Vulnerability Development mailing list archives
RE: CR II - winME? confirmation? (Slightly OT)
From: "Amer Karim" <amerk () telus net>
Date: Fri, 10 Aug 2001 16:19:25 -0700
<SNIP>
...Oh yeah, and obviously a web server of some sort must be running, the worm propagates by GET requests, which'll have no effect on a server that doesn't process them...hard to see how anyone could be confused on this front...
<END SNIP>

My question was regarding only W2K systems. However, you've raised the point that's been bothering me throughout all this and the reason I raised my second question - perhaps not clearly enough. I've hesitated re-posting my question, hoping that I'd be able to find the answer somewhere, or that someone here would have the answer.

Given the following configuration - W2K (any flavour) with default installation of Index service (enabled or not) and ANY web server (not just IIS) - are these possible hosts for the CR worm? Or is it something in IIS specifically that requires its presence?

From what I've gathered - both from the discussion here and other sources such as MS, eEye, SARC etc. - it was the original unchecked buffer in idq.dll that was being used, and IIS was necessary only as a conduit. If this is the case, then ANY web server should serve (pardon the pun) as that conduit. Which brings me back to my question of why all the advisories are NOT targeting ALL W2K users, instead of giving the impression that it's only corporate servers that need worry. And if ANY web server, not just IIS, will suffice - then I repeat my question with even more emphasis.

Regards,

Amer Karim
Nautilis Information Systems
e-mail: amerk () telus net, mamerk () hotmail com

-----Original Message-----
From: Jordan [mailto:jordanf () home com]
Sent: August 9, 2001 12:40
To: vuln-dev () securityfocus com
Subject: Re: CR II - winME? confirmation? (Slightly OT)

I've held off on posting about this for quite some time 'cause I thought it would go away...but this topic seems to still be alive, so here goes.

Quoted from the wonderful analysis of the second version of Code Red by the brilliant eEye folks and Mr Levy:

"This worm, like the original Code Red worm, will only exploit Windows 2000 web servers because it overwrites EIP with a jmp that is only correct under Windows 2000. Under NT4.0 etc... that offset is different so, the process will simply crash instead of allowing the worm to infect the system and spread."

Read this paragraph over and over and over again, and if you still have any questions about whether it'll work on ME, NT4, OSX or any other operating system, read it again. I'm amazed that no one's posted this yet...Oh yeah, and obviously a web server of some sort must be running, the worm propagates by GET requests, which'll have no effect on a server that doesn't process them...hard to see how anyone could be confused on this front...

If we're talking strictly about exploiting an unchecked buffer in idq.dll, that's one topic, and of course it's possible that it'll work on any system with a vulnerable idq.dll, but if we're talking about a specific worm, say CR2, then at least read the analysis before posting about it...

Jordan Frank
jordanf () home com
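Both halves of this exchange turn on who actually receives the worm's GET. idq.dll is the Indexing Service ISAPI extension, and IIS hands a request to it only through its script mappings for the .ida and .idq extensions; a non-IIS web server on the same Windows 2000 box has no such mapping and simply answers the probe with a 404. The following log scanner is an added example for this thread, not code from either poster. It flags Code Red-style requests, which are GETs for a .ida/.idq resource with a query string padded to hundreds of bytes (the padding byte was 'N' in the first Code Red and 'X' in Code Red II, a publicly documented detail of the worms, not something stated in the messages above). The access-log lines are constructed; the 200-byte length threshold and the status-code heuristic for "did a handler take this" are assumptions for the example.

```python
"""Flag Code Red-style .ida/.idq probes in Common Log Format access logs.

Added example for the vuln-dev thread above; not the posters' code. The
sample log lines are constructed, and OVERFLOW_LEN and the status-code
heuristic are assumptions made for this example.
"""
import re
from typing import List, NamedTuple, Optional

# Common Log Format: client, ident, user, [time], "request", status, bytes.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# .ida and .idq are the extensions IIS script-maps to idq.dll (Indexing Service).
IDQ_TARGET_RE = re.compile(r'^(?P<path>[^?]*\.id[aq])\?(?P<query>.*)$', re.IGNORECASE)

# Assumed threshold: a real Index Server query is a few dozen bytes, the worm's
# is several hundred.
OVERFLOW_LEN = 200


class Finding(NamedTuple):
    client: str
    path: str
    variant: str        # "code-red-1", "code-red-2" or "unknown-ida-overflow"
    status: int
    reached_handler: bool  # heuristic: did some handler accept the request?


def classify_query(query: str) -> Optional[str]:
    """Label an oversized .ida/.idq query by its padding byte, or None if it is short."""
    if len(query) < OVERFLOW_LEN:
        return None
    pad = query[0]
    if pad == 'N':
        return "code-red-1"
    if pad == 'X':
        return "code-red-2"
    return "unknown-ida-overflow"


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per GET whose .ida/.idq query looks like an overflow."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m or m['method'] != 'GET':
            continue
        t = IDQ_TARGET_RE.match(m['target'])
        if not t:
            continue
        variant = classify_query(t['query'])
        if variant is None:
            continue
        status = int(m['status'])
        # Heuristic (assumption): a 404 means nothing was mapped to .ida/.idq,
        # as on a non-IIS server or IIS with the mappings removed, so the probe
        # was noise. Any other status means a handler took the request.
        findings.append(Finding(m['client'], t['path'], variant, status, status != 404))
    return findings


# Constructed sample log. Line 1: IIS host hit by the first Code Red (shellcode
# abbreviated). Line 2: the same probe, Code Red II style, against a non-IIS
# server. Lines 3 and 4: ordinary traffic, including a legitimate .idq query.
SAMPLE_LOG = "\n".join([
    f'10.0.0.5 - - [10/Aug/2001:16:19:25 -0700] "GET /default.ida?{"N" * 224}%u9090%u6858%ucbd3%u7801 HTTP/1.0" 200 -',
    f'10.0.0.9 - - [10/Aug/2001:16:20:01 -0700] "GET /default.ida?{"X" * 224}%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 -',
    '10.0.0.7 - - [10/Aug/2001:16:21:13 -0700] "GET /index.html HTTP/1.1" 200 1234',
    '10.0.0.8 - - [10/Aug/2001:16:22:40 -0700] "GET /search.idq?CiRestriction=quarterly HTTP/1.1" 200 5120',
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client} {f.path} {f.variant} status={f.status} reached_handler={f.reached_handler}")
```

Run against the constructed log, the first two lines are flagged as Code Red I and Code Red II respectively; only the first is marked as having reached a handler, which is the situation the eEye text describes. The legitimate search.idq query is left alone because its query string is short.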
Current thread:
- Re: CR II - winME? confirmation? (Slightly OT) Amer Karim (Aug 07)
- Re: CR II - winME? confirmation? (Slightly OT) kam (Aug 07)
- Re: CR II - winME? confirmation? (Slightly OT) Meritt James (Aug 08)
- Re: CR II - winME? confirmation? (Slightly OT) Devdas Bhagat (Aug 09)
- RE: CR II - winME? confirmation? (Slightly OT) Ken Pfeil (Aug 09)
- Re: CR II - winME? confirmation? (Slightly OT) Jordan (Aug 10)
- RE: CR II - winME? confirmation? (Slightly OT) Amer Karim (Aug 10)
- Re: CR II - winME? confirmation? (Slightly OT) Meritt James (Aug 08)
- Re: CR II - winME? confirmation? (Slightly OT) kam (Aug 07)
- Re: CR II - winME? confirmation? (Slightly OT) Michael J. Cannon (Aug 08)
- <Possible follow-ups>
- RE: CR II - winME? confirmation? (Slightly OT) Gregory_DeGennaro (Aug 07)
- Re: CR II - winME? confirmation? (Slightly OT) Grab Raham (Aug 07)
- Re: CR II - winME? confirmation? (Slightly OT) Amer Karim (Aug 07)
- Re: CR II - winME? confirmation? (Slightly OT) Jason Haar (Aug 08)
- Re: CR II - winME? confirmation? (Slightly OT) HackHawk (Aug 10)
- Re: CR II - winME? confirmation? (Slightly OT) Gregory McCann (Aug 08)
- Re: CR II - winME? confirmation? (Slightly OT) Enrique A. Compañ Gzz. (Aug 10)
- Re: CR II - winME? confirmation? (Slightly OT) Jason Haar (Aug 08)
- RE: CR II - winME? confirmation? (Slightly OT) Gregory_DeGennaro (Aug 09)
- RE: CR II - winME? confirmation? (Slightly OT) Inman, Carey (Aug 09)