Bugtraq mailing list archives
IIS Advisory Update
From: Marc () EEYE COM (Marc)
Date: Sun, 24 Jan 1999 19:42:16 -0800
I am still receiving eMails such as:
Not to burst anyone's bubble, or I'm doing it wrong, but in testing my ftp server at my office which is an NT4.0 sp3, iis 4.0 box. I can't even put in that many letters to make it crash..

Please understand that the above is a client side restriction. The only valid eMail I have gotten, and has pretty much been proven so far, was from Mnemonix where he couldn't reproduce the overflow on NT 4 Server IIS4 (installed from NT 4 Option pack) with service Pack 3 - no hotfixes. He used telnet to establish the session to the FTP server and then issued the PORT command and had netcat listen on the port. He then tried the overflow and it did not work. This very well may be true because we did not test sp3.

There seems to be some mixed findings... some I am not sure if the people eMailing me are doing it wrong and some could be configuration differences. Whichever the case, it's up to Microsoft to fix the problem.

We do know positively the following:

NT + Option Pack Four (IIS4) + sp4 is exploitable
NT + IIS3 + sp4 is exploitable
PWS1.0 is exploitable.

I am going to go pass out now.

Signed,
Marc
eEye Digital Security Team
www.eEye.com

P.S. Some of the Unix ftp clients also malform the request so even though to the eye it looks like it's sending the correct "ls (aaa...)" it doesn't send it correctly. Same goes for NT4.0's ftp.exe and a few others.