Safe(?) testing for idq.dll vulnerability

From: Chris St. Clair (chris_stclair@hotmail.com)
Date: 07/20/01


From: "Chris St. Clair" <chris_stclair@hotmail.com>
To: bugtraq@securityfocus.com
Subject: Safe(?) testing for idq.dll vulnerability
Date: Fri, 20 Jul 2001 01:59:28 +0000
Message-ID: <F181FMwr9y4cp51dyZS000011da@hotmail.com>

I had to come up with a way to test a server remotely for this
vulnerability without actually killing it and running the plethora
of exploit code that is out. This is what I have; hopefully someone
can use it.

Known Vulnerable Testing Platform
The first round of tests was run on a Windows 2000 Server running
IIS 5.0 (if anyone has similar analysis for IIS 4.0 I'd love to
see it) with AND without SP1 (no difference) not patched for MS01-033.

Results
Sending 1-219 bytes yields the error:
The IDQ file NULL.ida could not be found.
Nothing written to the event log.

Sending 220-231 bytes we get:
File .
Error 0xc0000005 caught while processing query
Nothing written to the event log.

Sending 232-??? bytes we get:
No response from web server.
System event log event ID 7031 from Service Control Manager.
IIS services are then stopped and restarted.

Known Invulnerable Testing Platform
Another system running Windows 2000 Server, IIS 5.0 with SP1 and
the patch for MS01-033.

Results
Sending 1-199 bytes yields the error:
The IDQ file NULL.ida could not be found.
Nothing written to the event log.

Sending 200-??? bytes we get:
File .
Error 0x80040e14 caught while processing query
Nothing written to the event log.

So, in summary, to test do the following:
send 200 bytes
if response = "Error 0x80040e14 caught while processing query" the
system is patched.
if response = "The IDQ file NULL.ida could not be found." the system
is not patched.

I can't take all the credit for figuring this out. Like most people,
I owe it all to the following bit of code:
#!/bin/sh
# Sends GET /NULL.ida?<N x's>=X for N = 1..200 to HOST:PORT.
# HOST and PORT are placeholders; set them to the server under test.
HOST=host
PORT=port
SIZE=1

while [ "$SIZE" -lt 201 ]; do
     # Build a string of SIZE 'x' characters
     BUFF=$(perl -e 'print "x" x $ARGV[0]' "$SIZE")
     # HTTP/1.1 request lines end in CRLF; printf avoids the non-portable echo -e
     printf 'GET /NULL.ida?%s=X HTTP/1.1\r\nHost: iluvpaul\r\n\r\n' "$BUFF" | \
          nc "$HOST" "$PORT"
     SIZE=$(expr "$SIZE" + 1)
done

-chris
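As an added example (not part of Chris's post), here is a single-probe version of the summary test above: it builds one 200-byte .ida query with CRLF line endings, sends it with nc, and maps the reply to patched/unpatched using the three error messages the post reports. The HOST and PORT arguments are placeholders you supply, "iluvpaul" is kept as the Host header from the post, and the 5-second nc -w timeout is an assumption of mine, not something the post specifies.

```shell
#!/bin/sh
# Added example: single 200-byte probe for the MS01-033 patch state of an
# IIS 5.0 server, based on the response strings reported in the post above.

# Build the raw HTTP request for a query parameter of SIZE bytes.
# HTTP/1.1 lines must end in CRLF, so printf is used instead of echo -e.
build_probe() {
    size=$1
    buff=$(awk -v n="$size" 'BEGIN { while (n-- > 0) printf "x" }')
    printf 'GET /NULL.ida?%s=X HTTP/1.1\r\nHost: iluvpaul\r\n\r\n' "$buff"
}

# Map a raw reply to one of: patched, unpatched, no-response, unknown.
# The three messages are the ones observed in the post; an empty reply
# corresponds to the "No response from web server" case it describes.
classify_response() {
    case "$1" in
        "")                                                 echo no-response ;;
        *"Error 0x80040e14 caught while processing query"*) echo patched ;;
        *"The IDQ file NULL.ida could not be found"*)       echo unpatched ;;
        # access violation, only seen on the unpatched box in the post
        *"Error 0xc0000005 caught while processing query"*) echo unpatched ;;
        *)                                                  echo unknown ;;
    esac
}

# Send the 200-byte probe to HOST PORT (placeholders) and print the verdict.
# Requires nc; -w 5 (assumed available) gives up after 5 s of silence so a
# non-responding server is reported as no-response instead of hanging.
probe_host() {
    host=$1
    port=${2:-80}
    reply=$(build_probe 200 | nc -w 5 "$host" "$port" 2>/dev/null)
    classify_response "$reply"
}
```

Usage is `probe_host <host> [port]`, for example `probe_host iis-test.example 80` with a placeholder hostname; it prints one word, and anything other than patched or unpatched means the reply did not match the post's observations and should be read by hand.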
