Re: CR II - winME? confirmation? (Slightly OT)

From: Thorat_private
Date: Fri Aug 10 2001 - 11:55:39 PDT


    Actually, the script mapping is _NOT_ removed via the hisecweb template,
    even though it says it is.  It is, however, removed by the security tool.
    If anyone knows of any way to use a template to remove the script mappings,
    _please_ speak up!!
    
    Thanks!
    AD
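Added here as an example, not code from the thread or from Microsoft: a VBScript audit of the IIS 4.0/5.0 metabase for the .ida/.idq script mappings discussed below, using the IIS ADSI provider (the IIS://localhost/W3SVC path and the ScriptMaps property are assumed to be present on the host). Because the quoted bulletin notes that adding or removing system components can reinstate the mappings, it is written to be re-run after such changes rather than applied once like a template.

```vbscript
' Added example, not from the thread: audit an IIS 4.0/5.0 metabase for the
' .ida/.idq script mappings described in MS01-033, via the IIS ADSI provider.
' Assumes it runs on the IIS host itself under cscript.exe with admin rights.
' Usage: cscript ScriptMapAudit.vbs           (report only)
'        cscript ScriptMapAudit.vbs /remove   (also strip the mappings)
Option Explicit

Dim bRemove, objW3SVC, objSite
bRemove = (WScript.Arguments.Count > 0)
If bRemove Then bRemove = (LCase(WScript.Arguments(0)) = "/remove")

' W3SVC holds the server-wide default list that sites and vdirs inherit,
' so it is checked (and, with /remove, cleaned) first.
Set objW3SVC = GetObject("IIS://localhost/W3SVC")
AuditNode objW3SVC

' A site root that overrides the list keeps its own copy, so check each
' site's ROOT as well. In report-only mode a ROOT that merely inherits the
' W3SVC list will show the same FOUND entries as W3SVC.
For Each objSite In objW3SVC
    If objSite.Class = "IIsWebServer" Then
        AuditNode GetObject(objSite.ADsPath & "/ROOT")
    End If
Next

Sub AuditNode(objNode)
    Dim vMaps, sMap, aKeep(), nKeep, nFound
    nKeep = 0: nFound = 0
    On Error Resume Next
    vMaps = objNode.ScriptMaps          ' array of "ext,dll,flags[,verbs]"
    If Err.Number <> 0 Or Not IsArray(vMaps) Then Err.Clear: Exit Sub
    On Error GoTo 0
    For Each sMap In vMaps
        ' The extension is the first comma-separated field, e.g. ".ida,..."
        If LCase(Left(sMap, 5)) = ".ida," Or LCase(Left(sMap, 5)) = ".idq," Then
            WScript.Echo "FOUND   " & objNode.ADsPath & "  " & sMap
            nFound = nFound + 1
        Else
            ReDim Preserve aKeep(nKeep)
            aKeep(nKeep) = sMap
            nKeep = nKeep + 1
        End If
    Next
    If nFound = 0 Then
        WScript.Echo "clean   " & objNode.ADsPath
    ElseIf bRemove Then
        objNode.ScriptMaps = aKeep      ' write back the list minus .ida/.idq
        objNode.SetInfo
        WScript.Echo "removed " & nFound & " mapping(s) at " & objNode.ADsPath
    End If
End Sub
```

Virtual directories below a site root that carry their own ScriptMaps override are not walked here; the same AuditNode call applies to them.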
    
    
    
    
    ----- Original Message -----
    From: "Ron DuFresne" <dufresneat_private>
    To: "Inman, Carey" <Inmanat_private>
    Cc: "'Meritt James'" <meritt_jamesat_private>; "kam" <kamat_private>; "Amer
    Karim" <amerkat_private>; "VULN-DEV List" <VULN-DEVat_private>
    Sent: Thursday, August 09, 2001 1:31 PM
    Subject: RE: CR II - winME? confirmation? (Slightly OT)
    
    
    >
    > Perhaps a better quote:
    >
    >      Mitigating factors:
    >      * The vulnerability can only be exploited if a web session can be
    >        established with an affected server. Customers who have installed
    >        Index Server or Index Services but not IIS would not be at risk.
    >        This is the default case for Windows 2000 Professional.
    >      * The vulnerability cannot be exploited if the script mappings for
    >        Internet Data Administration (.ida) and Internet Data Query (.idq)
    >        files are not present. The procedure for removing the mappings is
    >        discussed in the IIS 4.0 and IIS 5.0 Security checklists, can be
    >        automatically removed via either the High Security Template or the
    >        Windows 2000 Internet Server Security Tool. Customers should be
    >        aware, however, that subsequently adding or removing system
    >        components can cause the mapping to be reinstated, as discussed in
    >        the FAQ.
    >
    >
    > Thanks,
    >
    > Ron DuFresne
    >
    >
    > On Wed, 8 Aug 2001, Inman, Carey wrote:
    >
    > > Hi,
    > >
    > > I would like to offer a quote from MS01-033:
    > >
    > > "the service would not need to be running in order for an attacker to
    > > exploit the vulnerability."
    > >
    > >
    > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
    > > bulletin/MS01-033.asp
    > >
    > > Carey
    > >
    > >
    > >
    > > -----Original Message-----
    > > From: Meritt James [mailto:meritt_jamesat_private]
    > > Sent: Wednesday, August 08, 2001 9:28 AM
    > > To: kam
    > > Cc: Amer Karim; VULN-DEV List
    > > Subject: Re: CR II - winME? confirmation? (Slightly OT)
    > >
    > >
    > > "running" or "installed"?  It is my understanding that the vulnerability
    > > exists if the files and mapping are there no matter the process state of
    > > the IIS server.  Is my understanding incorrect?
    > >
    > > Jim
    > >
    > > kam wrote:
    > > >
    > > > Without IIS running, an attacker has no means of exploiting the
    > > > vulnerable file. With no access to the file, the vulnerability does not
    > > > exist. If they're running IIS, then there is a hole which they can
    > > > exploit. Even though it comes installed by default on 2000, it's not a
    > > > risk until you turn on your web services.
    > > >
    > > > kam
    > > >
    > > > ----- Original Message -----
    > > > From: "Amer Karim" <amerkat_private>
    > > > To: "VULN-DEV List" <VULN-DEVat_private>
    > > > Sent: Tuesday, August 07, 2001 10:03 AM
    > > > Subject: Re: CR II - winME? confirmation? (Slightly OT)
    > > >
    > > > > Hi All,
    > > > >
    > > > > All the advisories about CR state that only IIS servers are
    > > > > vulnerable. However, it's my understanding that the unchecked buffer
    > > > > in idq.dll was the source of that vulnerability.  If that's the case,
    > > > > then why have the advisories not included Win2K systems (all
    > > > > flavours) since idq.dll is installed by default as part of the
    > > > > indexing service on all these systems - regardless of whether they
    > > > > are using the service or not?  Wouldn't that make ANY system with the
    > > > > indexing service on it just as vulnerable as systems with IIS? Am I
    > > > > overlooking something obvious here?
    > > > >
    > > > > Regards,
    > > > > Amer Karim
    > > > > Nautilis Information Systems
    > > > > e-mail: amerkat_private, mamerkat_private
    > > > >
    > > > >
    > > > >
    > >
    > > --
    > > James W. Meritt, CISSP, CISA
    > > Booz, Allen & Hamilton
    > > phone: (410) 684-6566
    > >
    >
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    > "Cutting the space budget really restores my faith in humanity.  It
    > eliminates dreams, goals, and ideals and lets us get straight to the
    > business of hate, debauchery, and self-annihilation." -- Johnny Hart
    > ***testing, only testing, and damn good at it too!***
    >
    > OK, so you're a Ph.D.  Just don't touch anything.
    



    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 12:08:29 PDT