[20666] in bugtraq
MS01-026 - proof of concept - Followup
daemon@ATHENA.MIT.EDU (Filip Maertens)
Wed May 16 09:41:10 2001
Message-ID: <3B0232DF.E1312A8C@securax.be>
Date: Wed, 16 May 2001 09:57:19 +0200
From: Filip Maertens <filip@securax.be>
MIME-Version: 1.0
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
A few remarks.
The following topics tackle some comments made through private
e-mail. Just clarification.
NOT UNICODE - This is not 100% Unicode we are talking about. This is
the vulnerability as discovered by NSFOCUS (Security Advisory
SA2001-02). This has been documented by Microsoft as MS01-026 and can
be found at CERT (CERT® Advisory CA-2001-12).
Please read the history in the advisory to get a full update on the
whereabouts of this vulnerability. This five-minute code snippet is
meant to provide an easy-to-use testing interface for your IIS
webservers. Nothing more, nothing less.
CRIPPLED: Seems I've been sending the backup code I had on my Windows
machine instead of the working one on my OpenBSD testing machine. It
will spit out an error; everyone with even pre-basic C knowledge will
know how to solve this. However, simply put brackets on the if
instruction like this:
if ( strstr(recvbuffer, "404") == NULL ) {
    /* No "404" seen in the reply so far: read the rest of the server's
       response one byte at a time and echo it to stdout. */
    while ( recv(create_socket, recvbuffer, 1, 0) > 0 ) {
        printf("%c", recvbuffer[0]);
    }
} else {
    /* The server answered 404: the request was not processed. */
    printf(" -- Wrong command processing. \n");
}
PROOF OF CONCEPT - Tool or weapon? I guess everyone gets these
discussions now and then, and I don't even want to go that way. The
advisory is very clear, the patch is there... I do not see any harm in
having a quick'n'dirty interface for this vulnerability on this
advisory. Mind you, anyone with a netcat can pull off the exact same
thing. Hence it's even a waste of time wasting C on this one,
but it just happened I had to write this one for testing purposes on our
own IIS testing machines, and I didn't feel like opening a netcat
connection and manually typing the GET request. There is no logic, I
know... :-)
Cheers,
</filip>
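Added example, not Filip Maertens' tool and not code from the advisory: a small C checker in the same spirit as the snippet above (send one GET, decide by the server's answer whether the request was processed). It differs from the snippet in two ways a practitioner would want: it reads the whole response before judging it, and it parses the HTTP status line instead of searching the stream for the string "404", so a "404" that merely appears in a page body is not mistaken for a status code. Host, port and request path are taken from the command line; no MS01-026 payload is included, since the message above does not give one, and the IIS-specific request is left to the reader's own test setup.

```c
/* Added example: minimal "did IIS process this request?" checker.
 * Not the original tool; hypothetical interface: host port path. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

#define RESP_MAX 65536

/* Build "GET <path> HTTP/1.0" with a Host header. Returns the request
 * length, or -1 if it does not fit in out[]. */
int build_get_request(const char *host, const char *path, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", path, host);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Parse the status code from a response starting "HTTP/1.x NNN ...".
 * Returns -1 if there is no well-formed status line, so garbage or a
 * truncated reply is never reported as a success. */
int http_status_code(const char *resp)
{
    const char *p = resp;
    if (strncmp(p, "HTTP/", 5) != 0)
        return -1;
    p = strchr(p, ' ');
    if (p == NULL)
        return -1;
    p++;
    if (!isdigit((unsigned char)p[0]) || !isdigit((unsigned char)p[1]) ||
        !isdigit((unsigned char)p[2]))
        return -1;
    if (p[3] != ' ' && p[3] != '\r' && p[3] != '\n' && p[3] != '\0')
        return -1;
    return (p[0] - '0') * 100 + (p[1] - '0') * 10 + (p[2] - '0');
}

/* Start of the body (after the blank line); NULL if headers are incomplete. */
const char *http_body(const char *resp)
{
    const char *b = strstr(resp, "\r\n\r\n");
    if (b != NULL)
        return b + 4;
    b = strstr(resp, "\n\n");
    return b != NULL ? b + 2 : NULL;
}

/* Read until the peer closes; buf is always NUL-terminated. */
static size_t recv_all(int fd, char *buf, size_t buflen)
{
    size_t total = 0;
    ssize_t n;
    while (total < buflen - 1 &&
           (n = recv(fd, buf + total, buflen - 1 - total, 0)) > 0)
        total += (size_t)n;
    buf[total] = '\0';
    return total;
}

int main(int argc, char **argv)
{
    struct addrinfo hints, *res;
    char req[2048];
    static char resp[RESP_MAX];
    int fd, reqlen, code;
    const char *body;

    if (argc != 4) {
        fprintf(stderr, "usage: %s host port path\n", argv[0]);
        return 2;
    }
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(argv[1], argv[2], &hints, &res) != 0) {
        fprintf(stderr, "cannot resolve %s\n", argv[1]);
        return 1;
    }
    fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (fd < 0 || connect(fd, res->ai_addr, res->ai_addrlen) < 0) {
        perror("connect");
        freeaddrinfo(res);
        return 1;
    }
    freeaddrinfo(res);

    reqlen = build_get_request(argv[1], argv[3], req, sizeof req);
    if (reqlen < 0 || send(fd, req, (size_t)reqlen, 0) != reqlen) {
        perror("send");
        close(fd);
        return 1;
    }
    recv_all(fd, resp, sizeof resp);
    close(fd);

    code = http_status_code(resp);
    body = http_body(resp);
    if (code == 404) {
        printf(" -- Wrong command processing (HTTP 404).\n");
        return 1;
    }
    printf("HTTP status %d\n%s", code, body != NULL ? body : "");
    return 0;
}
```

Run it as `./iischeck 10.0.0.5 80 /some/path` against your own test box (hypothetical host and path). Exit status 1 with the " -- Wrong command processing" line mirrors the snippet's else branch; anything else prints the status code and the body, which is what you want to eyeball when verifying a patch.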