Results 1 to 2 of 2

Thread: Windows Media Services Remote Command Execution

  1. #1
    Join Date
    Sep 2002

    Windows Media Services Remote Command Execution

    Flaw in ISAPI Extension for Windows Media Services Could Cause Code Execution (822343)
    Originally posted: June 25, 2003

    Who should read this bulletin: System administrators running Microsoft® Windows® 2000

    Impact of vulnerability: Allow an attacker to execute code of their choice

    Maximum Severity Rating: Important

    Recommendation: System administrators should install the patch at the earliest available opportunity.

    End User Bulletin: An end user version of this bulletin is available at:


    Affected Software:

    Microsoft Windows 2000
    Not Affected Software Versions:

    Windows NT 4.0
    Microsoft Windows XP
    Microsoft Windows Server 2003

    Technical details
    Technical description:

    Microsoft Windows Media Services is a feature of Microsoft Windows 2000 Server, Advanced Server, and Datacenter Server and is also available in a downloadable version for Windows NT 4.0 Server. Windows Media Services contains support for a method of delivering media content to clients across a network known as multicast streaming. In multicast streaming, the server has no connection to or knowledge of the clients that may be receiving the stream of media content coming from the server. To facilitate logging of client information for the server, Windows 2000 includes a capability specifically designed to enable logging for multicast transmissions.

    This logging capability is implemented as an Internet Services Application Programming Interface (ISAPI) extension – nsiislog.dll. When Windows Media Services are added through add/remove programs to Windows 2000, nsiislog.dll is installed in the Internet Information Services (IIS) Scripts directory on the server. Once Windows Media Services is installed, nsiislog.dll is automatically loaded and used by IIS.

    There is a flaw in the way nsiislog.dll processes incoming client requests. A vulnerability exists because an attacker could send specially formed HTTP request (communications) to the server that could cause IIS to fail or execute code on the user's system.

    Windows Media Services is not installed by default on Windows 2000. An attacker attempting to exploit this vulnerability would have to be aware which computers on the network had Windows Media Services installed on it and send a specific request to that server.

    Mitigating factors:

    Windows Media Services 4.1 is not installed by default on Windows 2000.
    Windows Media Services are not available for Windows 2000 Professional.
    Severity Rating: Windows 2000 Important
    The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

    Vulnerability identifier: CAN-2003-0349

    Tested Versions:
    Microsoft tested Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.


  2. #2
    Senior Member
    Join Date
    Jul 2002
    black_death thanks for the heads up. That looks like it can be a real serious problem.

    Keep the info coming man...

    - The mind is too beautiful to waste...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts