Security Incidents mailing list archives

Code Red affects patched IIS4 servers with URL redirection


From: "Jean-Francois Prieur" <jfp51 () ebeing com>
Date: Wed, 08 Aug 2001 08:04:55 -0400

Hello,

I know the moderators have said that the Code Red discussion is closed, 
but I just found out an interesting piece of info for those people 
whose IIS 4 servers have been crashing even though they have been 
patched against Code Red.

According to Shared Knowledge Limited's support services (I found this 
by searching in Google Groups, so they might not have been the first to 
find this out) and confirmed by Eddie Bowers of MS IIS support who 
responded in the newsgroups, if your IIS4 website is using URL 
redirection, you are still vulnerable to Code Red even if you are 
patched. The reason is that when you set IIS to redirect URLs, it will 
accept any URL and send a 302 HTTP status code (Object Moved). The 
*.ida?NNNNN... overflow still causes IIS to crash.
Here is an excerpt from their messages:

-------------
If you are having problems and have not applied the patch, it may not work.
Too many people have been applying the patch to no avail. The solution is as
follows:

1. Remove ALL redirected IIS websites and URLs from the server.
2. Apply the patches.
3. Reboot.

The first point is the important one. Shared Knowledge have been
investigating the issue now for some time and believe this is the solution.
If you are still having any problems, please post back.

Regards,

Support Services
Shared Knowledge Limited
Advanced ASP Hosting www.sharedknowledge.net
-------------------

and here is the confirmation from MS

---------------
From: keif () removethistoemailme compulink co uk (Keif Gwinn)

I don't think this is a suitable fix... the other way to defend against 
Code Red is to remove all .ida script mappings from the webserver. 
Almost no one uses them any more... 
Keif Gwinn

Actually removing the script mappings will not avoid all the problems if 
you are running IIS4.
Removing the redirections is currently the best solution (this is in 
addition to installing the fix or removing the script mappings).
We are working on a real fix. Can't give an ETA yet.

Eddie
IIS Support
--------------------

So basically, if you are using URL redirection, Code Red WILL crash 
your machine. The only fix for now is to remove all URL redirections. 
Shared Knowledge have a script available to list all URL redirections 
on an IIS server; it requires Perl to run. You can find it at 
http://www.sharedknowledge.net/codered/checkredirect.bat

If you have been affected by this, please send your Dr. Watson logs and 
user.dmp files to Eddie Bowers at the following address 
eddieb () microsoft com so they can issue a fix for the patch, as it seems 
that it is the Code Red patch that is causing this problem.

Mods, this is the first time I post to this list, so if I should have 
sent it to another one, I apologise. I am sure some people with patched 
servers which are crashing might find this helpful.

Jean-Francois Prieur, 
Project Manager,
BNP Paribas



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
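
The post says a redirecting IIS site answers any URL, including a Code Red `.ida` request, with a 302. The following is an added example, not part of the original post and not the Shared Knowledge script: it scans a web log for `.ida` requests that were answered with 302, which points to sites that still have redirection enabled. It assumes W3C Extended logging with the `cs-uri-stem` and `sc-status` fields and that the request was written to the log; the sample log and the function names are constructed for illustration.

```python
# Added example: flag .ida requests that a redirecting site answered with 302.
from collections import Counter

# Constructed sample in W3C Extended Log File Format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-07 23:10:02 192.0.2.10 GET /default.ida NNNNNNNN 302
2001-08-07 23:10:05 192.0.2.11 GET /index.asp - 200
2001-08-07 23:11:40 192.0.2.12 GET /Default.IDA NNNNNNNN 302
2001-08-07 23:12:01 192.0.2.10 GET /default.ida NNNNNNNN 404
2001-08-07 23:12:09 192.0.2.13 GET /old/page.htm - 302
"""

def parse_w3c(lines):
    """Yield one dict per request, following each #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for later rows
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated rows
                yield dict(zip(fields, values))

def ida_redirect_hits(lines):
    """Return the .ida requests that were answered with 302 (Object Moved)."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        if stem.endswith(".ida") and rec.get("sc-status") == "302":
            hits.append(rec)
    return hits

def hits_by_client(hits):
    """Count flagged requests per source address."""
    return Counter(rec["c-ip"] for rec in hits)

if __name__ == "__main__":
    for rec in ida_redirect_hits(SAMPLE_LOG.splitlines()):
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"])
```

A 404 on the same request, as in the fourth sample row, is what a site without redirection and without the `.ida` mapping would return, so it is not flagged.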

