Subject: Re: NEWDSN.EXE DoS Attack - NT 4.0 SP5 - LOW RISK
From: Marc (marcEEYE.COM)
Date: Sun Apr 30 2000 - 17:15:56 CDT


I've not played with the newdsn.exe much but it might be interesting to try
to overflow it.. something like
http://www.server.com/Scripts/Tools/Newdsn.exe?[buffer] where [buffer] is 5k
of chars or something. It would be a lot more fun. I'll play with it Monday
unless someone else does before then.

Any system that wants to be a bit more secure shouldn't have newdsn.exe on
it anyway.

As for your flame... Sitting on exploits as a way of making money is plain
dirty. It is probably because of that thinking, that people do not wish to
buy your product.

Signed,
Marc
eEye Digital Security
http://www.eEye.com

"All you're seeing is a product begging for your fat ass dirty dollar. Learn
to swim."
Tool

| -----Original Message-----
| From: Steve [mailto:steveSECURESOLUTIONS.ORG]
| Sent: Sunday, April 30, 2000 10:32 AM
| To: win2ksecadviceLISTSERV.NTSECURITY.NET
| Subject: NEWDSN.EXE DoS Attack - NT 4.0 SP5 - LOW RISK
|
|
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| This was sent to me this morning. The author is very correct when he
| states that this is low risk, but still possible.
|
| I copied the SA2000-01.TXT into the bottom of this message for those
| that are nervous about following links. :-)
|
|
| -Steve
|
| -----Original Message-----
| From: Ichinin [mailto:ichininsuespammers.org]
| Sent: Saturday, April 29, 2000 10:56 AM
| To: steveSECURESOLUTIONS.ORG; securitymicrosoft.com
| Subject: Here you go.
|
|
| Hi Steve.
|
| Regarding your request for vulnerabilities.
|
| http://www.geocities.com/Ichinin/SA2000-01.txt
|
| (Unlike when I put my foot in my mouth with the SP4 issue,
| this one has actually been researched.)
|
| I've submitted this to Microsoft via an anonymiser (because my
| SMTP server was down for the moment); I DID include my name
| + email address so that they could contact me to confirm
| delivery - this has not happened. I'm CC'ing Microsoft again
| to make sure that they get it. (A delivery confirmation would
| be nice.)
|
| Regards,
|
| Glenn Larsson
|
| NT Security Analyst/Developer
| Sweden
|
| Public1: ichininsuespammers.org
| Public2: i.hate.spamyesbox.se
| Private: ichininswipnet.se
| _____________________________________________________________
|
| <FLAME>
| (Yes, many people & companies sit on vulnerabilities (I do);
| people want to make money on knowing something that some other
| people don't. I haven't been able to sell even a single license
| of my security software because I've had my ideas included by
| international software makers with more rah-rah and cash than
| little me, so it's very hard to get my break. It's very hard to get
| a job in the crap country I live in because the black/white hat
| thing hasn't happened over here yet. Do you know how many
| security analysts a certain big Swedish network service company
| has? ONE!... I've even offered my knowledge to law enforcement
| and the intelligence branch, but they are too stale and narrow-minded.
| I'm seriously considering migrating to a country where computer
| security is taken seriously.)
| </FLAME>
|
| ---------------Copy of TXT file from Link Above--------------
|
| Conditional Denial of Service vulnerability in MS IIS (Newdsn)
|
| Affected Systems:
| -----------------
|
| - Windows NT 4, Service Packs 4 & 5
| Internet Information Server 2.0
| Vulnerable to: Condition 1 and 2
|
| - Windows NT 4, Service Packs 4 & 5
| Internet Information Server 3 (upgraded from IIS 2.0)
| Vulnerable to: Condition 1 and 2
|
| - Windows NT 4, Service Packs 4 & 5
| Internet Information Server 4 (upgraded from IIS 2.0)
| Vulnerable to: Only Condition 1 (AFAIK)
|
| Impact:
| -------
| Under certain conditions, IIS is vulnerable to a DoS attack.
| Low risk conditional attack - it is hard to exploit.
|
| Exploit:
| --------
|
| Start a web browser and request the following:
|
|
| http://www.server.com/Scripts/Tools/Newdsn.exe?Createdatabase
|
|         and the browser just sits there. So, you may ask, what's
|         happening on my server right now?
|
|         Well, not much, it is still spinning fine, it does not hog the
|         CPU, and you can still access web pages. The problem comes
|         if you try doing the following: (The server seems to resolve
|         this problem after an hour or two, possibly a shorter time, so it
|         is hard to exploit.)
|
|         CONDITION 1) You later may want to restart the W3 service for some
|         reason. This makes it stop totally; attempts to restart the service
|         result in the very informative error message - " !". Though, in
|         IIS 4 there is an error message: "Socket in use".
|
|         CONDITION 2) If you go ahead and stop the service anyway and it locks,
|         the database part in IIS does not shut down and still responds to HTTP
|         requests on port 80. So, again, we re-request
|
| http://www.server.com/Scripts/Tools/Newdsn.exe?Createdatabase
|
|         ...and Drwatson mops up after InetInfo.
|
|         Short:
|         As long as you _do not_ stop or pause the W3SVC during the period in
|         which Newdsn is attacked - afaik, you are "ok".
|
|         Solution:
|         ---------
|         Remove Newdsn.exe from your site if you haven't done that already
|         because of the Database creation vulnerability reported earlier.
|
|         Glenn "Ichinin" Larsson
|         Security Analyst
|         Sweden
|         _______________________________________________________________


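A defender-side companion to the advisory's fix (remove Newdsn.exe): an added example, not code from the original post, eEye or Microsoft, that scans IIS W3C extended log lines for requests to the script so an administrator can see whether it was ever hit before taking it off the server. The log lines are constructed; the column names are the ones IIS declares in its "#Fields:" header.

```python
"""Flag requests to Newdsn.exe in IIS W3C extended log lines (added example).

Field names come from the "#Fields:" header IIS writes at the top of each log,
so the parser adapts to whatever columns the server was set to record.
"""
import re
from collections import Counter

# Constructed sample log; the 10:33 entry shows why matching must be
# case-insensitive, since IIS serves the path regardless of case.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-04-30 10:32:01 192.0.2.10 GET /default.htm - 200
2000-04-30 10:32:05 192.0.2.77 GET /Scripts/Tools/Newdsn.exe Createdatabase 200
2000-04-30 10:33:12 192.0.2.77 GET /scripts/tools/NEWDSN.EXE CreateDatabase 200
2000-04-30 10:35:40 192.0.2.10 GET /samples/readme.htm - 404
"""

NEWDSN = re.compile(r"/newdsn\.exe$", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the column names in #Fields."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("log entry precedes the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated entry: skip rather than misalign columns
        yield dict(zip(fields, values))

def find_newdsn_requests(text):
    """Return ([(client ip, uri stem, query), ...], hits per client)."""
    hits = []
    for entry in parse_w3c(text):
        stem = entry.get("cs-uri-stem", "")
        if NEWDSN.search(stem):
            query = entry.get("cs-uri-query", "-")
            hits.append((entry["c-ip"], stem, "" if query == "-" else query))
    return hits, Counter(ip for ip, _, _ in hits)

if __name__ == "__main__":
    for ip, stem, query in find_newdsn_requests(SAMPLE_LOG)[0]:
        print(f"{ip} requested {stem}?{query}")
```

Point it at the real log directory (by default %SystemRoot%\System32\LogFiles on NT 4) by reading each file's contents into `find_newdsn_requests`; any hit is a reason to remove the script immediately rather than wait.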
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net