File: 2129.txt

package info (click to toggle)
snort 2.9.15.1-5
  • links: PTS, VCS
  • area: main
  • in suites:
  • size: 59,656 kB
  • sloc: ansic: 310,441; sh: 13,260; makefile: 2,943; yacc: 497; perl: 496; lex: 261; sed: 14
file content (67 lines) | stat: -rw-r--r-- 1,642 bytes parent folder | download | duplicates (8)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
Rule:

--
Sid: 2129


--
Summary:
This event is generated when an attempt is made to access nsiislog.dll on a host running Microsoft Internet Information Server (IIS). 

--
Impact:
Possible buffer overrun leading to arbitrary code execution.

--
Detailed Information:
This event indicates that an attempt has been made to access nsiislog.dll on a host running Microsoft Internet Information Server (IIS).

The attacker may be trying to overflow a buffer using nsiislog.dll. This can present the attacker with the opportunity to execute arbitrary code of his choice on the vulnerable system. The vulnerability occurs when requests for Server Side Includes are not properly checked by the web server.

--
Affected Systems:
Any host using IIS 5.0.

--
Attack Scenarios:
An attacker can overflow a buffer and then proceed to execute arbitrary code.

--
Ease of Attack:
Simple.

--
False Positives:
None Known.

--
False Negatives:
None Known.

--
Corrective Action:
Upgrade to the latest non-affected version of the software.

Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.

Ensure that the IIS implementation is fully patched.

Ensure that the underlying operating system is fully patched.

Employ strategies to harden the IIS implementation and operating system.

Check the host for signs of compromise.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

Microsoft Technet:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-018.asp

--