Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: Windows Media Services Remote Command Execution #2
From: Brett Moore (brett.mooreSECURITY-ASSESSMENT.COM)
Date: Mon Jul 07 2003 - 14:17:47 CDT
Unfortunately I am unable to test that particular setup but based on the MS
advisory it would appear that the nsiislog.dll file is available only
the IIS /scripts folder.
"This logging capability is implemented as an Internet Services Application
Programming Interface (ISAPI) extension - nsiislog.dll. When Windows Media
Services are added through add/remove programs to Windows 2000, nsiislog.dll
is installed in the Internet Information Services (IIS) Scripts directory on
the server. Once Windows Media Services is installed, nsiislog.dll is
automatically loaded and used by IIS."
Therefore if the /scripts folder is not available to the Internet then the
vulnerable dll file can not be reached and can not be exploited remotely.
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQLISTSERV.NTBUGTRAQ.COM]On Behalf Of Jim Winchell
Sent: Thursday, 26 June 2003 8:03 a.m.
Subject: Re: Windows Media Services Remote Command Execution #2
Windows Media Server doesn't require IIS to be installed. IIS can be
installed on the same machine, but in that case, either Windows Media or IIS
have to be configured to use a different port for http since they can't both
share port 80.
Windows Media uses it's own built-in web server (Cougar) for streaming http
traffic rather than IIS. If IIS isn't installed, the /scripts directory
doesn't exist and nsiislog.dll is instead installed in
Can you confirm whether or not this affects Windows Media Servers that don't
running IIS or can nsiislog.dll still be exploited?
Brett Moore wrote:
> = Windows Media Services Remote Command Execution #2
> = brett.mooresecurity-assessment.com
> = http://www.security-assessment.com
> = MS Bulletin posted: June 25, 2003
> = http://www.microsoft.com/technet/security/bulletin/MS03-022.asp
> = Affected Software:
> = Microsoft Windows 2000
Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!
With a growth rate exceeding 110%, the TICSA security practitioner
certification is one of the hottest IT credentials available. And now, for
a limited time, you can save 33% off of the TICSA certification exam! To
learn more about the TICSA certification, and to register as a TICSA
candidate online, just go to