File: 1243.txt

snort 2.9.2.2-3
Rule:

--
Sid:
1243

--
Summary:
This event is generated when an attempt is made to access the .ida Indexing Service ISAPI filter. 

--
Impact:
Remote access. This attack may allow execution of arbitrary commands in the System context, providing complete control of the server.

--
Detailed Information:
Microsoft Internet Information Services (IIS) installs several Internet Service Application Programming Interface (ISAPI) extensions. A buffer overflow vulnerability exists because of improper buffer checking in the .ida ISAPI filter. This may allow execution of arbitrary commands with System level access on the vulnerable server. The Code Red worm used this vulnerability to propagate.

--
Affected Systems:
Windows NT 4.0 IIS 4.0
Windows 2000 IIS 5.0
Windows XP beta IIS 6.0 beta

--
Attack Scenarios:
An attacker can craft a special HTTP request that can cause a buffer overflow.  

--
Ease of Attack:
Simple. Send the following request to a vulnerable server:
GET /a.ida?NNNN... HTTP/1.0 where 240 N's or other characters are supplied. 

--
False Positives:
None Known.

--
False Negatives:
None Known.

--
Corrective Action:

Consider removing the .ida ISAPI filter if it is not necessary.
 
Download and install the appropriate patch mentioned in the Microsoft bulletin.
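
To review existing web server access logs for the requests this event describes, the following Python script is an added example, not part of the Snort rule or its documentation. It assumes Common Log Format input and uses the 240-character figure from the Ease of Attack section as its length threshold; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Threshold taken from the "Ease of Attack" section (240 characters after '?').
LONG_QUERY = 240

# Request field of a Common Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/\d\.\d)?"')


def classify_target(target):
    """Return None, 'ida-access' or 'ida-long-query' for a request target."""
    path, _, query = target.partition("?")
    # The extension may arrive in any case or percent-encoded, so normalise
    # the path before comparing. Only the path is checked, never the query.
    path = unquote(path).lower()
    if not path.endswith(".ida"):
        return None
    return "ida-long-query" if len(query) >= LONG_QUERY else "ida-access"


def scan(lines):
    """Yield (client, verdict, query_length) for each matching log line."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parsable request line
        target = m.group("target")
        verdict = classify_target(target)
        if verdict:
            client = line.split(" ", 1)[0]
            yield client, verdict, len(target.partition("?")[2])


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2001:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.44 - - [19/Jul/2001:10:00:02 +0000] "GET /a.ida?' + "N" * 240 + ' HTTP/1.0" 500 0',
    '192.0.2.45 - - [19/Jul/2001:10:00:03 +0000] "GET /Search.IDA?q=1 HTTP/1.0" 404 0',
    '192.0.2.46 - - [19/Jul/2001:10:00:04 +0000] "GET /docs/ida.html?x=.ida HTTP/1.0" 200 90',
]

if __name__ == "__main__":
    for client, verdict, qlen in scan(SAMPLE_LOG):
        print(f"{client}\t{verdict}\tquery_length={qlen}")
```

Any "ida-access" hit on a server that does not use the Indexing Service is worth following up, since the corrective action above is to remove the .ida mapping where it is not needed.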

--
Contributors:
Original rule written by Dr SuSE and C. Mayor.
Modified by Brian Caswell <bmc@sourcefire.com>
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:

Arachnids
http://www.whitehats.com/info/IDS552

CERT
http://www.cert.org/incident_notes/IN-2001-08.html

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms01-033.asp

eEye Digital Security
http://www.eeye.com/html/Research/Advisories/AD20010618.html


--