[21741] in bugtraq


Re: Safe(?) testing for idq.dll vulnerability

daemon@ATHENA.MIT.EDU (Matt Scarborough)
Fri Jul 20 17:05:02 2001

Message-ID: <20010720195719.15521.qmail@awcst401.netaddress.usa.net>
Date: 20 Jul 2001 15:57:19 EDT
From: Matt Scarborough <vexversa@usa.net>
To: bugtraq@securityfocus.com
Cc: "Chris St. Clair" <chris_stclair@hotmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit

On Fri, 20 Jul 2001 01:59:28 +0000, Chris St. Clair wrote:

>I had to come up with a way to test a server remotely for this
>vulnerability without actually killing it and running the plethora
>of exploit code that is out. This is what I have, hopefully someone
>can use it.

Good ideas.

Marc Maiffret discusses just such a test at
http://www.8wire.com/article_render/?aid=2094
(may require registration)

McAfee is offering "CyberCop WormScan" free
http://www.mcafeeasap.com/asp_subscribe/trial_cc_wormscan.asp

Matt Scarborough 2001-07-20

>Known Vulnerable Testing Platform
>The first round of tests was run on a Windows 2000 Server running
>IIS 5.0 (if anyone has similar analysis for IIS 4.0 I'd love to
>see it) with AND without SP1 (no difference) not patched for MS01-033.
>
>Results
>Sending 1-219 bytes yields the error:
>The IDQ file NULL.ida could not be found.
>Nothing written to the event log.
>
>Sending 220-231 bytes we get:
>File .
>Error 0xc0000005 caught while processing query
>Nothing written to the event log.
>
>Sending 232-??? bytes we get:
>No response from web server.
>System event log event ID 7031 from Service Control Manager.
>IIS services are then stopped and restarted.
>
>
>Known Invulnerable Testing Platform
>Another system running Windows 2000 Server, IIS 5.0 with SP1 and
>the patch for MS01-033.
>
>Results
>Sending 1-199 bytes yields the error:
>The IDQ file NULL.ida could not be found.
>Nothing written to the event log.
>
>Sending 200-??? bytes we get:
>File .
>Error 0x80040e14 caught while processing query
>Nothing written to the event log.
>
>So, in summary, to test do the following:
>send 200 bytes
>if response = "Error 0x80040e14 caught while processing query" the
>system is patched.
>if response = "The IDQ file NULL.ida could not be found." the system
>is not patched.
>
>I can't take all the credit for figuring this out. Like most people,
>I owe it all to the following bit of code:
>#!/bin/sh
>SIZE=1
>export SIZE
>
>while [ $SIZE -lt 201 ]; do
>     BUFF="`perl -e 'print \"x\" x $ENV{SIZE}'`"
>     echo -e "GET /NULL.ida?$BUFF=X HTTP/1.1\nHost: iluvpaul\n\n" | \
>          nc host port
>     SIZE=`expr $SIZE + 1`
>done


____________________________________________________________________
Get free email and a permanent address at http://www.amexmail.com/?A=1
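A Python version of the 200-byte check summarised in the quoted message, added here as an example and not code from either poster. It reuses the two response strings Chris quoted to classify the reply, and refuses probe sizes above 200 so a check never drifts into the 220-byte-and-up range that faults or restarts an unpatched server; the host, port and timeout values are assumptions.

```python
import socket

# Response fragments quoted in the thread for a 200-byte /NULL.ida probe on IIS 5.0.
PATCHED_MARKER = "Error 0x80040e14 caught while processing query"
UNPATCHED_MARKER = "The IDQ file NULL.ida could not be found."
# Per the thread, 220-231 bytes fault the unpatched filter and 232+ bytes take
# IIS down, so the check refuses anything above the 200 bytes Chris settled on.
SAFE_PROBE_SIZE = 200


def build_request(host: str, size: int = SAFE_PROBE_SIZE) -> bytes:
    """Build the GET /NULL.ida?<size x 'x'>=X request from the thread's script."""
    if not 1 <= size <= SAFE_PROBE_SIZE:
        raise ValueError(f"probe size must be 1..{SAFE_PROBE_SIZE}, got {size}")
    query = "x" * size
    return (f"GET /NULL.ida?{query}=X HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def classify(response: bytes) -> str:
    """Map a raw HTTP response to 'patched', 'unpatched' or 'unknown'.

    'unknown' covers non-IIS hosts, servers without the .ida mapping, and an
    empty reply; none of those is evidence either way.
    """
    body = response.decode("latin-1", errors="replace")
    if PATCHED_MARKER in body:
        return "patched"
    if UNPATCHED_MARKER in body:
        return "unpatched"
    return "unknown"


def check_server(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send one 200-byte probe and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify(b"".join(chunks))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed default
    print(target, check_server(target))
```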
