Windows 2003 IIS IP Binding - Bad default behaviour/security problem ...
From: David Connors (Public Mail) (davidc_at_CODIFY.COM)
Date: 08/05/03
- Previous message: Steve Shockley: "Re: Remote rollout script for ms03-026"
- Next in thread: Russ: "Re: Windows 2003 IIS IP Binding - Bad default behaviour/security problem ..."
- Maybe reply: Russ: "Re: Windows 2003 IIS IP Binding - Bad default behaviour/security problem ..."
Date: Tue, 5 Aug 2003 11:10:39 +1000
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Hi,
Has anyone else noticed this strange/poor behaviour in Windows Server
2003?
1. Bind two IP addresses to your server, let's call these 10.0.0.1 and
10.0.0.2.
2. Bind a web site to 10.0.0.2. Ensure no other web sites are started
and bound to 10.0.0.1.
3. Telnet to 10.0.0.1 80 and you get a connection! You can request a
document but get:
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Tue, 05 Aug 2003 01:03:45 GMT
Connection: close
Content-Length: 35
<h1>Bad Request (Invalid Verb)</h1>
Connection to host lost.
I guess that is the new kernel mode http.sys driver or whatever it's
called listening always - but does this strike anyone else as really bad
default behaviour for the OS? What if there is an exploit in that
driver? Your machine would be vulnerable even with the individual web
sites stopped!
David Connors (davidc@codify.com)
Software Engineer
Codify
Phone: +61 (7) 3210 6268
Facsimile: +61 (7) 3210 6269
Mobile: +61 417 189 363
Address: Level 2, 132 Albert Street
Brisbane, Queensland, 4000, Australia
Post: GPO Box 864
Brisbane, Queensland, 4001, Australia
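
Added example, not part of the original message: a Python audit of the condition described in steps 1-3, run against your own server, which reports every configured address that answers on port 80 although no started site is bound to it. The function names, the HEAD request and the timeout are assumptions of this example; the addresses in the main block are the ones used in the post.

```python
import socket

def probe(addr, port=80, timeout=2.0):
    """Return the first response line if addr:port accepts a TCP connection
    ('' if it accepts but sends nothing), or None if nothing is listening."""
    try:
        s = socket.create_connection((addr, port), timeout=timeout)
    except OSError:          # refused, unreachable or timed out
        return None
    with s:
        try:
            s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            data = s.recv(256)
        except OSError:      # accepted, then reset or silent
            data = b""
    return data.split(b"\r\n", 1)[0].decode("latin-1")

def audit(host_addrs, site_bindings, port=80, timeout=2.0):
    """host_addrs: every IP address configured on the server.
    site_bindings: addresses that have a started web site bound to them.
    Returns {addr: response_line} for addresses that answer on the port
    even though no site is bound there (the behaviour in step 3)."""
    findings = {}
    for addr in host_addrs:
        if addr in site_bindings:
            continue         # a listener here is expected
        status = probe(addr, port, timeout)
        if status is not None:
            findings[addr] = status
    return findings

if __name__ == "__main__":
    # Scenario from the post: two addresses, site bound to 10.0.0.2 only.
    for addr, status in audit(["10.0.0.1", "10.0.0.2"], {"10.0.0.2"}).items():
        print(f"{addr}:80 answers with no site bound: {status!r}")
```

An empty result means the listening addresses match the intended site bindings; any entry is an address where the listener is reachable regardless of site state and should be restricted or filtered.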