RE: IIS Search Method Overflow being revisted?

From: Levinson, Karl (Karl.Levinson_at_dhs.gov)
Date: 03/25/04

    To: 'Rohny Jotton' <rohnyjotton@hotmail.com>, incidents@securityfocus.com
    Date: Thu, 25 Mar 2004 11:25:13 -0500
    
    

    A Google search suggests a possible attempt to exploit the MS03-007 NTDLL
    vulnerability [via WebDAV] from February 2003.

    http://archives.neohapsis.com/archives/sf/pentest/2003-03/0109.html
    http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.jb.html
    http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

    Possibly we're seeing an increase of this now due to Agobot / Gaobot /
    Polybot scans, as some variants can exploit this vulnerability. I believe
    new Agobot / Gaobot variants are being discovered sometimes at a rate of
    several per day.

    I would suspect that if you checked your IDS logs or could run Ethereal
    packet captures through an IDS like Snort, the year-old NTDLL signatures
    might help you confirm what this is. Another post I believe in the
    microsoft.public today mentioned a different payload:
    SEARCH /AAAAAAA....

    As you may already know, if you're using IIS 4 or 5, I strongly recommend
    running URLScan and the other security recommendations that are all free
    from www.microsoft.com/technet/security

    - karl

    -----Original Message-----
    From: Rohny Jotton [mailto:rohnyjotton@hotmail.com]
    Sent: Thursday, March 25, 2004 10:45 AM
    To: incidents@securityfocus.com
    Subject: IIS Search Method Overflow being revisted?

    In the last 24 hours, I've logged two instances of "SEARCH /....(many more)"
    on my web server from two different networks resulting in a 501 being
    returned.

    When googling, the only thing I can relate to it is an Overflow attempt from
    2001 (Georgi Guninski).

    I do not see any prior attempts. I just thought inquiring minds ought to
    know...
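
One way to run the log check discussed in this thread, as an added example that is not part of either poster's message: it scans W3C extended-format web server logs for SEARCH requests with an overlong or filler-heavy URI and groups them by client address. The field names are the standard W3C ones; the sample log, the thresholds (`max_uri_len`, `min_run`) and the function names are assumptions made for illustration.

```python
from collections import defaultdict
from itertools import groupby

# Constructed sample log: documentation-range addresses, not real traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-03-24 22:10:03 192.0.2.15 GET /index.html 200
2004-03-24 23:41:17 198.51.100.7 SEARCH /{a} 501
2004-03-25 02:05:44 203.0.113.9 SEARCH /{b} 501
2004-03-25 02:06:01 192.0.2.15 SEARCH /docs 501
""".format(a="A" * 600, b="A" * 2000)

def parse_w3c(lines):
    """Yield one dict per request row, keyed by the latest #Fields: directive."""
    fields = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def longest_run(text):
    """Length of the longest run of one repeated character (filler such as AAAA...)."""
    return max((len(list(group)) for _, group in groupby(text)), default=0)

def find_long_search(lines, max_uri_len=260, min_run=64, methods=("SEARCH",)):
    """Return {client_ip: [(date, time, uri_len, run, status), ...]}."""
    # max_uri_len and min_run are assumed thresholds; tune them to local traffic.
    hits = defaultdict(list)
    for row in parse_w3c(lines):
        uri = row.get("cs-uri-stem", "")
        if row.get("cs-method", "").upper() not in methods:
            continue
        run = longest_run(uri)
        if len(uri) > max_uri_len or run >= min_run:
            hits[row.get("c-ip", "?")].append(
                (row.get("date"), row.get("time"), len(uri), run, row.get("sc-status")))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in find_long_search(SAMPLE_LOG.splitlines()).items():
        print(ip, events)
```

Short SEARCH requests such as `/docs` are left out of the result, so the output lists only the sources worth correlating with IDS alerts or packet captures.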


