RE: Webdev fuss so what?

From: McElroy Richard (RMcElroy@mbe.com)
Date: Fri May 09 2003 - 15:11:00 EDT

• Next message: Stephen Smoogen: "Re: Where is a Free Copy of ISO17799?"
• Previous message: Richard Ginski: "Where is a Free Copy of ISO17799?"
• Maybe in reply to: peter devris: "Webdev fuss so what?"
• Next in thread: mvillanova: "Re: Webdev fuss so what?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

You are absolutley not safe I would recommend patching. I got 3 false positives off of machines that I tested as well.

-----Original Message-----
From: peter devris [mailto:peterdevris@hotmail.com]
Sent: Thursday, May 08, 2003 5:17 PM
To: pen-test@securityfocus.com
Subject: Webdev fuss so what?

What is all the fuss about the webdev vul?

I have an IIS5.0 server SP3 and thought I best check

this out so tried the following to test and exploit my

server

webdevfinder.pl - by SensePost Research

      returns - WebDAV possibly in use

OK looks like a problem, so now test exploit using:

webdavx.pl - by isno@xfocus.org

   returns - attempting all the offsets 0-7:

     send buffer...

      telnet target 7788

      if fail, try other offset(0-7)

    All telnet attempts failed to connect!

webdavIIS50.pl by www.infowarfare.dk

  Returns

    IIS 5.0 WebDAV BufferOverflow attack

    but fails to do anything!!

wbr.exe - ntdll.dll exploit trough WebDAV by kralor[Crpt]

     failed to nc to my listening port!

     Results:

     Checking WebDav on 'xxxx' ... FOUND

     exploiting ntdll.dll through WebDav [ret: 0x00100010]

     Connecting... CONNECTED

     Sending evil request... SENT

     Server seems to be patched.

     data: HTTP/1.1 500 Internal Server Failure

     Server: Micr╠╠ñ²↕

     Hey this server is not patched!

Ok all the above failed, so I am safe?

Next step was to build a Win2k SP 1 - default install

IIS5.0 and repeat all the above.

Guess what all failed, so even with SP1 and SP3 -

straight out of the box I was not vuln to this WebDev

exploit

So what is all of the fuss about?

During the testing both Web servers still ran and never

when down.

Cheers peter

---------------------------------------------------------------------------
Did you know that you have VNC running on your network?
Your hacker does.
Plug your security holes.
Download a free 15-day trial of VAM: http://www.securityfocus.com/StillSecure-pen-test
----------------------------------------------------------------------------

---------------------------------------------------------------------------
Did you know that you have VNC running on your network?
Your hacker does.
Plug your security holes.
Download a free 15-day trial of VAM:
http://www.securityfocus.com/StillSecure-pen-test
----------------------------------------------------------------------------

• Next message: Stephen Smoogen: "Re: Where is a Free Copy of ISO17799?"
• Previous message: Richard Ginski: "Where is a Free Copy of ISO17799?"
• Maybe in reply to: peter devris: "Webdev fuss so what?"
• Next in thread: mvillanova: "Re: Webdev fuss so what?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:33 EDT