OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: RAZOR Analysis of dvwssr.dll
From: David LeBlanc (dleblancMINDSPRING.COM)
Date: Mon Apr 17 2000 - 18:04:30 CDT

At 04:05 PM 4/17/00 -0500, Simple Nomad wrote:

>Detection is quite simple. The following examples use NetCat:

>The 500 error means dvwssr.dll is not present.

>The 401 error means dvwssr.dll is present but you do not have the rights
to it.

>The connection closed means that you had the rights to run the DLL, but
>since no parameters were passed the connection was completed.

Thanks for making this clear. However, one point that should be made is
that this is true only for systems that could possibly be vulnerable.
Windows 2000 hosts, machines running web servers other than IIS, and
possibly even older IIS hosts could behave differently, and may give errors
other than these. Additionally, certain configurations will also change
the errors that would occur. Some of the configurations are servers where
https is required, and servers where authentication of some kind is
required. There may be other configurations which could also cause
erroneous conclusions based on the above, or possibly returns which are not
listed.

I'm still trying to sort out all of these nuances myself, and these caveats
are not at all meant to say that the cogent explanation presented by Simple
Nomad isn't useful or accurate - it does clear up a couple of issues for me
- just that I've been looking for this problem on a rather large network
and have encounted a lot of different conditions.

David LeBlanc
dleblancmindspring.com

_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net