RE: new IIS exploit?

["David LeBlanc" <dleblanc () Exchange Microsoft com>]

It is either the .printer exploit, or a scan for possibly vulnerable
systems. If you sent just a GET for /NULL.printer and got back a certain
error response, you'd know that the .printer handler was enabled. You
could then proceed with the rest of the exploit. If that's all you're
getting, someone is probing for vulnerable systems. If you see that
followed by "Host:[bunch of padding and shell code]", then it is the
exploit.


-----Original Message-----
From: Sarbjit Singh Gill [mailto:ssgill () gilltechnologies com] 
Sent: Monday, February 02, 2004 5:13 PM
To: jamie () nucdc org; incidents () securityfocus com
Subject: RE: new IIS exploit?

It looks like an old exploit as well. I could be wrong. It was the
Internet
Printing ISAPI extension exploit on IIS5. Here is the article.
http://support.microsoft.com/default.aspx?scid=kb;en-us;296576

/Gill



-----Original Message-----
From: Jamie Pratt [mailto:jamie () nucdc org] 
Sent: Saturday, January 31, 2004 1:18 AM
To: 
Subject: Re: new IIS exploit?

havent seen that one myself, but here is one i just found that I havent
seen
either...:

  /<Rejected-By-UrlScan> ~/NULL.printer 404

regards,
jamie


------------------------------------------------------------------------
---
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
----------------------------------------------------------------------------