Government Security
Network Security Resources

Windows IIS 5.0 Buffer Overflow Vulnerability


#1 aladin168

  • Members
  • 5 posts

Posted 03 April 2003 - 04:50 AM

There's a nice IIS5 WebDAV / ntdll.dll vulnerability round-up article including exploit analysis, problems, fixes, FAQ, and impacts on Exchange Server OWA.

URL: http://www.klcconsul...webdav_vuln.htm

#2 Guest_DGJ_*

  • Guests

Posted 21 March 2003 - 08:41 AM

Microsoft Windows 2000 supports the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol. WebDAV, defined in RFC 2518, is a set of extensions to the Hyper Text Transfer Protocol (HTTP) that provide a standard for editing and file management between computers on the Internet. A security vulnerability is present in a Windows component used by WebDAV resulting from a component containing an unchecked buffer.

An attacker could exploit the vulnerability by sending a specially formed HTTP request to a machine running Internet Information Server (IIS). The request could cause the server to fail or to execute code of the attacker's choice. The code would run in the security context of the IIS service (which, by default, runs in the LocalSystem context).

The patch for Windows 2000 is available at the following location: microsoft

Additional information about this patch Installation platforms: This patch can be installed on systems running Windows 2000 Service Pack 2 or Service Pack 3.

Set the IIS registry MaxClientRequestBuffer value to less than 64000 bytes. By default, the registry key MaxClientRequestBuffer is not created. It is essential to IIS security to set a limit to MaxClientRequestBuffer. Microsoft has developed a tool to change the buffer size and may be found at: microsoft

In conjunction with applying the patch, systems should be scanned for the following services to determine if the box has already been compromised.

(1) Check for the existence of the netshowservices account. The NetShowServices account is normally set up in Windows Media Services. If the netshowservices account (often lower case) is present on a box where Windows Media Services is not enabled, the likelihood of a compromise is high.

(2) Check to ensure normal applications are not mapped to nontraditional ports (i.e. explorer.exe).

(a) Backdoors are often set by modifying normal applications to listen on random ports. Fport (found at is ideal for finding such trojan applications.

(b) The following new backdoor tools have been found on compromised systems: the files are extapi.dll and svchost.exe. Although svchost.exe is a standard file in the operating system (c:\winnt\system32), the trojaned version will be located in c:\winnt. The extapi.dll is not a Windows DLL, and has been found under c:\winnt\system32.

(3) Intruders have also been known to leave certain additional files on compromised machines. Search for these files in particular: pwdump.exe (or variations of; use search string pwdump*), abc.exe, findpass.exe.
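As an added example (not part of DGJ's post), here is a PowerShell triage script that runs the three checks above, plus the MaxClientRequestBuffer registry check from earlier in the post, on a modern Windows host. Assumptions: $env:SystemRoot stands in for the post's c:\winnt, the Windows Media Services service name WMServer, the W3SVC registry path, and the list of applications that should never listen on a port are all mine, not from the post.

```powershell
# Added example, not from the original post: triage the compromise indicators
# listed for the IIS 5.0 WebDAV overflow. Returns a list of findings (empty = clean).
function Invoke-WebDavCompromiseTriage {
    $findings = @()

    # (1) netshowservices account present without Windows Media Services installed.
    #     Service name 'WMServer' is an assumption.
    $acct = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True AND Name='netshowservices'"
    $wms  = Get-Service -Name 'WMServer' -ErrorAction SilentlyContinue
    if ($acct -and -not $wms) {
        $findings += 'netshowservices account exists but Windows Media Services is not installed'
    }

    # (2a) Ordinary applications listening on network ports (explorer.exe never should).
    #      The list of "must not listen" process names is an assumption.
    $neverListen = @('explorer', 'notepad', 'calc')
    $procById = @{}
    Get-Process | ForEach-Object { $procById[$_.Id] = $_.ProcessName }
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $name = $procById[[int]$_.OwningProcess]
        if ($name -in $neverListen) {
            $findings += "$name.exe (PID $($_.OwningProcess)) is listening on TCP port $($_.LocalPort)"
        }
    }

    # (2b) Trojaned svchost.exe in the Windows directory; extapi.dll under system32.
    #      $env:SystemRoot is c:\winnt on Windows 2000, C:\Windows on later versions.
    foreach ($p in @("$env:SystemRoot\svchost.exe", "$env:SystemRoot\System32\extapi.dll")) {
        if (Test-Path -LiteralPath $p) { $findings += "suspicious file present: $p" }
    }

    # (3) Attacker tools left on disk anywhere on the system drive.
    Get-ChildItem -Path "$env:SystemDrive\" -Recurse -File -Include 'pwdump*', 'abc.exe', 'findpass.exe' `
        -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "attacker tool found: $($_.FullName)" }

    # Mitigation check: MaxClientRequestBuffer must exist and be below 64000.
    # Registry path is an assumption; the post only names the value.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'
    $val = (Get-ItemProperty -Path $key -Name 'MaxClientRequestBuffer' -ErrorAction SilentlyContinue).MaxClientRequestBuffer
    if ($null -eq $val -or [int]$val -ge 64000) {
        $findings += "MaxClientRequestBuffer is not set below 64000 (current value: '$val')"
    }

    return $findings
}

$result = Invoke-WebDavCompromiseTriage
if ($result.Count -eq 0) { 'No indicators found' } else { $result | ForEach-Object { "FINDING: $_" } }
```

Run from an elevated PowerShell session; the recursive file search over the system drive is the slow step and can be narrowed to the Windows directory if the host is large.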

Continue to use URLScan if possible. URLScan is part of the Microsoft IIS Lockdown tool. URLScan prevents many URL-facilitated attacks including this particular Windows 5.0 Buffer Overflow.

Install URLScan from this location here.
