Re: IIS Search Method Overflow being revisted?

["Felipe Moniz de Aragao" <felipe () syhunt com>]

Hi. I agree with Karl. MS03-007, which is also a SANS Top 20 item
(CAN-2003-0109). Details can be viewed at
http://www.securityfocus.com/bid/7116/exploit/ in the Bugtraq database.

- Felipe

----- Original Message -----
From: "Levinson, Karl" <Karl.Levinson () dhs gov>
To: "'Rohny Jotton'" <rohnyjotton () hotmail com>;
<incidents () securityfocus com>
Sent: Thursday, March 25, 2004 8:25 AM
Subject: RE: IIS Search Method Overflow being revisted?


> A Google search suggests a possible attempt to exploit the MS03-007 NTDLL
> vulnerability [via WebDAV] from February 2003.
>
> http://archives.neohapsis.com/archives/sf/pentest/2003-03/0109.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.jb.h
> tml
> http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx
>
> Possibly we're seeing an increase of this now due to Agobot / Gaobot /
> Polybot scans, as some variants can exploit this vulnerability.  I believe
> new Agobot / Gaobot variants a being discovered sometimes at a rate of
> several per day.
>
> I would suspect that if you checked your IDS logs or could run Ethereal
> packet captures through an IDS like Snort, the year-old NTDLL signatures
> might help you confirm what this is.  Another post I believe in the
> microsoft.public today mentioned a different payload:
> SEARCH /AAAAAAA....
>
> As you may already know, if you're using IIS 4 or 5, I strongly recommend
> running URLScan and the other security recommendations that are all free
> from www.microsoft.com/technet/security
>
> - karl
>
>
> -----Original Message-----
> From: Rohny Jotton [mailto:rohnyjotton () hotmail com]
> Sent: Thursday, March 25, 2004 10:45 AM
> To: incidents () securityfocus com
> Subject: IIS Search Method Overflow being revisted?
>
>
> In the last 24 hours, I've logged two instances of "SEARCH
> /±±±±±±±±±±±±±±±±±±±±±±....(many more)" on my web
> server from two different networks resulting in a 501 being returned.
>
> When googling, the only thing I can relate to it is an Overflow attempt
from
> 2001 (Georgi Guninski).
>
> I do not see any prior attempts. I just thought inquiring minds ought to
> know...
>
>
>
> --------------------------------------------------------------------------
-
> Free 30-day trial: firewall with virus/spam protection, URL filtering,
VPN,
> wireless security
>
> Protect your network against hackers, viruses, spam and other risks with
Astaro
> Security Linux, the comprehensive security solution that combines six
> applications in one software solution for ease of use and lower total cost
of
> ownership.
>
> Download your free trial at
> http://www.securityfocus.com/sponsor/Astaro_incidents_040301
> --------------------------------------------------------------------------
--
>


---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
ownership.

Download your free trial at 
http://www.securityfocus.com/sponsor/Astaro_incidents_040301
----------------------------------------------------------------------------