Vulnerability Development mailing list archives

(here we go again) more info on MS00-057?


From: rain forest puppy <rfp () WIRETRIP NET>
Date: Wed, 16 Aug 2000 10:10:49 -0500

Ok, MS released MS00-057: file permission canonicalization vulnerability
for IIS 4.0 and 5.0.  It causes IIS to use permissions on parent folders,
rather than the actual permissions on the files/folders(?).

Does anyone have any exact exploit information on this?  Burt Abreu & Søren
Skov of VBExplorer.com, would you like to post some more info?

If you can cause IIS to inherit different permissions on files, then it
may be possible to use stuff like, oh, say dvwssr.dll *without* needing
authoring permission, allowing you to read source or use that handy-dandy
buffer overflow.

- rfp

