Full Disclosure mailing list archives
MS03-029 / Q823803 and not-only-RRAS Problems
From: "Daniele Muscetta" <daniele () muscetta com>
Date: Sat, 9 Aug 2003 22:44:15 +0200 (W. Europe Daylight Time)
Microsoft is aware of a problem with the recently released security patch MS03-029 [...] Specifically there is a problem with the patch when installed on systems that are also running RRAS (Routing and Remote Access Service) that causes the RRAS Service to fail when the system is rebooted after applying the patch.
I have actually reported to Microsoft a similar flaw with the same patch. In my case, though, the service that does not start is the "Web Proxy" component of Microsoft Proxy Server 2.0, when running in IIS3 (it actually looks like the problem is indeed IIS3, which is not supported anymore, while it does not happen with IIS4).

Microsoft Support gave me the hotfix released for the RRAS problem, and that fixed this issue too. Thanks! I would not be surprised to see them release an updated bulletin stating that RRAS is no longer the only service affected, but Proxy is affected too. I actually hope they will do that soon, since I notified them that the hotfix works.

Here is a description of the problem that was happening - AGAIN, the hotfix released for the RRAS problem has fixed this problem too!

On a machine with Microsoft Proxy Server 2.0 running in IIS3, the "Web Proxy" service would not start. I am talking about NT Server 4.0 SP6a with most security hotfixes, and Microsoft Proxy Server 2.0 SP1. The "World Wide Web Publishing Service" starts, but from Internet Service Manager the "Web Proxy" module appears as Not Running, and the EventLog reports an Event ID 100 stating that it cannot log on user "".

I looked at the properties of the WWW Service in Internet Service Manager, where the field "User" (for Anonymous Authentication) is indeed EMPTY, instead of containing the usual IUSR_SERVERNAME (here is the "" user!). But, funnily enough, the value with the correct user name IS written in the registry (HKLM/System/CurrentControlSet/Services/W3SVC/Parameters ....). It's still IIS3, so it is in the registry; it does not have a metabase. But this value DOES not get read!!

Uninstalling the original patch (as for the RRAS issue - btw there is no need to manually replace the file, since there is an UNINSTALL feature...), the service works again, and the user is correctly displayed.
I KNOW that the vulnerability is considered "Moderate" since no native service can expose it remotely. On the other hand, on the very same machine a third-party SMTP Virus-Scanning product is also installed, which MIGHT make use of the "dangerous" API, and expose the flaw remotely.... very remote possibility, but still I like to have my systems patched.... maybe a maliciously crafted mail could trigger the vulnerability ("worst case scenario"), like in a bug of sendmail of some time ago.....

Hope this might be interesting for you to know. Anyway, in my case the hotfix from PSS solved the problem, and it looks stable, thus I am expecting to see soon the "final" patch being released.

With Best Regards,
Daniele Muscetta

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html