Snort mailing list archives

Re: IDS553/web-iis_IIS ISAPI Overflow idq


From: Dr SuSE <drsuse () drsuse org>
Date: Wed, 15 Aug 2001 14:14:38 GMT

The IDQ exploit rule was written based on the reports from eeye.com which show 
the ida and idq buffer overflows to be the same.

Windows Index Server ships with Windows NT 4.0 Option Pack and Windows Indexing 
Service ships with Windows 2000. An unchecked buffer exists in the 'idq.dll' 
ISAPI extension associated with each service. A maliciously crafted request 
could allow the execution of arbitrary code on the host in the Local System 
context.

It should be noted that Index Server and Indexing Service do not need to be 
running in order for an attacker to exploit this issue. 'idq.dll' is installed 
by default when IIS is installed, subsequently IIS would need to be the only 
service running.

It should be noted that this vulnerability is currently being exploited by 
the 'Code Red' worm. In addition, all products that run affected versions of 
Microsoft IIS are subject to this issue. Please see the reference section for 
further information regarding this worm.


john.ruff () us abb com wrote:
One of the rules I'm using for Code Red is generating alerts that seem to be
false, or rather I'm not sure they're reliable.

Rule from Whitehats.com:
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS553/web-iis_IIS ISAPI Overflow idq"; dsize: >239; flags: A+; uricontent: ".idq?"; classtype: system-or-info-attempt; reference: arachnids,553;)

Here are my log entries.  In all cases the traffic flow is from 'web proxy
client' --> 'MS Proxy Server'.  What are the chances that this is a false
alarm?  I've scanned these clients with Eeye's scanner (v 2.7) and come up
with nothing.

Actually, I've been noticing that quite a bit as well.  It's also used by
anyone that uses Microsoft's Index Server.  (Large corporations have
this all over the place to index their Word documents.)

There is a buffer overflow in the handling of .idq requests in IIS, but
there has yet to be a released exploit for it.

I'm not exactly sure what the best solution for reducing the false positives
would be, except to lower the priority and look at them if you have time.

-- 
Brian Caswell
The MITRE Corporation

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



Score my PGP key @
http://www.drsuse.org/pks

---------------------------------------------
Microsoft is not installed.
http://www.drsuse.org/
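The false positives john.ruff and Brian Caswell discuss come from the rule keying only on packet size and the string ".idq?", which every legitimate Index Server query form also sends. The following is example code added to this archived message (not from Snort, Whitehats, or any of the posters): it re-implements the IDS553 conditions over constructed HTTP requests, shows a normal Index Server query tripping the rule, and tries one narrower condition, a long query string after ".idq?". The sample requests are constructed for the example, and the 240-byte query threshold is an assumption taken from the rule's own dsize value, not from the eEye advisory. Snort matches uricontent against a normalized URI and reassembles nothing here; this simplified check reads the raw request line only.

```python
"""Re-implementation of the IDS553 matching conditions over sample requests.

Example code for the archived thread, not part of Snort or the original post.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str      # TCP flags as letters, e.g. "AP" for ACK+PSH
    payload: bytes  # TCP payload (what Snort's dsize measures)


def request_line(payload: bytes):
    """Return (method, uri) from the first line of an HTTP request, or None."""
    first = payload.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = first.split(" ")
    if len(parts) < 2:
        return None
    return parts[0], parts[1]


def ids553_matches(pkt: Packet) -> bool:
    """The conditions of the quoted rule: dst port 80, ACK set (flags: A+),
    dsize > 239, and '.idq?' somewhere in the request URI."""
    if pkt.dport != 80 or "A" not in pkt.flags or len(pkt.payload) <= 239:
        return False
    req = request_line(pkt.payload)
    return req is not None and ".idq?" in req[1]


# Assumed threshold: the rule's dsize value reused as a minimum query length.
QUERY_THRESHOLD = 240


def idq_query_length(pkt: Packet) -> int:
    """Length of the query string following a .idq path (0 if not an .idq URI)."""
    req = request_line(pkt.payload)
    if req is None:
        return 0
    path, _, query = req[1].partition("?")
    return len(query) if path.lower().endswith(".idq") else 0


def refined_matches(pkt: Packet) -> bool:
    """IDS553 plus an unusually long query string; a normal Index Server
    query form produces a long packet but a short query."""
    return ids553_matches(pkt) and idq_query_length(pkt) >= QUERY_THRESHOLD


def make_request(uri: str) -> Packet:
    """Constructed browser-style request from a proxy client to a web server."""
    raw = (f"GET {uri} HTTP/1.0\r\n"
           "Host: intranet.example\r\n"
           "User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)\r\n"
           "Accept: text/html, image/gif, image/jpeg, */*\r\n"
           "Accept-Language: en-us\r\n"
           "\r\n").encode("latin-1")
    return Packet("10.1.2.3", "10.1.2.80", 80, "AP", raw)


# Constructed samples (not captured traffic).
# A normal Index Server query form submission: the headers alone push the
# packet well past 239 bytes, so the quoted rule fires on it.
LEGIT_QUERY = make_request(
    "/samples/search/query.idq?CiRestriction=budget+forecast"
    "&CiMaxRecordsPerPage=10&CiScope=%2F&TemplateName=query"
    "&CiSort=rank%5Bd%5D&HTMLQueryForm=query.htm")

# Stand-in for an oversized .idq query (filler bytes, not a real payload).
LONG_QUERY = make_request("/x.idq?" + "A" * 300)

# Tiny request with no headers: below dsize, so neither check fires.
SHORT_PKT = Packet("10.1.2.3", "10.1.2.80", 80, "AP",
                   b"GET /query.idq?q=a HTTP/1.0\r\n\r\n")


if __name__ == "__main__":
    for name, pkt in [("legit", LEGIT_QUERY), ("long", LONG_QUERY),
                      ("short", SHORT_PKT)]:
        print(f"{name:6} dsize={len(pkt.payload):4} ids553={ids553_matches(pkt)!s:5} "
              f"refined={refined_matches(pkt)} qlen={idq_query_length(pkt)}")
```

Run it and the legitimate query form shows up as an IDS553 hit with a query of about 126 bytes, while only the oversized query passes the refined check. Whether a length condition is a safe discriminator depends on the overflow's real trigger, which this thread does not establish; it is offered as a way to triage, in the spirit of Brian's "lower the priority" advice, not as a replacement signature.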



