From: Jean-Francois Prieur (jfp51ebeing.com)
Date: Wed Aug 08 2001 - 07:04:55 CDT

    Hello,

    I know the moderators have said that the Code Red discussion is closed,
    but I just found out an interesting piece of info for those people
    whose IIS 4 servers have been crashing even though they have been
    patched against Code Red.

    According to Shared Knowledge Limited's support services (I found this
    by searching in Google Groups, so they might not have been the first to
    find this out) and confirmed by Eddie Bowers of MS IIS support who
    responded in the newsgroups, if your IIS4 website is using URL
    redirection, you are still vulnerable to Code Red even if you are
    patched. The reason is that when you set IIS to redirect URLs, it will
    accept any URL and send a 302 HTTP status code (Object Moved). The
    *.ida?NNNNN... overflow still causes IIS to crash.
    Here is an excerpt from their messages:

    -------------
    If you are having problems and have not applied the patch, it may not
    work. Too many people have been applying the patch to no avail. The
    solution is as follows:

    1. Remove ALL redirected IIS websites and URLs from the server.
    2. Apply the patches.
    3. Reboot.

    The first point is the important one. Shared Knowledge have been
    investigating the issue now for some time and believe this is the
    solution. If you are still having any problems, please post back.

    Regards,

    Support Services
    Shared Knowledge Limited
    Advanced ASP Hosting www.sharedknowledge.net
    -------------------

    and here is the confirmation from MS

    ---------------
    From: keifremovethistoemailme.compulink.co.uk (Keif Gwinn)

    >I don't think this is a suitable fix... the other way to defend
    >against Code Red is to remove all .ida script mappings from the
    >webserver. Almost no one uses them any more...
    >Keif Gwinn

    Actually removing the script mappings will not avoid all the problems
    if you are running IIS4.
    Removing the redirections is currently the best solution (this is in
    addition to installing the fix or removing the script mappings).
    We are working on a real fix. Can't give an ETA yet.

    Eddie
    IIS Support
    --------------------

    So basically, if you are using URL redirection, Code Red WILL crash
    your machine. The only fix for now is to remove all URL redirections.
    Shared Knowledge have a script available to list all URL redirections
    on an IIS server; it requires Perl to run. You can find it at
    http://www.sharedknowledge.net/codered/checkredirect.bat

    If you have been affected by this, please send your Dr. Watson logs and
    user.dmp files to Eddie Bowers at the following address
    eddiebmicrosoft.com so they can issue a fix for the patch, as it seems
    that it is the Code Red patch that is causing this problem.

    Mods, this is the first time I post to this list, so if I should have
    sent it to another one, I apologise. I am sure some people with patched
    servers which are crashing might find this helpful.

    Jean-Francois Prieur,
    Project Manager,
    BNP Paribas

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
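
An added example, not part of the original message or of the Shared Knowledge script: a log check for the behaviour described above, where a site set up for URL redirection answers any URL, including `*.ida` requests, with a 302. It assumes the server writes W3C Extended logs with the `cs-uri-stem`, `cs-uri-query` and `sc-status` fields enabled and that the request was logged; the sample log and the function names are constructed for illustration.

```python
import io

# Constructed sample in W3C Extended log format (not taken from a real server).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-08 11:58:02 192.0.2.10 GET /index.asp - 200
2001-08-08 12:01:13 192.0.2.77 GET /default.ida NNNNNNNNNNNNNNNN 302
2001-08-08 12:03:40 192.0.2.78 GET /default.ida NNNNNNNNNNNNNNNN 404
#Fields: date time c-ip cs-uri-stem sc-status cs-uri-query
2001-08-08 12:10:05 192.0.2.79 /scripts/x.IDA 302 NNNNNNNN
2001-08-08 12:11:00 192.0.2.10 /old/page.htm 302 -
"""

def find_ida_requests(lines):
    """Yield a dict for every request whose URI stem ends in .ida.

    Column positions come from the most recent #Fields directive, because
    the logged fields are configurable and can change within one file.
    """
    fields = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, values))
        if not rec.get("cs-uri-stem", "").lower().endswith(".ida"):
            continue
        status = rec.get("sc-status", "")
        yield {
            "client": rec.get("c-ip", "?"),
            "stem": rec["cs-uri-stem"],
            "query_len": len(rec.get("cs-uri-query", "")),
            "status": status,
            # Per the message above, a redirected site answers any URL with 302.
            "redirected_site": status == "302",
        }

def redirected_hits(lines):
    """Return only the .ida requests that a redirected site answered with 302."""
    return [r for r in find_ida_requests(lines) if r["redirected_site"]]

if __name__ == "__main__":
    for hit in find_ida_requests(io.StringIO(SAMPLE_LOG)):
        print(hit)
```

Any record flagged `redirected_site` points at a site that still has a redirection configured, which is the configuration the message says to remove.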