Safe(?) .ida vuln. testing for IIS 4.0

From: Chris St. Clair (chris_stclair@hotmail.com)
Date: 07/24/01


From: "Chris St. Clair" <chris_stclair@hotmail.com>
To: bugtraq@securityfocus.com
Subject: Safe(?) .ida vuln. testing for IIS 4.0
Date: Tue, 24 Jul 2001 19:59:50 +0000
Message-ID: <F236yg3xCb674hvph680000570c@hotmail.com>

After several bouts trying to get my laptop's second hard drive to
run NT 4.0, and then an hour long search for the NT Option Pack,
this is what I was able to come up with to test for the .ida
vulnerability in IIS 4.0.

Tested on Windows NT 4.0 SP6a, IIS 4.0 - no patches at all

Sending 1-212 bytes we get:
Error "The IDQ file C:\Inetpub\wwwroot\NULL.ida could not be found.
" (0xc000203e) encountered while processing the query
Nothing in the event log.

Sending 213-231 bytes we get:
Error "File .
Error 0xc0000005 caught while processing the query
" (0xc0000005) encountered while processing the query
Nothing in the event log.

Sending 232 bytes crashes the web service.
Nothing in the event log.

Tested on Windows NT 4.0 SP6a, IIS 4.0 + MS01-033 patch

Sending 1-199 bytes we get:
Error "The IDQ file NULL.ida could not be found.
" (0xc000203e) encountered while processing the query
(also note the lack of the full path to the .ida file)
Nothing in the event log.

Sending 200-??? bytes we get:
Error "File .
Query tree contained one or more errors
" (0x80040e14) encountered while processing the query
Nothing in the event log.

So we can test by sending a 200 byte request:
if response = 0xc000203e the server is probably not patched
if response = 0x80040e14 the server is probably patched (same for IIS
5.0)

Hope this helps. And if anyone has come up with something else
I'd love to hear about it.

I'd like to thank paul@moquijo.com for lending an ear this morning
when I was lost in Microsoft's download center looking for the NT
option pack. Thanks Paulie.

--chris

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp