RE: Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability

From: Noonan, Wesley (Wesley_Noonan@bmc.com)
Date: Wed Mar 19 2003 - 12:05:34 EST


In terms of stability, MS has added the following warning to the bulletin:

"Warning If you are running Windows 2000 Service Pack 2 (SP2), you must
check the version of Ntoskrnl.exe on your computer before you install this
update. To do this:
Open the %Windir%\System32 folder.
Right-click the Ntoskrnl.exe file, click Properties, and then click the
Version tab.
Versions of Ntoskrnl.exe from 5.0.2195.4797 to 5.0.2195.4928 are not
compatible with this update. These versions were distributed only with
Microsoft Product Support Services hotfixes. If you install the update that
is described in this article on a computer with an Ntoskrnl.exe version from
5.0.2195.4797 to 5.0.2195.4928, the computer stops responding with a "Stop
0x00000071" message when you restart the computer. If this occurs, you must
recover the Windows installation by using Windows 2000 Recovery Console and
the backup copy of the Ntdll.dll file that is stored in the
Winnt\$NTUninstallQ815021$ folder"

The full details are located here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q815021&sd=tech

I feel for the folks who blue screened their production servers they may
have attempted to patch... Fortunately, we caught it on test systems first.

HTH

Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan@bmc.com
http://www.bmc.com

> -----Original Message-----
> From: Royans Tharakan [mailto:RTharakan@ingenuity.com]
> Sent: Tuesday, March 18, 2003 22:02
> To: Sarah Kenna Groark; Nicolas Gregoire; Gary O'leary-Steele
> Cc: pen-test@securityfocus.com
> Subject: RE: Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability
>
> I checked this out. SANS had an emergency webcast this morning
> in which a lot of security engineers reviewed this bug. Few microsoft
> guys where there who confirmed that OWA uses its own version of WEBDAV
> which overrides the version which is installed by the OS.
> They said the version of WEBDAV in OWA is not vulnerable to this exploit.
>
> However, I'm still hunting for an exploit to test it. Obviously we don't
> want to upgrade OWA if it can be avoided. We don't know how stable the
> patch is at this point.
>
> rkt
>
> -----Original Message-----
> From: Sarah Kenna Groark [mailto:sarah@procinct.com]
> Sent: Tuesday, March 18, 2003 4:35 PM
> To: Royans Tharakan; Nicolas Gregoire; Gary O'leary-Steele
> Cc: pen-test@securityfocus.com
> Subject: RE: Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability
>
>
>
> >Someone said that OWA is not at risk so we are not patching it for
> webdav.
>
> Is there a definitive statement on this somewhere? I am trying to track
> down for a client whether OWA is vulnerable to this and unfortunately do
> not have an environment where I can test it myself at the moment.
>
> Any info much appreciated.
>
> Take care,
> // Sarah
>
>
> --------------------------------------------------------------------------
> --
> Did you know that you have VNC running on your network?
> Your hacker does. Plug your security holes now!
> Download a free 15-day trial of VAM:
> http://www2.stillsecure.com/download/sf_vuln_list.html

----------------------------------------------------------------------------
Did you know that you have VNC running on your network?
Your hacker does. Plug your security holes now!
Download a free 15-day trial of VAM:
http://www2.stillsecure.com/download/sf_vuln_list.html



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:31 EDT