Thanks for clearing things up regarding ES & FP extensions, Jelmer... we
have enough hype about the Code Red worm.  We don't need any more... :-)


Trev.

-----Original Message-----
From: Jelmer Kuperus [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 07, 2001 11:40 AM
To: Charlie Brady; [EMAIL PROTECTED]
Subject: RE: [e-smith-devinfo] FrontPage and CodeRed?


Yeah, and if you forward my mail to 10 people in your address book Nokia will
give you a FREE CELLPHONE!!!!!!!!!! :)

OK, sorry about that.

But seriously, e-smith is positively absolutely not at risk; the reason for
this is that Code Red uses a known buffer overflow in IIS.

<QUOTE>
The vulnerability lies within the code that allows a Web server to interact
with Microsoft Indexing Service functionality. The vulnerable Indexing
Service ISAPI filter is installed by default on all versions of IIS. The
problem lies in the fact that the .ida (Indexing Service) ISAPI filter does
not perform proper "bounds checking" on user inputted buffers and therefore
is susceptible to a buffer overflow attack
</QUOTE>

ISAPI filters aren't installed with FPE.
And even if it were,
it will only exploit Windows 2000 web servers because it overwrites EIP with
a jmp that is only correct under Windows 2000.

Since I imagine most of you aren't familiar with PC assembly, in layman's terms
this means, basically, Code Red interrupts the normal processing of the
web server in order to execute its own code; it also uses one of Windows' own
functions for that. Under NT 4.0 etc. the location for that function is
different, so the process will simply crash instead of allowing the worm to
infect the system and spread.





-----Original Message-----
From: Charlie Brady [mailto:[EMAIL PROTECTED]]
Sent: dinsdag 7 augustus 2001 19:06
To: [EMAIL PROTECTED]
Subject: [e-smith-devinfo] FrontPage and CodeRed?



On Mon, 6 Aug 2001, somebody posted to the members mailing list of Sage-au
(www.sage-au.org.au):

> Umm, if you loaded Frontpage and the web extensions onto your home PC.... guess
> what, you're running a cut-down version of IIS - and it's just as susceptible to
> CodeRed and variants as are the full blown IIS boxes. I'm still wondering why
> no-one has mentioned this little fact yet.

I have no other information to confirm or deny this rumour, however, I
thought it prudent to pass it on.

[It shouldn't take long for someone to work out whether there is a CGI
called default.ida.]

--

  Charlie Brady                         [EMAIL PROTECTED]
  http://www.e-smith.org (development)  http://www.e-smith.com (corporate)
  Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739
  e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada



--
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org
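
Added example, not part of the original thread or of e-smith's code: one way to check what the messages above discuss, by scanning a web server access log for requests to .ida paths and confirming that none was answered with a success status. It assumes Apache Common Log Format; the function names and the sample log lines (documentation IP ranges, filler query strings) are constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def is_ida_request(target):
    """True when the request path (query string excluded) ends in .ida."""
    path = target.split("?", 1)[0]
    return path.lower().endswith(".ida")

def summarize_ida_probes(lines):
    """Return {source_host: {"count", "statuses", "max_query_len"}}."""
    report = defaultdict(lambda: {"count": 0, "statuses": set(), "max_query_len": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_ida_request(m.group("target")):
            continue  # unparseable line or unrelated request
        query = m.group("target").partition("?")[2]
        entry = report[m.group("host")]
        entry["count"] += 1
        entry["statuses"].add(int(m.group("status")))
        entry["max_query_len"] = max(entry["max_query_len"], len(query))
    return dict(report)

def answered_hosts(report):
    """Sources that received a 2xx for an .ida path. A server without the
    Indexing Service ISAPI filter should never produce one."""
    return sorted(h for h, e in report.items()
                  if any(200 <= s < 300 for s in e["statuses"]))

# Constructed sample lines; the long query strings are filler, not worm data.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Aug/2001:11:02:13 -0400] "GET /default.ida?' + "N" * 224 + ' HTTP/1.0" 404 276',
    '192.0.2.10 - - [07/Aug/2001:11:09:41 -0400] "GET /default.ida?' + "N" * 224 + ' HTTP/1.0" 404 276',
    '198.51.100.7 - - [07/Aug/2001:11:15:00 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [07/Aug/2001:11:20:30 -0400] "GET /Default.IDA?' + "X" * 224 + ' HTTP/1.0" 404 276',
]

if __name__ == "__main__":
    rep = summarize_ida_probes(SAMPLE_LOG)
    for host, e in sorted(rep.items()):
        print(host, e["count"], sorted(e["statuses"]), e["max_query_len"])
    print("answered with 2xx:", answered_hosts(rep) or "none")
```

On a server that has no .ida handler, every reported source should show only 404 (or similar error) statuses, and answered_hosts() should return an empty list.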

