Snort mailing list archives
Re: IDS553/web-iis_IIS ISAPI Overflow idq
From: Dr SuSE <drsuse () drsuse org>
Date: Wed, 15 Aug 2001 14:14:38 GMT
The IDQ exploit rule was written based on the reports from eeye.com which show the ida and idq buffer overflows to be the same. Windows Index Server ships with Windows NT 4.0 Option Pack and Windows Indexing Service ships with Windows 2000. An unchecked buffer exists in the 'idq.dll' ISAPI extension associated with each service. A maliciously crafted request could allow the execution of arbitrary code on the host in the Local System context. It should be noted that Index Server and Indexing Service do not need to be running in order for an attacker to exploit this issue. 'idq.dll' is installed by default when IIS is installed; subsequently, IIS would need to be the only service running. It should be noted that this vulnerability is currently being exploited by the 'Code Red' worm. In addition, all products that run affected versions of Microsoft IIS are subject to this issue. Please see the reference section for further information regarding this worm.
john.ruff () us abb com wrote:

One of the rules I'm using for Code Red is generating alerts that seem to be false; rather, I'm not sure they're reliable. Rule from Whitehats.com:

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS553/web-iis_IIS ISAPI Overflow idq"; dsize: >239; flags: A+; uricontent: ".idq?"; classtype: system-or-info-attempt; reference: arachnids,553;)

Here are my log entries. In all cases the traffic flow is from 'web proxy client' --> 'MS Proxy Server'. What are the chances that this is a false alarm? I've scanned these clients with Eeye's scanner (v 2.7) and come up with nothing.

Actually, I've been noticing that quite a bit as well. It's also used by anyone that uses Microsoft's Index Server. (Large corporations have this all over the place to index their Word documents.) There is a buffer overflow in the handling of .idq requests in IIS, but there has yet to be a released exploit for it. I'm not exactly sure what the best solution for reducing the false positives would be, except lower the priority and look at them if you have time.

-- Brian Caswell
The MITRE Corporation

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Score my PGP key @ http://www.drsuse.org/pks
---------------------------------------------
Microsoft is not installed.
http://www.drsuse.org/
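As an added example (not code from this thread, from Snort, or from Whitehats), the two payload checks the quoted IDS553 rule applies (dsize:>239 and uricontent:".idq?") re-implemented in Python and run over constructed HTTP requests, to show why a harmless but verbose Index Server search from a proxy client trips the rule while a long request to any other URI does not. The query-string parameter names are assumed Index Server form fields chosen for illustration; the port, direction and TCP flag conditions of the rule are taken as satisfied.

```python
# Re-implementation of the payload conditions of the IDS553 rule quoted in
# the thread, for explaining false positives. Not the Snort engine itself.

MIN_DSIZE = 240            # dsize:>239 means a TCP payload of 240 bytes or more
URI_CONTENT = b".idq?"     # uricontent:".idq?" is matched against the request URI only


def matches_ids553(payload: bytes) -> bool:
    """Return True if this TCP payload would satisfy the rule's content checks."""
    if len(payload) < MIN_DSIZE:
        return False
    # uricontent inspects the URI of the request line, not headers or body.
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return False
    return URI_CONTENT in parts[1]


def build_request(uri: str, host: str = "intranet.example") -> bytes:
    """Constructed HTTP/1.0 request as a proxy client would send it (assumed headers)."""
    return (f"GET {uri} HTTP/1.0\r\nHost: {host}\r\n"
            f"User-Agent: Mozilla/4.0\r\n\r\n").encode()


# Constructed samples. Index Server passes the search text and display options
# in the query string, so an ordinary detailed search easily exceeds 239 bytes.
SHORT_QUERY = build_request(
    "/search/query.idq?CiRestriction=budget&CiMaxRecordsPerPage=10")
LONG_QUERY = build_request(
    "/search/query.idq?CiRestriction=quarterly+budget+forecast+2001"
    "&CiScope=%2Fdocs&CiMaxRecordsPerPage=25&CiSort=rank%5Bd%5D"
    "&HTMLQueryForm=%2Fsearch%2Fquery.htm&TemplateName=query"
    "&CiColumns=filename%2Csize%2Cwrite%2Crank&CiFlags=DEEP")
LONG_NOT_IDQ = build_request("/default.asp?p=" + "x" * 260)


def classify(payload: bytes) -> str:
    """Label a payload the way the sensor would: ALERT or ok."""
    return "ALERT" if matches_ids553(payload) else "ok"


if __name__ == "__main__":
    for name, pkt in [("short .idq query", SHORT_QUERY),
                      ("long .idq query", LONG_QUERY),
                      ("long non-idq URI", LONG_NOT_IDQ)]:
        print(f"{name:18} dsize={len(pkt):4} -> {classify(pkt)}")
```

The long .idq request alerts purely on size plus the ".idq?" substring, which is the benign pattern the thread describes; the rule has no way to distinguish a verbose search from an oversized request, so the size threshold alone is what decides.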
Current thread:
- IDS553/web-iis_IIS ISAPI Overflow idq john . ruff (Aug 15)
- Re: IDS553/web-iis_IIS ISAPI Overflow idq Brian Caswell (Aug 15)
- Re: IDS553/web-iis_IIS ISAPI Overflow idq Ryan Russell (Aug 15)
- <Possible follow-ups>
- Re: IDS553/web-iis_IIS ISAPI Overflow idq Dr SuSE (Aug 15)