Bugtraq mailing list archives

IIS Advisory Update

From: Marc () EEYE COM (Marc)
Date: Sun, 24 Jan 1999 19:42:16 -0800


I am still receiving eMails such as:

Not to burst anyones bubble, or Im doing it wrong, but in testing my ftp
server at my office which is an NT4.0 sp3, iis 4.0 box. I cant even put in
that many letters to make it crash..

Please understand that the above is a client side restriction..

The only valid eMail I have gotten, and has pretty much been proven so far,
was from Mnemonix were he couldnt reproduce the overflow on NT 4 Server IIS4
(installed from NT 4 Option pack) with service Pack 3 - no hotfixes. He used
telnet to establish the session to the FTP server and then issued the PORT
command and had netcat listen on the port. He then tried the overflow and it
did not work. This very well may be true because we did not test sp3. There
seems to be some mixed findings... some I am not sure if the people eMailing
me are doing it wrong and some could be configuration differences. Which
ever the case its up to Microsoft to fix the problem. We do know positivily
the following:

NT + Option Pack Four (IIS4) + sp4 is exploitable
NT + IIS3 + sp4 is exploitable
PWS1.0 is exploitable.

I am going to go pass out now.

Signed,
Marc
eEye Digital Security Team
www.eEye.com

P.S.
Some of the Unix ftp clients also malform the request so even though to the
eye it looks like its sending the correct "ls (aaa...)" it doesnt send it
correctly. Some goes for NT4.0's ftp.exe and a few others.

Current thread:

Re: linux crashes irix6.3, (continued)
- - - Re: linux crashes irix6.3 J.A. Gutierrez (Jan 23)
    - CERT Advisory CA-99.01 - TCP.Wrappers (fwd) //Stany (Jan 22)
    - Misleading CERT Advisory CA-99-01-Trojan-TCP-Wrappers Jochen Thomas Bauer (Jan 22)
    - Follow up - IIS 4 logging mnemonix (Jan 23)
- WebRamp M3 remote network access bug John Stanley (Jan 21)
  - Re: WebRamp M3 remote network access bug James Egelhof (Jan 21)
  - Perl.exe and IIS security advisory mnemonix (Jan 22)
    - Re: Perl.exe and IIS security advisory Tabor J. Wells (Jan 24)
    - Repost: Wietse's FTP site has moved Wietse Venema (Jan 25)
    - Using Example Domain Names in Exploits bandregg () REDHAT COM (Jan 25)
    - IIS Advisory Update Marc (Jan 24)
- backdoored tcp wrapper source code Wietse Venema (Jan 21)
  - Re: backdoored tcp wrapper source code John Stange (Jan 23)
    - SSH 1.x and 2.x Daemon KuRuPTioN (Jan 23)
    - Re: SSH 1.x and 2.x Daemon Jan B. Koum (Jan 24)
    - Re: SSH 1.x and 2.x Daemon Linux Mailing Lists (Jan 25)
    - Re: SSH 1.x and 2.x Daemon KuRuPTioN (Jan 25)
    - Re: SSH 1.x and 2.x Daemon Alan Olsen (Jan 24)
    - baynetworks router DoS Virsoft (Jan 25)
    - Re: baynetworks router DoS Neale Banks (Jan 26)
    - 2.2.0 SECURITY (fwd) Aaron Lehmann (Jan 26)

(Thread continues...)