Bugtraq mailing list archives
Re: Safe(?) testing for idq.dll vulnerability
From: Matt Scarborough <vexversa () usa net>
Date: 20 Jul 2001 15:57:19 EDT
On Fri, 20 Jul 2001 01:59:28 +0000, Chris St. Clair wrote:
I had to come up with a way to test a server remotely for this vulnerability without actually killing it and running the plethora of exploit code that is out. This is what I have, hopefully someone can use it.
Good ideas. Marc Maiffret discusses just such a test at http://www.8wire.com/article_render/?aid=2094 (may require registration).

McAfee is offering "CyberCop WormScan" free: http://www.mcafeeasap.com/asp_subscribe/trial_cc_wormscan.asp

Matt Scarborough 2001-07-20
Known Vulnerable Testing Platform

The first round of tests was run on a Windows 2000 Server running IIS 5.0 (if anyone has similar analysis for IIS 4.0 I'd love to see it) with AND without SP1 (no difference), not patched for MS01-033.

Results

Sending 1-219 bytes yields the error:
  The IDQ file NULL.ida could not be found.
Nothing written to the event log.

Sending 220-231 bytes we get:
  File . Error 0xc0000005 caught while processing query
Nothing written to the event log.

Sending 232-??? bytes we get:
  No response from web server.
System event log event ID 7031 from Service Control Manager. IIS services are then stopped and restarted.

Known Invulnerable Testing Platform

Another system running Windows 2000 Server, IIS 5.0 with SP1 and the patch for MS01-033.

Results

Sending 1-199 bytes yields the error:
  The IDQ file NULL.ida could not be found.
Nothing written to the event log.

Sending 200-??? bytes we get:
  File . Error 0x80040e14 caught while processing query
Nothing written to the event log.

So, in summary, to test do the following:

send 200 bytes
if response = "Error 0x80040e14 caught while processing query" the system is patched.
if response = "The IDQ file NULL.ida could not be found." the system is not patched.

I can't take all the credit for figuring this out. Like most people, I owe it all to the following bit of code:

#!/bin/sh
# Send /NULL.ida requests with a query key of 1..200 bytes; "host port" are placeholders.
SIZE=1
export SIZE
while [ "$SIZE" -lt 201 ]; do
    # SIZE bytes of "x", read by perl from the exported environment variable
    BUFF=$(perl -e 'print "x" x $ENV{SIZE}')
    printf 'GET /NULL.ida?%s=X HTTP/1.1\nHost: iluvpaul\n\n' "$BUFF" | \
        nc host port
    SIZE=$(expr "$SIZE" + 1)
done
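The 200-byte check Chris describes, written as an added Python example (not code from the thread) that sends only that one size and classifies the answer by the two error strings from his results; the Host header value, port and timeout are assumptions:

```python
import socket

# Chris's observation: at exactly 200 bytes a patched and an unpatched
# IIS 5.0 answer differently, and 200 is well below the 232 bytes at
# which the unpatched server stops responding.
PROBE_LEN = 200
PATCHED_MARKER = b"Error 0x80040e14 caught while processing query"
UNPATCHED_MARKER = b"The IDQ file NULL.ida could not be found"


def build_probe(host_header, size=PROBE_LEN):
    """Raw request bytes: /NULL.ida with a `size`-byte query key, as in the posted script."""
    key = b"x" * size
    return (b"GET /NULL.ida?" + key + b"=X HTTP/1.1\r\n"
            b"Host: " + host_header.encode("ascii") + b"\r\n\r\n")


def classify_response(body):
    """Map a response body onto the outcomes listed in the post."""
    if PATCHED_MARKER in body:
        return "patched"
    if UNPATCHED_MARKER in body:
        return "unpatched"
    if not body:
        return "no-response"  # not expected at 200 bytes; worth a manual look
    return "unknown"


def probe(host, port=80, timeout=5.0):
    """Send one 200-byte probe to host:port (assumed defaults) and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(host))
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # IIS may hold the connection open; classify what arrived
    return classify_response(b"".join(chunks))
```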