  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Washington D.C. area

    Buffer Overflow in IIS 5.0

    This came to me from BugTraq. I think that MANY folks here would have interest.

    CERT Advisory CA-2003-09 Buffer Overflow in Microsoft IIS 5.0

    Original issue date: March 17, 2003
    Last revised: --
    Source: CERT/CC

    A complete revision history is at the end of this file.

    Systems Affected

    * Systems running Microsoft Windows 2000 with IIS 5.0 enabled


    A buffer overflow vulnerability exists in Microsoft IIS 5.0 running on
    Microsoft Windows 2000. IIS 5.0 is installed and running by default on
    Microsoft Windows 2000 systems. This vulnerability may allow a remote
    attacker to run arbitrary code on the victim machine.

    An exploit is publicly available for this vulnerability, which
    increases the urgency that system administrators apply a patch.

    I. Description

    IIS 5.0 includes support for WebDAV, which allows users to manipulate
    files stored on a web server (RFC2518). A buffer overflow
    vulnerability exists in ntdll.dll (a portion of code utilized by the
    IIS WebDAV component). By sending a specially crafted request to an
    IIS 5.0 server, an attacker may be able to execute arbitrary code in
    the Local System security context, essentially giving the attacker
    complete control of the system.

    Microsoft has issued the following bulletin regarding this


    This vulnerability has been assigned the identifier CAN-2003-0109 by
    the Common Vulnerabilities and Exposures (CVE) group:


    II. Impact

    Any attacker who can reach a vulnerable web server can gain complete
    control of the system and execute arbitrary code in the Local System
    security context. Note that this may be significantly more serious
    than a simple "web defacement."

    III. Solution

    Apply a patch from your vendor

    A patch is available from Microsoft at


    Disable vulnerable service

    Until a patch can be applied, you may wish to disable IIS. To
    determine if IIS is running, Microsoft recommends the following:

    Go to Start | Settings | Control Panel | Administrative Tools | Services.

    If the World Wide Web Publishing service is listed then IIS
    is installed

    To disable IIS, run the IIS lockdown tool. This tool is available


    If you cannot disable IIS, consider using the IIS lockdown tool to
    disable WebDAV (removing WebDAV can be specified when running the IIS
    lockdown tool). Alternatively, you can disable WebDAV by following the
    instructions located in Microsoft's Knowledgebase Article 241520, "How
    to Disable WebDAV for IIS 5.0":


    Restrict buffer size

    If you cannot use either IIS lockdown tool or URLScan, consider
    restricting the size of the buffer IIS utilizes to process requests by
    using Microsoft's URL Buffer Size Registry Tool. This tool can be run
    against a local or remote Windows 2000 system running Windows 2000
    Service Pack 2 or Service Pack 3. The tool, instructions on how to use
    it, and instructions on how to manually make changes to the registry
    are available here:

    URL Buffer Size Registry Tool - http://go.microsoft.com/fwlink/?LinkId=14875

    Microsoft Knowledge Base Article 816930 - http://support.microsoft.com/default...b;en-us;816930

    Microsoft Knowledge Base Article 260694 - http://support.microsoft.com/default...b;en-us;260694

    You may also wish to use URLScan, which will block web requests that
    attempt to exploit this vulnerability. Information about URLScan is
    available at:


    Appendix A. Vendor Information

    This appendix contains information provided by vendors. When vendors
    report new information, this section is updated and the changes are
    noted in the revision history. If a vendor is not listed below, we
    have not received their comments.

    Microsoft Corporation

    Please see Microsoft Security Bulletin MS03-007.
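
Added example, not part of the original post or the CERT advisory: while the patch and the WebDAV lockdown described above are being rolled out, the IIS W3C extended logs can be triaged to see which clients are sending WebDAV (RFC 2518) requests. The log lines are constructed, and the function names and the 1024-character URI threshold are assumptions for illustration, not values from the advisory.

```python
# Triage IIS W3C extended logs for WebDAV requests (added example).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY",
                  "MOVE", "LOCK", "UNLOCK"}      # methods defined in RFC 2518
LONG_URI = 1024  # assumed triage threshold, not taken from the advisory

# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-03-17 12:00:01 192.0.2.10 GET /default.htm 200
2003-03-17 12:00:05 192.0.2.44 PROPFIND /docs/ 207
2003-03-17 12:00:09 198.51.100.7 LOCK /{long} 500
this line is malformed and must be skipped
2003-03-17 12:00:12 192.0.2.10 POST /form.asp 200
""".format(long="x" * 2000)


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the active #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # #Fields can reappear mid-file after a service restart.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def triage(text, long_uri=LONG_URI):
    """Return WebDAV requests, marking those with an unusually long URI."""
    findings = []
    for rec in parse_w3c(text):
        method = rec.get("cs-method", "").upper()
        if method not in WEBDAV_METHODS:
            continue
        uri_len = len(rec.get("cs-uri-stem", ""))
        findings.append({"client": rec.get("c-ip", "-"), "method": method,
                         "status": rec.get("sc-status", "-"),
                         "uri_len": uri_len, "oversized": uri_len > long_uri})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On a server where WebDAV is not used legitimately, any entry in the output is worth reviewing; entries marked oversized are the first to check.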

  2. #2
    Senior Member tampabay420
    Join Date
    Aug 2002

    evolve or die, patch quickly!
    thanks for the heads up horse13
    yeah, I'm gonna need that by friday...

  3. #3
    Senior Member
    Join Date
    Aug 2002
    I got this seminar announcement from my Boss. I am going to try to attend. I figured you guys may want to check it out also:

    Special Flash Webcast: Tuesday March 18, 2003 3:00 EST, (2000 UTC)

    Overview: Windows 2000 WebDAV Buffer Overflow Exploit Against IIS 5.0

    Will a new Code Red Worm get to your machine before you take the
    necessary steps to protect yourself?

    If you are running IIS 5.0 on Windows 2000, you probably already know
    that a buffer overflow exploit has been discovered in a WebDAV component
    on IIS 5.0. The error permits the remote execution of arbitrary
    commands, and that's all the hackers need to start up another worm with
    nearly the same impact as Code Red.

    WebDAV is used to manage files on the web server using the HTTP/HTTPS
    protocol itself, hence, it operates over TCP 80/443. WebDAV is enabled
    by default and Microsoft has assigned a severity rating of CRITICAL to
    this issue. Tuesday's webcast will discuss the WebDAV vulnerability and
    how to fix it before the race to complete the "WebDAV Worm" is

    The webcast features two top Windows Security experts who will first
    give you an overview and then answer your questions:

    Jason Fossen: SANS premier teacher of advanced security techniques for
    Chris Weber: Author of the definitive book on Windows XP Security

    There is no cost.

    Register early to reserve a seat in the live program

    See www.sans.org for details.

    PS. This new vulnerability demonstrates, again, the reason that SANS
    Windows Security training is so important to organizations that have
    important data on Windows systems. If you accepted Microsoft's standard
    configuration, you would have been vulnerable to attacks using this
    vulnerability. If you followed the guidance SANS teaches in the course,
    you would not have been vulnerable. It doesn't always work -- but it
    works quite often.
    Here's the schedule for SANS upcoming Securing Windows training courses:

    New York City: March 24-29
    Baltimore: April 7-12
    Monterey, CA: June 11-16
    London, UK: June 23-18
    Washington, DC: July 14-19
    Plus online and onsite training
    See www.sans.org for details.

    Opinions are like holes - everybody's got'em.


  4. #4
    Join Date
    Mar 2003


    Do you know where the exploit is available at.

    Or not.


  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Washington D.C. area
    You can find the tool out on the internet. I cannot/will not post it here. Sorry
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    Join Date
    Jul 2002
    This exploit was directed at US military web servers first!

  7. #7
    Join Date
    Mar 2003


    US army hacked via iis hole, 3 hours ago.


    The world is moving on.......

