Subject: NEWDSN.EXE DoS Attack - NT 4.0 SP5 - LOW RISK
From: Steve (steve@SECURESOLUTIONS.ORG)
Date: Sun Apr 30 2000 - 12:31:52 CDT
- Next message: LEVIATHAN: "Hmm..."
- Previous message: Daniel Dočekal: "Re: Windows 2000 Nul bug"
- Next in thread: Marc: "Re: NEWDSN.EXE DoS Attack - NT 4.0 SP5 - LOW RISK"
- Reply: Marc: "Re: NEWDSN.EXE DoS Attack - NT 4.0 SP5 - LOW RISK"
- Reply: Michael Howard: "Re: NEWDSN.EXE DoS Attack - NT 4.0 SP5 - LOW RISK"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This was sent to me this morning. The author is very correct when he
states that this is low risk, but still possible.
I copied the SA2000-01.TXT into the bottom of this message for those
that are nervous about following links. :-)
-Steve
-----Original Message-----
From: Ichinin [mailto:ichinin@suespammers.org]
Sent: Saturday, April 29, 2000 10:56 AM
To: steve@SECURESOLUTIONS.ORG; security@microsoft.com
Subject: Here you go.
Hi Steve.
Regarding your request for vulnerabilities.
http://www.geocities.com/Ichinin/SA2000-01.txt
(Unlike when I put my foot in my mouth with the SP4 issue,
this one has actually been researched.)
I've submitted this to Microsoft via anonymiser (because my
SMTP server was down for the moment); I DID include my name
+ email address so that they could contact me to confirm
delivery - this has not happened. I'm CC'ing Microsoft again
to make sure that they get it. (A delivery confirmation would
be nice.)
Regards,
Glenn Larsson
NT Security Analyst/Developer
Sweden
Public1: ichinin@suespammers.org
Public2: i.hate.spam@yesbox.se
Private: ichinin@swipnet.se
_____________________________________________________________
<FLAME>
(Yes, many people & companies sit on vulnerabilities (I do),
people want to make money on knowing something that some other
people don't. I haven't been able to sell even a single license
of my security software because I've got my ideas included by
international software makers with more rah-rah and cash than
little me = very hard to get my break. It's very hard to get
a job in the crap country I live in because the black/white hat
thing hasn't happened over here yet. Do you know how many
security analysts a certain big Swedish network service company
has? ONE!... I've even offered my knowledge to law enforcement
and the intelligence branch, but they are too stale and narrow-minded.
I'm seriously considering migrating to a country where computer
security is taken seriously.)
</FLAME>
---------------Copy of TXT file from Link Above--------------
Conditional Denial of Service vulnerability in MS IIS (Newdsn)

Affected Systems:
-----------------
- Windows NT 4, Service Packs 4 & 5
  Internet Information Server 2.0
  Vulnerable to: Condition 1 and 2
- Windows NT 4, Service Packs 4 & 5
  Internet Information Server 3 (upgraded from IIS 2.0)
  Vulnerable to: Condition 1 and 2
- Windows NT 4, Service Packs 4 & 5
  Internet Information Server 4 (upgraded from IIS 2.0)
  Vulnerable to: Only Condition 1 (AFAIK)

Impact:
-------
Under certain conditions, IIS is vulnerable to a DoS attack.
Low risk conditional attack - It is hard to exploit.

Exploit:
--------
Start a web browser, request the following:
http://www.server.com/Scripts/Tools/Newdsn.exe?Createdatabase
and the browser just sits there. So, you may ask, what's
happening on my server right now?
Well, not much, it is still spinning fine, it does not hog the
CPU, and you can still access web pages. The problem comes
if you try doing the following: (The server seems to resolve
this problem after an hour or two, possibly a shorter time, so it
is hard to exploit.)
CONDITION 1) You later may want to restart the W3 service for some
reason. This makes it stop totally; attempts to restart the service
result in the very informative error message " !". Though, in
IIS 4 there is an error message: "Socket in use".

CONDITION 2) If you go ahead and stop the service anyway and it
locks, the database part in IIS does not shut down and still responds
to HTTP requests on port 80. So, again, we re-request
http://www.server.com/Scripts/Tools/Newdsn.exe?Createdatabase
...and Drwatson mops up after InetInfo.
Short:
As long as you _do not_ stop or pause the W3SVC during the period in
which Newdsn is attacked - AFAIK, you are "ok".

Solution:
---------
Remove Newdsn.exe from your site if you haven't done that already
because of the Database creation vulnerability reported earlier.
Glenn "Ichinin" Larsson
Security Analyst
Sweden
_______________________________________________________________
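Since the advisory's only fix is to remove Newdsn.exe, a defender also wants to know whether anyone has been requesting it. The following is an added example (not part of the original post or advisory) that scans IIS W3C extended log lines for requests to /Scripts/Tools/Newdsn.exe and flags the "Createdatabase" query the advisory describes; the log lines and IP addresses are constructed sample data.

```python
import re

# Constructed sample of IIS W3C extended log output (not taken from the original post).
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2000-04-29 10:56:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-04-29 10:56:01 192.0.2.10 GET /default.htm - 200
2000-04-29 10:56:07 192.0.2.25 GET /Scripts/Tools/Newdsn.exe Createdatabase 200
2000-04-29 10:57:13 192.0.2.25 GET /scripts/tools/newdsn.exe driver=Microsoft%20Access%20Driver 200
2000-04-29 10:58:02 192.0.2.10 GET /images/logo.gif - 304
"""

# The sample script the advisory says to remove; IIS paths are case-insensitive.
NEWDSN_RE = re.compile(r"/scripts/tools/newdsn\.exe$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("request line appeared before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line instead of aborting the whole scan
        yield dict(zip(fields, values))


def find_newdsn_requests(text):
    """Return (client ip, query, status, is_createdatabase) for every Newdsn.exe request."""
    hits = []
    for rec in parse_w3c(text):
        if NEWDSN_RE.search(rec.get("cs-uri-stem", "")):
            query = rec.get("cs-uri-query", "-")
            # The advisory's hang is triggered by the Createdatabase query specifically.
            is_createdatabase = query.lower() == "createdatabase"
            hits.append((rec["c-ip"], query, rec.get("sc-status", "-"), is_createdatabase))
    return hits


if __name__ == "__main__":
    for ip, query, status, dos in find_newdsn_requests(SAMPLE_LOG):
        print(f"{ip} requested Newdsn.exe?{query} -> {status}" + ("  [DoS trigger]" if dos else ""))
```

Any hit at all means the script is still deployed and should be removed as the advisory recommends; a Createdatabase hit is the specific request that leaves W3SVC unable to restart cleanly.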