NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > NTBugtraq> 2003-q3

Re: Windows Media Services Remote Command Execution #2

From: Brett Moore (brett.mooreSECURITY-ASSESSMENT.COM)
Date: Mon Jul 07 2003 - 14:17:47 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jim

Unfortunately I am unable to test that particular setup but based on the MS
advisory it would appear that the nsiislog.dll file is available only
through
the IIS /scripts folder.

"This logging capability is implemented as an Internet Services Application
Programming Interface (ISAPI) extension - nsiislog.dll. When Windows Media
Services are added through add/remove programs to Windows 2000, nsiislog.dll
is installed in the Internet Information Services (IIS) Scripts directory on
the server. Once Windows Media Services is installed, nsiislog.dll is
automatically loaded and used by IIS."

Therefore if the /scripts folder is not available to the Internet then the
vulnerable dll file can not be reached and can not be exploited remotely.

Regards
Brett Moore
www.security-assessment.com

-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQLISTSERV.NTBUGTRAQ.COM]On Behalf Of Jim Winchell
Sent: Thursday, 26 June 2003 8:03 a.m.
To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
Subject: Re: Windows Media Services Remote Command Execution #2

Windows Media Server doesn't require IIS to be installed. IIS can be
installed on the same machine, but in that case, either Windows Media or IIS
have to be configured to use a different port for http since they can't both
share port 80.

Windows Media uses it's own built-in web server (Cougar) for streaming http
traffic rather than IIS. If IIS isn't installed, the /scripts directory
doesn't exist and nsiislog.dll is instead installed in
%windir%\system32\Windows Media\Server.
Can you confirm whether or not this affects Windows Media Servers that don't
running IIS or can nsiislog.dll still be exploited?

Thanks,
Jim Winchell

Brett Moore wrote:

> ========================================================================
> = Windows Media Services Remote Command Execution #2
> =
> = brett.mooresecurity-assessment.com
> = http://www.security-assessment.com
> =
> = MS Bulletin posted: June 25, 2003
> = http://www.microsoft.com/technet/security/bulletin/MS03-022.asp
> =
> = Affected Software:
> = Microsoft Windows 2000
etc..

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!

With a growth rate exceeding 110%, the TICSA security practitioner
certification is one of the hottest IT credentials available. And now, for
a limited time, you can save 33% off of the TICSA certification exam! To
learn more about the TICSA certification, and to register as a TICSA
candidate online, just go to

http://www.trusecure.com/offer/s0100/

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]