Vulnerability Development mailing list archives

Re: CR II - winME? confirmation? (Slightly OT)

From: "Ryan Permeh" <ryan () eEye com>
Date: Thu, 9 Aug 2001 13:01:03 -0700

iis does need to be running to be vulnerable to this method of exploitation
however.
<subliminal>APPLY THE PATCH.</subliminal>
The vulnerability was found and exploited via iis, but the vulnerability
does not exist in iis per se.(almost every iis installation on earth was
vulnerable to it when we found it though).
<subliminal>APPLY THE PATCH.</subliminal>
the vulnerability is in the indexing server.  iis by default includes the
indexing server,  the indexing server can be there if iis is not however, so
even if iis is not there, the vulnerability could still be there if the
indexing server were there.(you wouldn't be able to exploit it via iis
however, you would have to craft a local attack against it).
<subliminal>APPLY THE PATCH.</subliminal>
This caused a lot of people a lot of confusion.  The worm attacks iis
because it gives an easy path to the indexing server(via the ida mapping).
If the iis server is stopped, the worm can't hit you, but other local things
might be able to.
<subliminal>APPLY THE PATCH.</subliminal>
if in doubt, apply the patch.  if not in doubt, apply the patch.  basically,
if you run nt/2k, apply this patch.  period.  no questions, get everyone you
know that admins a nt/2k box to do the same.  iis isn't running?  apply the
patch(who knows when it might be started). index server not installed? apply
this patch(patching software you don'thave will not presumably hurt you).
don't wait, don't hesitate, apply the patch.


<subliminal>APPLY THE PATCH.</subliminal>
Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer

----- Original Message -----
From: "Inman, Carey" <Inman () nasirc nasa gov>
To: "'Meritt James'" <meritt_james () bah com>; "kam" <kam () aversion net>
Cc: "Amer Karim" <amerk () telus net>; "VULN-DEV List"
<VULN-DEV () securityfocus com>
Sent: Wednesday, August 08, 2001 10:32 AM
Subject: RE: CR II - winME? confirmation? (Slightly OT)

Hi,

I would like to offer a quote from MS01-033:

"the service would not need to be running in order for an attacker to
exploit the vulnerability."

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/

bulletin/MS01-033.asp

Carey

-----Original Message-----
From: Meritt James [mailto:meritt_james () bah com]
Sent: Wednesday, August 08, 2001 9:28 AM
To: kam
Cc: Amer Karim; VULN-DEV List
Subject: Re: CR II - winME? confirmation? (Slightly OT)

"running" or "installed"?  It is my understanding that the vulnerability
exists if the files and mapping are there no matter the process state of
the IIS server.  Is my understanding incorrect?

Jim

kam wrote:


Without IIS running, an attacker has no means of exploiting the

vulnerable

file. With no access to the file, the vulnerability does not exist. If
they're running IIS, then there is a hole which they can exploit. Even
though it comes installed by default on 2000, it's not a risk until you

turn

on your web services.

kam

----- Original Message -----
From: "Amer Karim" <amerk () telus net>
To: "VULN-DEV List" <VULN-DEV () SECURITYFOCUS COM>
Sent: Tuesday, August 07, 2001 10:03 AM
Subject: Re: CR II - winME? confirmation? (Slightly OT)

Hi All,

All the advisories about CR state that only IIS servers are

vulnerable.

However, it's my understanding that the unchecked buffer in idq.dll

was

the

source of that vulnerability.  If that's the case, then why have the
advisories not included Win2K systems (all flavours) since idq.dll is
installed by default as part of the indexing service on all these

systems -

regardless of whether they are using the service or not?  Wouldn't

that

make

ANY system with the indexing service on it just as vulnerable as

systems

with IIS? Am I overlooking something obvious here?

Regards,
Amer Karim
Nautilis Information Systems
e-mail: amerk () telus net, mamerk () hotmail com


--
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566

Current thread:

Re: CR II - winME? confirmation? (Slightly OT), (continued)
- - Re: CR II - winME? confirmation? (Slightly OT) Michael J. Cannon (Aug 08)
- RE: CR II - winME? confirmation? (Slightly OT) Gregory_DeGennaro (Aug 07)
- Re: CR II - winME? confirmation? (Slightly OT) Grab Raham (Aug 07)
- Re: CR II - winME? confirmation? (Slightly OT) Amer Karim (Aug 07)
  - Re: CR II - winME? confirmation? (Slightly OT) Jason Haar (Aug 08)
    - Re: CR II - winME? confirmation? (Slightly OT) HackHawk (Aug 10)
  - Re: CR II - winME? confirmation? (Slightly OT) Gregory McCann (Aug 08)
    - Re: CR II - winME? confirmation? (Slightly OT) Enrique A. Compañ Gzz. (Aug 10)
- RE: CR II - winME? confirmation? (Slightly OT) Gregory_DeGennaro (Aug 09)
- RE: CR II - winME? confirmation? (Slightly OT) Inman, Carey (Aug 09)
  - Re: CR II - winME? confirmation? (Slightly OT) Ryan Permeh (Aug 10)
  - RE: CR II - winME? confirmation? (Slightly OT) Mike Duncan (Aug 10)
  - RE: CR II - winME? confirmation? (Slightly OT) Matthew Leeds (Aug 10)
  - Re: CR II - winME? confirmation? (Slightly OT) Thor (Aug 10)
  - RE: CR II - winME? confirmation? (Slightly OT) Jonathan Rickman (Aug 10)
  - RE: CR II - winME? confirmation? (Slightly OT) Ron DuFresne (Aug 10)
    - Re: CR II - winME? confirmation? (Slightly OT) Thor (Aug 10)
- RE: CR II - winME? confirmation? (Slightly OT) William T. Barrett (Aug 10)