Vulnerability Development mailing list archives
RE: CR II - winME? confirmation? (Slightly OT)
From: "Ken Pfeil" <Ken () infosec101 org>
Date: Wed, 8 Aug 2001 13:32:04 -0400
Nope. If IIS is not running, there is no delivery mechanism for the overflow to be delivered on. If the mappings are not present, the overflow cannot take place to the vulnerable ISAPI .dll's, and if you are patched with MS01-033 you do not have vulnerable .dll's. Plain and simple: If users can establish a web session under IIS, you have not applied the patch, AND the mappings are present - you are vulnerable.
-----Original Message-----
From: Meritt James [mailto:meritt_james () bah com]
Sent: Wednesday, August 08, 2001 9:28 AM
To: kam
Cc: Amer Karim; VULN-DEV List
Subject: Re: CR II - winME? confirmation? (Slightly OT)

"running" or "installed"? It is my understanding that the vulnerability exists if the files and mapping are there no matter the process state of the IIS server.

Is my understanding incorrect?

Jim

kam wrote:

> Without IIS running, an attacker has no means of exploiting the vulnerable file. With no access to the file, the vulnerability does not exist. If they're running IIS, then there is a hole which they can exploit. Even though it comes installed by default on 2000, it's not a risk until you turn on your web services.
>
> kam
>
> ----- Original Message -----
> From: "Amer Karim" <amerk () telus net>
> To: "VULN-DEV List" <VULN-DEV () SECURITYFOCUS COM>
> Sent: Tuesday, August 07, 2001 10:03 AM
> Subject: Re: CR II - winME? confirmation? (Slightly OT)
>
> > Hi All,
> >
> > All the advisories about CR state that only IIS servers are vulnerable. However, it's my understanding that the unchecked buffer in idq.dll was the source of that vulnerability. If that's the case, then why have the advisories not included Win2K systems (all flavours) since idq.dll is installed by default as part of the indexing service on all these systems - regardless of whether they are using the service or not? Wouldn't that make ANY system with the indexing service on it just as vulnerable as systems with IIS? Am I overlooking something obvious here?
> >
> > Regards,
> > Amer Karim
> > Nautilis Information Systems
> > e-mail: amerk () telus net, mamerk () hotmail com

--
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566
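As an added example that is not part of the original thread, the sketch below triages a constructed host inventory against the three conditions named in the reply (IIS running, mappings present, MS01-033 missing), and separates hosts that merely have idq.dll installed from hosts where it is reachable. The `Host` fields, the status names ("latent", "exposed") and the `.ida`/`.idq` extension set are assumptions made for this illustration.

```python
from dataclasses import dataclass, field

# Extensions whose script mapping routes requests to idq.dll. Assumption from
# general knowledge of MS01-033; the thread itself only says "the mappings".
IDQ_EXTENSIONS = {".ida", ".idq"}

@dataclass
class Host:                      # hypothetical inventory record
    name: str
    idq_dll_present: bool        # file installed, e.g. with the indexing service
    iis_running: bool            # users can establish a web session
    script_mappings: set = field(default_factory=set)
    ms01_033_applied: bool = False

def triage(host):
    """Return (status, reasons) for one host, per the conditions in the reply."""
    if not host.idq_dll_present or host.ms01_033_applied:
        return "not-vulnerable", ["no vulnerable idq.dll (absent or patched)"]
    blockers = []
    if not host.iis_running:
        blockers.append("IIS not running: no delivery mechanism")
    if not (host.script_mappings & IDQ_EXTENSIONS):
        blockers.append("no script mapping routes requests to idq.dll")
    if blockers:
        # Unpatched file is on disk but unreachable; turning on web services
        # or restoring the mappings would remove these blockers.
        return "latent", blockers
    return "exposed", ["IIS running, mappings present, MS01-033 missing"]

# Constructed inventory, not real hosts.
INVENTORY = [
    Host("web01", True, True, {".ida", ".idq", ".asp"}),
    Host("wks-win2k", True, False),                      # indexing service only
    Host("web02", True, True, {".asp"}),                 # mappings removed
    Host("web03", True, True, {".ida", ".idq"}, ms01_033_applied=True),
]

def report(hosts):
    """Map host name to triage status."""
    return {h.name: triage(h)[0] for h in hosts}

if __name__ == "__main__":
    for h in INVENTORY:
        status, reasons = triage(h)
        print(f"{h.name:10} {status:15} {'; '.join(reasons)}")
```

The "latent" result corresponds to the Win2K case raised in the thread: the file is installed, but nothing delivers a request to it until web services are turned on.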