Re: Article on WebDAV Vulnerability (MS03-007)
From: Matt Scarborough (vexversa@verizon.net)
Date: 03/28/03
- Next message: Jami: "PIX VPN, & Windows domain"
- Previous message: Scott: "Re: Certificate Creation Error - help!"
- In reply to: Karl Levinson [x y] mvp: "Re: Article on WebDAV Vulnerability (MS03-007)"
- Next in thread: Karl Levinson [x y] mvp: "Re: Article on WebDAV Vulnerability (MS03-007)"
- Reply: Karl Levinson [x y] mvp: "Re: Article on WebDAV Vulnerability (MS03-007)"
From: Matt Scarborough <vexversa@verizon.net>
Date: Fri, 28 Mar 2003 05:42:55 +0000
On Mon, 24 Mar 2003 16:34:07 -0500, Karl Levinson [x y] mvp wrote:
<#X4lw1k8CHA.2040@TK2MSFTNGP10.phx.gbl>
> The advice from Matt Scarborough stating that URLScan does not limit URL
> length AFAIK is not exactly correct. Nor is the advice from Microsoft to
> use the MaxURL setting in URLScan entirely correct. My understanding from
> the various Microsoft articles on URLScan is that the MaxURL setting was
> only introduced in URLScan 2.5 [which is not the version bundled with IIS
> Lockdown].
The points I wanted to clarify to Russ in an e-mail that made their way into a
public FAQ verbatim and slightly out of context were:
1) MaxClientRequestBuffer was missing from his FAQ. Setting
MaxClientRequestBuffer was the quickest and dirtiest and most effective fix
available for those who could not patch immediately. Microsoft's
setmaxurllength.exe tool made this a breeze.
2) URLScan blocked by default the known attack tool not by limiting the URL
length, but by stripping out % and \ characters or disabling WebDAV (or WebDAV
verbs). This blocked the exploit, but in some configurations left IIS open to
DoS. We see today some of the exploits and <ahem> testing tools that do not send
shellcode, such as the ones ripped from Nessus script 11412, can crash IIS even
with IISLockD 2.1/URLScan 2.0.
When someone is drowning, it is not a good time to teach them to swim. Deploying
IISLockD 2.1/URLScan 2.0, and then deploying URLScanSRP/URLScan2.5 on top (to
obtain Query String or URL length limits) was simply an unwarranted waste of
time when faced with a mutating 0-day attack.
This means, BTW, that I mostly agree with your observations. I just wanted to
clarify the above.
> URLScan 2.1 also limits the MaxURL setting to a pretty small
> amount, but this is hard coded into the .DLL, not using the MaxURL setting.
> URLScan 2.0 and 1.0 may include this feature, but unfortunately there's no
> documentation from Microsoft to confirm this for you.
>
> Personally if I was Microsoft, I might have included this information a
> little more prominently. The MS03-007 articles all simply state that
> "URLScan with the default settings will block this." Unfortunately, though,
> most people don't use the default settings.
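The thread turns on which URLScan settings actually covered the MS03-007 WebDAV overflow: a URL length cap (MaxUrl, URLScan 2.5 only), denial of the % and \ URL sequences, and blocking of the WebDAV verbs. The script below is an added example, not code from the thread, from Microsoft or from any URLScan release: it parses a urlscan.ini and reports whether each of those three mitigations is in effect, so an administrator can see at a glance which of the "default settings" the MS03-007 articles rely on have survived local edits. The section and key names ([options]/UseAllowVerbs, [AllowVerbs], [DenyVerbs], [DenyUrlSequences], [RequestLimits]/MaxUrl), the list of WebDAV verbs, and both sample configurations are assumptions constructed for the example.

```python
"""Added example: audit a urlscan.ini for the mitigations discussed above.

Reports whether a given URLScan configuration
  - caps URL length (MaxUrl under [RequestLimits], a URLScan 2.5 setting),
  - denies the '%' and '\\' sequences ([DenyUrlSequences]), and
  - blocks the WebDAV verbs (UseAllowVerbs=1 with a short [AllowVerbs] list,
    or every DAV verb present in [DenyVerbs]).
Section/key names are assumptions based on the urlscan.ini layout, not
taken from the thread or from Microsoft documentation.
"""

# WebDAV request methods; assumed list for the example, not from the thread.
WEBDAV_VERBS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                "LOCK", "UNLOCK", "SEARCH"}


def parse_urlscan_ini(text):
    """Parse urlscan.ini into {section_lowercase: [(key, value_or_None)]}.

    List sections ([DenyVerbs], [DenyUrlSequences], ...) hold bare tokens
    with no '='; those are stored with value None and their case kept.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
            continue
        if current is None:                      # data before any section
            continue
        if "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current].append((key.lower(), value))
        else:
            sections[current].append((line, None))
    return sections


def option(sections, section, key, default=None):
    """Return the value of a key=value entry in a section, or default."""
    for k, v in sections.get(section.lower(), []):
        if v is not None and k == key.lower():
            return v
    return default


def tokens(sections, section):
    """Return the bare tokens listed in a list-style section."""
    return {k for k, v in sections.get(section.lower(), []) if v is None}


def audit(ini_text):
    """Return a dict of the three mitigation checks, True when in effect."""
    s = parse_urlscan_ini(ini_text)

    max_url = option(s, "RequestLimits", "MaxUrl")
    length_capped = (max_url is not None and max_url.isdigit()
                     and int(max_url) > 0)

    seqs_denied = {"%", "\\"} <= tokens(s, "DenyUrlSequences")

    # Allow-list mode (UseAllowVerbs=1) is assumed to be URLScan's default.
    if option(s, "options", "UseAllowVerbs", "1") == "1":
        allowed = {t.upper() for t in tokens(s, "AllowVerbs")}
        dav_blocked = not (allowed & WEBDAV_VERBS)
    else:
        denied = {t.upper() for t in tokens(s, "DenyVerbs")}
        dav_blocked = WEBDAV_VERBS <= denied

    return {"url_length_limited": length_capped,
            "percent_and_backslash_denied": seqs_denied,
            "webdav_verbs_blocked": dav_blocked}


# Constructed sample configurations (not real shipped urlscan.ini files).
LOOSE_INI = r"""
[options]
UseAllowVerbs=0

[DenyVerbs]
PUT
DELETE

[DenyUrlSequences]
..
./
"""

HARDENED_INI = r"""
[options]
UseAllowVerbs=1

[AllowVerbs]
GET
HEAD
POST

[DenyUrlSequences]
..
./
\
:
%
&

[RequestLimits]
MaxUrl=260
"""

if __name__ == "__main__":
    for name, ini in (("loose", LOOSE_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini))
```

Run it against a real urlscan.ini by reading the file into `audit()`; a False in the result for "webdav_verbs_blocked" or "percent_and_backslash_denied" is exactly the "not using the default settings" situation Karl describes, and a False for "url_length_limited" on URLScan 2.0/2.1 is expected, since MaxUrl only exists from 2.5 on.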