Bugtraq mailing list archives

Re: Safe(?) testing for idq.dll vulnerability

From: Matt Scarborough <vexversa () usa net>
Date: 20 Jul 2001 15:57:19 EDT

On Fri, 20 Jul 2001 01:59:28 +0000, Chris St. Clair wrote:

I had to come up with a way to test a server remotely for this
vulnerability without actually killing it and running the plerthora
of exploit code that is out. This is what I have, hopefully someone
can use it.


Good ideas.

Marc Maiffret discusses just such a test at
http://www.8wire.com/article_render/?aid=2094
(may reqire registration)

McAfee is offering "CyberCop WormScan" free
http://www.mcafeeasap.com/asp_subscribe/trial_cc_wormscan.asp

Matt Scarborough 2001-07-20

Known Vulnerable Testing Platform
The first round of tests was run on a Windows 2000 Server running
IIS 5.0 (if anyone has similar analysis for IIS 4.0 I'd love to
see it) with AND without SP1 (no difference) not patched for MS01-033.

Results
Sending 1-219 bytes yields the error:
The IDQ file NULL.ida could not be found.
Nothing written to the event log.

Sending 220-231 bytes we get:
File .
Error 0xc0000005 caught while processing query
Nothing written to the event log.

Sending 232-??? bytes we get:
No response from web server.
System event log event ID 7031 from Service Control Manager.
IIS services are then stopped and restarted.


Known Invulnerable Testing Platform
Another system running Windows 2000 Server, IIS 5.0 with SP1 and
the patch for MS01-033.

Results
Sending 1-199 bytes yields the error:
The IDQ file NULL.ida could not be found.
Nothing written to the event log.

Sending 200-??? bytes we get:
File .
Error 0x80040e14 caught while processing query
Nothing written to the event log.

So, in summary, to test do the following:
send 200 bytes
if response = "Error 0x80040e14 caught while processing query" the
sytem is patched.
if response = "The IDQ file NULL.ida could not be found." the system
is not patched.

I can't take all the credit for figuring this out. Like most people,
I owe it all to the following bit of code:
#!/bin/sh
SIZE=1
export SIZE

while [ $SIZE -lt 201 ]; do
    BUFF="`perl -e 'print \"x\" x $ENV{SIZE}'`"
    echo -e "GET /NULL.ida?$BUFF=X HTTP/1.1\nHost: iluvpaul\n\n" | \
         nc host port
    SIZE=`expr $SIZE + 1`
done



____________________________________________________________________
Get free email and a permanent address at http://www.amexmail.com/?A=1

Current thread:

Safe(?) testing for idq.dll vulnerability Chris St. Clair (Jul 20)
- <Possible follow-ups>
- RE: Safe(?) testing for idq.dll vulnerability Andrew Hatfield (Jul 20)
- Re: Safe(?) testing for idq.dll vulnerability Matt Scarborough (Jul 20)
- RE: Safe(?) testing for idq.dll vulnerability Chris St. Clair (Jul 20)