RE: new IIS exploit?

• Previous message: James C Slora Jr: "RE: Possible new Bugbear"
• Maybe in reply to: Alan Melia (Melmac): "RE: new IIS exploit?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 6 Feb 2004 19:47:38 -0800
To: <ssgill@gilltechnologies.com>, <jamie@nucdc.org>, <incidents@securityfocus.com>

It is either the .printer exploit, or a scan for possibly vulnerable
systems. If you sent just a GET for /NULL.printer and got back a certain
error response, you'd know that the .printer handler was enabled. You
could then proceed with the rest of the exploit. If that's all you're
getting, someone is probing for vulnerable systems. If you see that
followed by "Host:[bunch of padding and shell code]", then it is the
exploit.

-----Original Message-----
From: Sarbjit Singh Gill [mailto:ssgill@gilltechnologies.com]
Sent: Monday, February 02, 2004 5:13 PM
To: jamie@nucdc.org; incidents@securityfocus.com
Subject: RE: new IIS exploit?

It looks like an old exploit as well. I could be wrong. It was the
Internet
Printing ISAPI extension exploit on IIS5. Here is the article.
http://support.microsoft.com/default.aspx?scid=kb;en-us;296576

/Gill

-----Original Message-----
From: Jamie Pratt [mailto:jamie@nucdc.org]
Sent: Saturday, January 31, 2004 1:18 AM
To:
Subject: Re: new IIS exploit?

havent seen that one myself, but here is one i just found that I havent
seen
either...:

  /<Rejected-By-UrlScan> ~/NULL.printer 404

regards,
jamie

------------------------------------------------------------------------

---
------------------------------------------------------------------------
----
---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection
Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.
Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.
Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
----------------------------------------------------------------------------

• Previous message: James C Slora Jr: "RE: Possible new Bugbear"
• Maybe in reply to: Alan Melia (Melmac): "RE: new IIS exploit?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Mac Server Hacked In Less Than 6 Hours ... Windows has RAS, and for it is built in since NT 3.1 ... | A typical IIS box and this Mac are not the same thing so the comparison ... IIS has been subject to quite a few bugs and so have ... Security isn't a proprietary attribute. ... (sci.crypt) Re: DCOM calls fails - access denied ... That's exactly how I understood the ASP.NET security. ... But why does one configuration work but not the other? ... should get the token from IIS. ... If you set there a domain account, ... (microsoft.public.dotnet.framework.aspnet.security) Re: How to secure IIS? ... XP as well, because even if you don't install IIS, there are still a number ... If you think Windows 98 is secure, ... easy to attack, if there's no firewall... ... IIS security checklists] 3) install firewall and antivirus, ... (microsoft.public.inetserver.iis.security) RE: .pdf security using ASP.NET security... ... I am wondering if using the aspnet_isapi.dll to handle PDF files security ... IIS has a list of Application Mappings which dictate whether a particular ... entries that tell aspnet_isapi.dll what to do with various file types. ... Files that do have app mappings require all the same steps, ... (microsoft.public.dotnet.framework.aspnet.security) Re: impact of mapping .??? to ASP.NET ISAPI??? ... security issue, either from ASP.NET or IIS (this is something that my ISP ... > entries that tell aspnet_isapi.dll what to do with various file types. ... > process the request. ... (microsoft.public.dotnet.framework.aspnet.security)