From: Jean-Francois Prieur (jfp51 ebeing.com)
Date: Wed Aug 08 2001 - 07:04:55 CDT
Hello,
I know the moderators have said that the Code Red discussion is closed,
but I just found out an interesting piece of info for those people
whose IIS 4 servers have been crashing even though they have been
patched against Code Red.
According to Shared Knowledge Limited's support services (I found this
by searching in Google Groups, so they might not have been the first to
find this out) and confirmed by Eddie Bowers of MS IIS support who
responded in the newsgroups, if your IIS4 website is using URL
redirection, you are still vulnerable to Code Red even if you are
patched. The reason is that when you set IIS to redirect URLs, it will
accept any URL and send a 302 HTTP status code (Object Moved). The
*.ida?NNNNN... overflow still causes IIS to crash.
Here is an excerpt from their messages:
-------------
If you are having problems and have not applied the patch, it may not work.
Too many people have been applying the patch to no avail. The solution is as
follows:
1. Remove ALL redirected IIS websites and URLs from the server.
2. Apply the patches.
3. Reboot.
The first point is the important one. Shared Knowledge have been
investigating the issue now for some time and believe this is the solution.
If you are still having any problems, please post back.
Regards,
Support Services
Shared Knowledge Limited
Advanced ASP Hosting www.sharedknowledge.net
-------------------
and here is the confirmation from MS
---------------
From: keif removethistoemailme.compulink.co.uk (Keif Gwinn)
>I don't think this is a suitable fix... the other way to defend against
>Code Red is to remove all .ida script mappings from the webserver.
>Almost no one uses them any more...
>Keif Gwinn
Actually removing the script mappings will not avoid all the problems
if you are running IIS4.
Removing the redirections is currently the best solution (this is in
addition to installing the fix or removing the script mappings)
We are working on a real fix. Can't give an ETA yet.
Eddie
IIS Support
--------------------
So basically, if you are using URL redirection, Code Red WILL crash
your machine. The only fix for now is to remove all URL redirections.
Shared Knowledge have a script available to list all URL redirections
on an IIS server; it requires Perl to run. You can find it at
http://www.sharedknowledge.net/codered/checkredirect.bat
If you have been affected by this, please send your Dr. Watson logs and
user.dmp files to Eddie Bowers at the following address:
eddieb microsoft.com so they can issue a fix for the patch, as it seems
that it is the Code Red patch that is causing this problem.
Mods, this is the first time I post to this list, so if I should have
sent it to another one, I apologise. I am sure some people with patched
servers which are crashing might find this helpful.
Jean-Francois Prieur,
Project Manager,
BNP Paribas
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
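
An added example, not part of the original post and not Shared Knowledge's checkredirect script: a Python check that reads an IIS log and counts, per client address, the .ida requests that were answered with 302, which is the redirect behaviour the post describes. It assumes the log is in W3C extended format with the c-ip, cs-uri-stem and sc-status fields enabled; the sample lines are constructed and the function names are this example's own.

```python
# Added example: flag .ida requests answered with 302 in IIS W3C extended logs.
from collections import Counter

# Constructed sample log (not from a real server); query strings shortened.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-08 11:58:02 192.0.2.10 GET /default.ida NNNNNNNNNNNNNNNN 302
2001-08-08 11:58:40 192.0.2.77 GET /index.asp - 200
2001-08-08 11:59:13 192.0.2.10 GET /default.ida NNNNNNNNNNNNNNNN 302
2001-08-08 12:01:27 198.51.100.5 GET /default.ida NNNNNNNNNNNNNNNN 404
2001-08-08 12:03:51 198.51.100.9 GET /old/page.htm - 302
"""

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def redirected_ida_hits(text):
    """Return a Counter of client IPs whose .ida requests were answered with 302."""
    hits = Counter()
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        if stem.endswith(".ida") and row.get("sc-status") == "302":
            hits[row.get("c-ip", "?")] += 1
    return hits

if __name__ == "__main__":
    for ip, count in redirected_ida_hits(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} .ida request(s) answered with 302")
```

A request that takes the service down may never be written to the log, so an empty result does not show that a redirecting site is unaffected.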