Subject: FW: DVWSSR.dll Vulnerability and revised MS00-025
From: Steve (steve at SECURESOLUTIONS.ORG)
Date: Mon Apr 17 2000 - 08:24:31 CDT
-----Original Message-----
From: Windows NTBugtraq Mailing List [mailto:NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM] On Behalf Of Russ
Sent: Sunday, April 16, 2000 8:03 AM
To: NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM
Subject: Re: DVWSSR.dll Vulnerability and revised MS00-025
>Ok, here's a breaking update.
>
>Latest reports say that there is
>
>NO VULNERABILITY IN DVWSSR.DLL
While I felt right at the time, now we know that that statement is clearly
wrong.
Due to some amazingly quick work by the folks at CORE-SDI, Microsoft have
revised their Security Bulletin MS00-025;
http://www.microsoft.com/technet/security/bulletin/ms00-025.asp
to reflect their confirmation of the first CORE-SDI finding. Namely, that
connecting to DVWSSR.DLL and sending it some 5000 characters causes a buffer
overrun which then prevents the web server from being able to process
further connection attempts.
In my independent tests of a default installation of NT 4.0, IIS 4.0 (from
the NT 4.0 Option Kit using the "Typical" installation options), and SP4
(128-bit) I have been *unable* to reproduce the Denial of Service. Every
attempt to use the CORE-SDI script, or variations of it, has resulted in a
401 - Unauthorized HTTP error. The server continues to process requests as
if nothing had happened. The "Typical" installation installs FP98
extensions, enables the default web site as a Front Page Web, and installs
the DVWSSR.DLL.
Please note, I'm either doing something wrong (although several different
people have confirmed the same inability to exploit a default installation)
or some other modification to the default installation must take place
before you become susceptible to the attack. I find some reassurance in the
fact the script does not seem to exploit a default installation, but of
course I'm leery since both CORE-SDI and Microsoft say it's possible. I have
so far been unable to determine what exactly it takes for a site to be
vulnerable to this problem.
In Microsoft's revised Security Bulletin they further state they are
continuing to investigate CORE-SDI's claims about being able to run
arbitrary code via DVWSSR.DLL. CORE-SDI noted they had to put the .dll into
a different directory before they were able to run arbitrary code. Why that
is has yet to be determined.
Microsoft's original recommendation to remove DVWSSR.DLL still stands
according to the revised bulletin. As they state, you should use the "Find"
command to ensure you remove all occurrences of DVWSSR.DLL. They've also
widened the scope of possibly affected machines to any machine which has any
of the following installed:
- NT 4.0 Option Kit
- Windows 95 and 98 Personal Web Server
- Front Page 98 Server Extensions
This would include the following CD distributions:
- NT 4.0 Option Kit
- Front Page 98
- Visual InterDev 1.0
CORE-SDI took the opportunity to take a jab at my comments about immediate
disclosure, suggesting that had it not been for all of the hype surrounding
RFP's advisory, they never would have looked at the .DLL in the first place.
Well, clearly the initial reports of a vulnerability in DVWSSR.DLL were
hype. The "Secret Backdoor Password" story needed to be shot down when it
was determined it was untrue.
The vulnerability that CORE-SDI has uncovered appears to be totally
unrelated to that "issue", beyond it being in the same .DLL. If CORE-SDI
requires the names of .DLLs to investigate to be prompted to look into them,
I can start a questionable-DLL-of-the-day program to prompt them/others. If
the philosophy is that if there is one potential problem in a .DLL there are
likely exploits, then they should take the manifest for any Service Pack and
go through those "fixed" programs looking for other exploits.
We certainly don't need to have a non-issue hyped in every media outlet
around the world. Attempts to warn people about the *real* issue are going
to meet with resistance after the confusion that I, and others, have
created.
I could have just kept quiet and not tried to clarify the veracity of the
"Secret Backdoor Password" issue. The result would have been a
recommendation to remove the file, and everyone would have been safe from
the CORE-SDI discovered vulnerability. I didn't go to WSJ, they came to me
with the story (ergo, someone else went to them with the details...wonder
who?). Once the story broke, every other media outlet picked it up and if it
wasn't for the Stock Market crash, it would have been an even bigger story
than it was.
I still say that if there had been more time for MS to investigate the issue
before it went public the original hype wouldn't have happened. If that
meant that CORE-SDI wouldn't have looked at DVWSSR.DLL, and therefore
wouldn't have found the buffer overrun, then I think that's a problem with
how some investigators decide what they'll investigate rather than a
disservice to the community as a whole. If we're going to yell "Fire", then
there should at least be a real fire to point at.
I apologize for how things transpired, I wish it had been different. I don't
think, however, that I'll do it any different in the future. If I've got
info about something that's already in the public realm, I'm going to do my
best to give you what I know.
Cheers,
Russ - NTBugtraq Editor
"dot-age" (as in "we're in the dot-age") = senility (source Webster's)
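As an added example (not part of Russ's message or of the list archive), the following Python scans IIS W3C extended log lines for requests to DVWSSR.DLL and separates oversized requests that the server answered with 401 (the behaviour Russ reports on a default install) from oversized requests that reached the DLL and from ordinary probes for it. The sample log, the client IPs and the /_vti_bin/_vti_aut/ path are constructed or assumed, not taken from the message.

```python
"""Flag DVWSSR.DLL traffic in IIS W3C extended log lines (constructed sample)."""
from collections import Counter

# The bulletin discussion puts the overrun at roughly 5000 characters.
OVERRUN_LEN = 5000

# Constructed IIS 4.0 W3C log excerpt; hosts, IPs and the FrontPage path are assumed.
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-04-16 13:03:10 10.0.0.7 GET /default.htm - 200
2000-04-16 13:03:12 10.0.0.7 GET /_vti_bin/_vti_aut/dvwssr.dll {q} 401
2000-04-16 13:04:01 10.0.0.9 GET /_vti_bin/_vti_aut/dvwssr.dll {q} 200
2000-04-16 13:04:05 10.0.0.9 GET /_vti_bin/_vti_aut/dvwssr.dll short=1 404
""".format(q="A" * OVERRUN_LEN)


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))


def classify(rec):
    """Label a record, or return None if it is not DVWSSR.DLL traffic."""
    if not rec.get("cs-uri-stem", "").lower().endswith("dvwssr.dll"):
        return None
    query = rec.get("cs-uri-query", "-")
    qlen = 0 if query == "-" else len(query)   # W3C logs write "-" for no query
    if qlen >= OVERRUN_LEN and rec.get("sc-status") == "401":
        return "oversized-rejected-401"   # auth stopped it, as on Russ's default install
    if qlen >= OVERRUN_LEN:
        return "oversized-reached-dll"    # overrun-sized payload got past auth: investigate
    return "dvwssr-request"               # someone is probing for the DLL; confirm it is gone


def scan(text):
    """Count labelled DVWSSR.DLL records in a W3C log; non-DLL traffic is ignored."""
    return Counter(lbl for rec in parse_w3c(text) if (lbl := classify(rec)))
```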