Bugtraq mailing list archives

NT Users SHOULD be CAREFUL when applying NT hotfixes "Multiple version problem inside NT Hotfixes"


From: "Adonis.No.Spam" <adonis1 () videotron ca>
Date: Wed, 3 Oct 2001 15:58:53 -0400

+--------------------------------------------.
Multiple version problem inside NT Hotfixes   .
+----------------------------------------------`--------------------+
Hotfixes Affected: MS00-057 MS00-078 MS00-090                       .
Type             : Wrong Version                                      .
Date             : 3-10-2001                                          .
Product          : Microsoft NT Server and workstation                .
Author           : NtWaK0 www.versalys.com                            .
+-------------------------------------------------------------------+

-----------------------------.
NT Hotfixes Version Problem   .
-------------------------------`------------------------------------.
MS00-078: Web Server Folder Traversal Vulnerability
MS00-057: File Permission Canonicalization Vulnerability
MS00-090: .ASX Buffer Overrun and .WMS Script
-------------------.
Problem Introduction.
---------------------`----------------------------------------------.
MS00-078: Web Server Folder Traversal Vulnerability
Microsoft Internet Information Server 4.0
Microsoft Internet Information Services 5.0

Description of vulnerability can be found at
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp

Patch can be found at
http://download.microsoft.com/download/winntsp/Patch/q269862/NT4ALPHA/EN-US/prmcan4i.exe

MS00-057: File Permission Canonicalization Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms00-057.asp

Patch can be found at
http://download.microsoft.com/download/winntsp/Patch/q269862/NT4ALPHA/EN-US/prmcan4i.exe


As you can see, based on Microsoft's description you should also run
MS00-057; both fixes go together, if you want.
That is what makes both hotfixes affected by the problem.

------------------------------------.
Problem detail MS00-078 prmcan4i.exe .
--------------------------------------`-----------------------------.
The problem is in the file versions included in these hotfixes.
The hotfix prmcan4i.exe is supposed to fix or change these files:
asp.dll
sspifilt.dll
ssinc.dll
w3svc.dll

Now let us take a look at the file versions one by one and compare them
to the files contained in the hotfix MS00-060. That hotfix is supposed
to be older than MS00-078, and the files inside MS00-078 are supposed to
be newer than the files contained in MS00-057 and MS00-060.

Files inside the prmcan4i.exe MS00-078 :
---------------------------------------
HF\NT\prmcan4i>filever asp.dll sspifilt.dll ssinc.dll
--a-- W32i   DLL ENU       4.2.749.1 shp    330,080 08-03-2000 asp.dll
--a-- W32i   DLL ENU       4.2.749.1 shp     25,360 08-03-2000 sspifilt.dll
--a-- W32i   DLL ENU       4.2.749.1 shp     38,256 08-03-2000 ssinc.dll
--a-- W32i   APP ENU       4.2.749.1 shp    228,496 08-03-2000 w3svc.dll

Now let us compare these files with the files contained in the hotfix
MS00-060.

MS00-060: IIS Cross-Site Scripting Vulnerabilities
Description of vulnerability can be found at
http://www.microsoft.com/technet/security/bulletin/MS00-060.asp

Files inside the crsscri.exe MS00-060 :
--------------------------------------
--a-- W32i   DLL ENU       4.2.752.1 shp    330,080 10-03-2000 asp.dll
--a-- W32i   DLL ENU       4.2.752.1 shp     25,360 10-03-2000 sspifilt.dll
--a-- W32i   DLL ENU       4.2.752.1 shp     38,256 10-03-2000 ssinc.dll
--a-- W32i   APP ENU       4.2.752.1 shp    229,008 10-03-2000 w3svc.dll

As you can see, 4.2.752.1 is > 4.2.749.1. This may lead to a security
problem, since the newer hotfix contains older DLLs.
Second, users who think that MS00-078 is newer than MS00-060
may be wrong.

-----------------------.
Second Problem MS00-090 .
-------------------------`------------------------------------------.
MS00-090: .ASX Buffer Overrun and .WMS Script

I did find a problem with this hotfix "wmqfe33955.exe".
The file dxmasf.dll in the hotfix (wmqfe33955.exe) is version
6.4.9.1110 but the file on the system is version 6.4.9.1109, and when
you run this hotfix it won't update the file, go figure.

I have tried this on 3 different NT boxes and still it did not update
the file. I did not get any error while applying the hotfix.
Leaving an older file will leave your system open to the
exploit mentioned in MS00-090.
Description of vulnerability can be found at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-090.asp


NOTE: Microsoft considers this a technical issue; I do not agree, since this
affects the hotfixes, and the hotfixes' job is to fix security problems
most of the time.



________________________________________________________________________
The only secure computer is one that's unplugged, locked in a safe,
and buried 20 feet under the ground in a secret location... and i'm
not even too sure about that one"--Dennis Huges, FBI.
____________________________________________________________.___________
Live Well Do Good                                           |
Je Pense, Donc Je Suis                                    \(|)/
I know I ain't perfect, but i'm 99 point 9 percent :)    --(")--
RFCs are meant to be read and followed…:)                  /`\  NtWaK0
________________________________________________________________________
-=- Use a computer in a ways that ensure respect for your fellow     -=-


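Added example, not part of the original post: a Python check that parses the two `filever` listings quoted above and reports files whose version in the later-numbered hotfix is lower than in the earlier one, plus a post-install check for the dxmasf.dll case. The function names are hypothetical, and the on-disk versions are assumed to be collected separately (for example with `filever`).

```python
import re

# filever output as quoted in the post: prmcan4i.exe (MS00-078), crsscri.exe (MS00-060)
MS00_078 = """\
--a-- W32i   DLL ENU       4.2.749.1 shp    330,080 08-03-2000 asp.dll
--a-- W32i   DLL ENU       4.2.749.1 shp     25,360 08-03-2000 sspifilt.dll
--a-- W32i   DLL ENU       4.2.749.1 shp     38,256 08-03-2000 ssinc.dll
--a-- W32i   APP ENU       4.2.749.1 shp    228,496 08-03-2000 w3svc.dll
"""
MS00_060 = """\
--a-- W32i   DLL ENU       4.2.752.1 shp    330,080 10-03-2000 asp.dll
--a-- W32i   DLL ENU       4.2.752.1 shp     25,360 10-03-2000 sspifilt.dll
--a-- W32i   DLL ENU       4.2.752.1 shp     38,256 10-03-2000 ssinc.dll
--a-- W32i   APP ENU       4.2.752.1 shp    229,008 10-03-2000 w3svc.dll
"""

# A dotted four-part version, then anything, then the file name as last token.
LINE = re.compile(r"\s(\d+(?:\.\d+){3})\s.*\s(\S+)\s*$")


def version(text):
    """'4.2.749.1' -> (4, 2, 749, 1), so parts compare as numbers, not strings."""
    return tuple(int(part) for part in text.split("."))


def parse_filever(output):
    """Map lower-cased file name -> version tuple for each filever line."""
    found = {}
    for line in output.splitlines():
        match = LINE.search(line)
        if match:
            found[match.group(2).lower()] = version(match.group(1))
    return found


def regressions(later_pkg, earlier_pkg):
    """Shared files whose version in the later-numbered package is lower."""
    later, earlier = parse_filever(later_pkg), parse_filever(earlier_pkg)
    return {name: (later[name], earlier[name])
            for name in later.keys() & earlier.keys()
            if later[name] < earlier[name]}


def stale_after_install(on_disk, packaged):
    """Files missing or still below the packaged version after the hotfix ran."""
    return sorted(name for name, want in packaged.items()
                  if name not in on_disk or version(on_disk[name]) < version(want))


if __name__ == "__main__":
    print(regressions(MS00_078, MS00_060))
    print(stale_after_install({"dxmasf.dll": "6.4.9.1109"}, {"dxmasf.dll": "6.4.9.1110"}))
```

Running `stale_after_install` after every hotfix catches the silent no-update case, since the installer reported no error in the post.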