Safe(?) .ida vuln. testing for IIS 4.0

From: Chris St. Clair (chris_stclair@hotmail.com)
Date: 07/24/01


From: "Chris St. Clair" <chris_stclair@hotmail.com>
To: bugtraq@securityfocus.com
Subject: Safe(?) .ida vuln. testing for IIS 4.0
Date: Tue, 24 Jul 2001 19:59:50 +0000
Message-ID: <F236yg3xCb674hvph680000570c@hotmail.com>

After several bouts trying to get my laptop's second hard drive to
run NT 4.0, and then an hour long search for the NT Option Pack,
this is what I was able to come up with to test for the .ida
vulnerability in IIS 4.0.

Tested on Windows NT 4.0 SP6a, IIS 4.0 - no patches at all

Sending 1-212 bytes we get:
Error "The IDQ file C:\Inetpub\wwwroot\NULL.ida could not be found.
" (0xc000203e) encountered while processing the query
Nothing in the event log.

Sending 213-231 bytes we get:
Error "File .
Error 0xc0000005 caught while processing the query
" (0xc0000005) encountered while processing the query
Nothing in the event log.

Sending 232 bytes crashes the web service.
Nothing in the event log.

Tested on Windows NT 4.0 SP6a, IIS 4.0 + MS01-033 patch

Sending 1-199 bytes we get:
Error "The IDQ file NULL.ida could not be found.
" (0xc000203e) encountered while processing the query
(also note the lack of the full path to the .ida file)
Nothing in the event log.

Sending 200-??? bytes we get:
Error "File .
Query tree contained one or more errors
" (0x80040e14) encountered while processing the query
Nothing in the event log.

So we can test by sending a 200 byte request:
if response = 0xc000203e the server is probably not patched
if response = 0x80040e14 the server is probably patched (same for IIS 5.0)

Hope this helps. And if anyone has come up with something else
I'd love to hear about it.

I'd like to thank paul@moquijo.com for lending an ear this morning
when I was lost in Microsoft's download center looking for the NT
option pack. Thanks Paulie.

--chris
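The check described in the post (send a 200-byte request for a non-existent .ida file, then read the error code out of the reply) can be turned into a small patch-status verifier for your own IIS 4.0 host. The following is an added example, not code from the original post: the request path format (`/NULL.ida?` followed by 200 filler bytes), the cap at 212 bytes, the full-path heuristic and the sample response bodies are assumptions reconstructed from the error text quoted above, and `probe_server` is a hypothetical helper name.

```python
"""Classify IIS 4.0 .ida error replies as probably patched / probably unpatched (MS01-033).

Added example: the error codes and messages come from the post above; everything else
(path format, length cap, sample bodies) is an assumption labelled as such.
"""
import http.client
import re
from typing import Optional

# Codes quoted in the post for a 200-byte .ida request
IDQ_NOT_FOUND = 0xC000203E       # unpatched: "The IDQ file ... could not be found"
QUERY_TREE_ERRORS = 0x80040E14   # patched:   "Query tree contained one or more errors"
ACCESS_VIOLATION = 0xC0000005    # unpatched, 213-231 byte range only

# The post reports 1-212 bytes as harmless on an unpatched server and 232 as a crash,
# so the verifier refuses anything longer than 212 and defaults to the post's 200.
SAFE_PROBE_LENGTH = 200
MAX_PROBE_LENGTH = 212

# "(0xc000203e) encountered while processing the query" -> captures the hex code
_CODE_RE = re.compile(r"\(0x([0-9a-fA-F]{8})\)\s+encountered while processing the query")
# Unpatched IIS echoed the on-disk path (C:\Inetpub\wwwroot\NULL.ida); patched did not
_DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\")


def build_probe_path(length: int = SAFE_PROBE_LENGTH, name: str = "NULL.ida") -> str:
    """Request path for the check: a non-existent .ida file plus `length` query bytes (assumed format)."""
    if length > MAX_PROBE_LENGTH:
        raise ValueError("probes longer than 212 bytes are unsafe against an unpatched IIS 4.0")
    return f"/{name}?{'A' * length}"


def extract_error_code(body: str) -> Optional[int]:
    """Pull the parenthesised 0x... code out of the IDQ error text, or None if absent."""
    m = _CODE_RE.search(body)
    return int(m.group(1), 16) if m else None


def leaks_full_path(body: str) -> bool:
    """Secondary signal from the post: only the unpatched server disclosed the drive path."""
    return _DRIVE_PATH_RE.search(body) is not None


def classify(body: str) -> str:
    """Map the reply to a 200-byte probe onto the post's two outcomes."""
    code = extract_error_code(body)
    if code == QUERY_TREE_ERRORS:
        return "probably patched"
    if code in (IDQ_NOT_FOUND, ACCESS_VIOLATION):
        return "probably unpatched"
    return "indeterminate"


def probe_server(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the post's 200-byte request to your own server and classify the reply (hypothetical helper)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", build_probe_path(), headers={"Host": host})
        body = conn.getresponse().read().decode("latin-1", errors="replace")
    finally:
        conn.close()
    return classify(body)


# Constructed sample bodies, assembled from the error messages quoted in the post
SAMPLE_UNPATCHED = ('Error "The IDQ file C:\\Inetpub\\wwwroot\\NULL.ida could not be found.\n'
                    '" (0xc000203e) encountered while processing the query')
SAMPLE_PATCHED = ('Error "File .\nQuery tree contained one or more errors\n'
                  '" (0x80040e14) encountered while processing the query')

if __name__ == "__main__":
    for label, body in (("unpatched sample", SAMPLE_UNPATCHED), ("patched sample", SAMPLE_PATCHED)):
        print(f"{label}: {classify(body)} (full path disclosed: {leaks_full_path(body)})")
```

Run against a server you administer with `probe_server("your-iis-host")`; the classifier only means anything for a probe in the post's 200-byte range, which is why the length cap is enforced in `build_probe_path` rather than left to the caller.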



