Re: Windows Media Services Remote Command Execution #2

From: Brett Moore (brett.moore_at_SECURITY-ASSESSMENT.COM)
Date: 07/07/03

  • Next message: Russ: "Windows Update - My favorite topic"
    Date:         Mon, 7 Jul 2003 12:17:47 -0700


    Unfortunately I am unable to test that particular setup but based on the MS
    advisory it would appear that the nsiislog.dll file is available only
    the IIS /scripts folder.

    "This logging capability is implemented as an Internet Services Application
    Programming Interface (ISAPI) extension - nsiislog.dll. When Windows Media
    Services are added through add/remove programs to Windows 2000, nsiislog.dll
    is installed in the Internet Information Services (IIS) Scripts directory on
    the server. Once Windows Media Services is installed, nsiislog.dll is
    automatically loaded and used by IIS."

    Therefore if the /scripts folder is not available to the Internet then the
    vulnerable dll file can not be reached and can not be exploited remotely.

    Brett Moore

    -----Original Message-----
    From: Windows NTBugtraq Mailing List
    [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of Jim Winchell
    Sent: Thursday, 26 June 2003 8:03 a.m.
    Subject: Re: Windows Media Services Remote Command Execution #2

    Windows Media Server doesn't require IIS to be installed. IIS can be
    installed on the same machine, but in that case, either Windows Media or IIS
    have to be configured to use a different port for http since they can't both
    share port 80.

    Windows Media uses it's own built-in web server (Cougar) for streaming http
    traffic rather than IIS. If IIS isn't installed, the /scripts directory
    doesn't exist and nsiislog.dll is instead installed in
    %windir%\system32\Windows Media\Server.
    Can you confirm whether or not this affects Windows Media Servers that don't
    running IIS or can nsiislog.dll still be exploited?

    Jim Winchell

    Brett Moore wrote:

    > ========================================================================
    > = Windows Media Services Remote Command Execution #2
    > =
    > =
    > =
    > =
    > = MS Bulletin posted: June 25, 2003
    > =
    > =
    > = Affected Software:
    > = Microsoft Windows 2000

    Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!

    With a growth rate exceeding 110%, the TICSA security practitioner
    certification is one of the hottest IT credentials available. And now, for
    a limited time, you can save 33% off of the TICSA certification exam! To
    learn more about the TICSA certification, and to register as a TICSA
    candidate online, just go to


  • Next message: Russ: "Windows Update - My favorite topic"

    Relevant Pages