Windows 2003 IIS IP Binding - Bad default behaviour/security problem ...
From: David Connors (Public Mail) (davidc_at_CODIFY.COM)
Date: Tue, 5 Aug 2003 11:10:39 +1000 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Has anyone else noticed this strange/poor behaviour in Windows Server
1. Bind two IP addresses to your server, let's call these 10.0.0.1 and
2. Bind a web site to 10.0.0.2. Ensure no other web sites are started
and bound to 10.0.0.1.
3. Telnet to 10.0.0.1 80 and you get a connection! You can request a
document but get:
HTTP/1.1 400 Bad Request
Date: Tue, 05 Aug 2003 01:03:45 GMT
<h1>Bad Request (Invalid Verb)</h1>
Connection to host lost.
I guess that is the new kernel mode http.sys driver or whatever it's
called listening always - but does this strike anyone else as really bad
default behaviour for a the OS? What if there is an exploit in that
driver? Your machine would be vulnerable even with the individual web
David Connors (email@example.com)
Phone: +61 (7) 3210 6268
Facsimile: +61 (7) 3210 6269
Mobile: +61 417 189 363
Address: Level 2, 132 Albert Street
Brisbane, Queensland, 4000, Australia
Post: GPO Box 864
Brisbane, Queensland, 4001, Australia
Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!
With a growth rate exceeding 110%, the TICSA security practitioner
certification is one of the hottest IT credentials available. And now, for
a limited time, you can save 33% off of the TICSA certification exam! To
learn more about the TICSA certification, and to register as a TICSA
candidate online, just go to