Vulnerability Development mailing list archives

Re: CR II - winME? confirmation? (Slightly OT)


From: Thor () HammerofGod com
Date: Fri, 10 Aug 2001 11:55:39 -0700

Actually, the script mapping is _NOT_ removed via the hisecweb template,
even though it says it is.  It is, however, removed by the security tool.
If anyone knows of any way to use a template to remove the script mappings,
_please_ speak up!!

Thanks!
AD




----- Original Message -----
From: "Ron DuFresne" <dufresne () winternet com>
To: "Inman, Carey" <Inman () nasirc hq nasa gov>
Cc: "'Meritt James'" <meritt_james () bah com>; "kam" <kam () aversion net>; "Amer Karim" <amerk () telus net>; "VULN-DEV List" <VULN-DEV () securityfocus com>
Sent: Thursday, August 09, 2001 1:31 PM
Subject: RE: CR II - winME? confirmation? (Slightly OT)



Perhaps a better quote:

     Mitigating factors:
     * The vulnerability can only be exploited if a web session can be
       established with an affected server. Customers who have installed
       Index Server or Index Services but not IIS would not be at risk.
       This is the default case for Windows 2000 Professional.
     * The vulnerability cannot be exploited if the script mappings for
       Internet Data Administration (.ida) and Internet Data Query (.idq)
       files are not present. The procedure for removing the mappings is
       discussed in the IIS 4.0 and IIS 5.0 Security checklists, can be
       automatically removed via either the High Security Template or the
       Windows 2000 Internet Server Security Tool. Customers should be
       aware, however, that subsequently adding or removing system
       components can cause the mapping to be reinstated, as discussed in
       the FAQ.


Thanks,

Ron DuFresne


On Wed, 8 Aug 2001, Inman, Carey wrote:

Hi,

I would like to offer a quote from MS01-033:

"the service would not need to be running in order for an attacker to
exploit the vulnerability."


http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

Carey



-----Original Message-----
From: Meritt James [mailto:meritt_james () bah com]
Sent: Wednesday, August 08, 2001 9:28 AM
To: kam
Cc: Amer Karim; VULN-DEV List
Subject: Re: CR II - winME? confirmation? (Slightly OT)


"running" or "installed"?  It is my understanding that the vulnerability
exists if the files and mapping are there no matter the process state of
the IIS server.  Is my understanding incorrect?

Jim

kam wrote:

Without IIS running, an attacker has no means of exploiting the vulnerable
file. With no access to the file, the vulnerability does not exist. If
they're running IIS, then there is a hole which they can exploit. Even
though it comes installed by default on 2000, it's not a risk until you
turn on your web services.

kam

----- Original Message -----
From: "Amer Karim" <amerk () telus net>
To: "VULN-DEV List" <VULN-DEV () SECURITYFOCUS COM>
Sent: Tuesday, August 07, 2001 10:03 AM
Subject: Re: CR II - winME? confirmation? (Slightly OT)

Hi All,

All the advisories about CR state that only IIS servers are vulnerable.
However, it's my understanding that the unchecked buffer in idq.dll was
the source of that vulnerability.  If that's the case, then why have the
advisories not included Win2K systems (all flavours) since idq.dll is
installed by default as part of the indexing service on all these systems -
regardless of whether they are using the service or not?  Wouldn't that
make ANY system with the indexing service on it just as vulnerable as
systems with IIS? Am I overlooking something obvious here?

Regards,
Amer Karim
Nautilis Information Systems
e-mail: amerk () telus net, mamerk () hotmail com




--
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
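The check this thread keeps circling back to (are the .ida/.idq mappings actually gone?), as an added example that is not from any of the posts above nor from Microsoft's template or tool: a VBScript that walks every web site in the IIS 4/5 metabase through the ADSI IIS provider, reports any .ida/.idq script mapping, and removes them when run with /fix. The ScriptMaps entry format ("ext,dll,flags,verbs") and the site enumeration are the metabase's own; the script name and the /fix switch are assumptions.

```vbscript
' Added example: audit (and with /fix, remove) the .ida/.idq script
' mappings on every IIS web site via the ADSI metabase provider.
' Usage (assumed name):  cscript audit_idq_maps.vbs [/fix]
' Run as a local administrator on the IIS host itself.
Option Explicit

Dim args, fixMode, svc, site, node, total
Set args = WScript.Arguments
fixMode = (args.Count > 0 And LCase(args(0)) = "/fix")
total = 0

' W3SVC holds one IIsWebServer child per site (1 = Default Web Site);
' each site's mappings live on its /Root node.
Set svc = GetObject("IIS://localhost/W3SVC")
For Each site In svc
    If site.Class = "IIsWebServer" Then
        Set node = GetObject(site.ADsPath & "/Root")
        total = total + AuditNode(node, fixMode)
    End If
Next

If total = 0 Then
    WScript.Echo "No .ida/.idq mappings found."
ElseIf Not fixMode Then
    WScript.Echo total & " mapping(s) present; re-run with /fix to remove."
End If

' Returns the number of .ida/.idq entries found on one node; if fix is
' True, writes the mapping list back without them.
Function AuditNode(node, fix)
    Dim oldMaps, newMaps, entry, ext, found, i
    oldMaps = node.ScriptMaps        ' array of "ext,dll,flags,verbs"
    newMaps = Array()
    found = 0
    For i = 0 To UBound(oldMaps)
        entry = oldMaps(i)
        ext = LCase(Split(entry, ",")(0))   ' first field is the extension
        If ext = ".ida" Or ext = ".idq" Then
            WScript.Echo "FOUND on " & node.ADsPath & ": " & entry
            found = found + 1
        Else
            ReDim Preserve newMaps(UBound(newMaps) + 1)
            newMaps(UBound(newMaps)) = entry
        End If
    Next
    If found > 0 And fix Then
        node.ScriptMaps = newMaps
        node.SetInfo
        WScript.Echo "Removed " & found & " mapping(s) from " & node.ADsPath
    End If
    AuditNode = found
End Function
```

As the bulletin quoted above warns, adding or removing Windows components can reinstate the mappings, so the audit is worth repeating after any such change.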

