"We Want our country back," shouted the California Democratic
Party convention over the weekend. Heh. This to the candidates for
Democratic nomination to the Presidency. And these are the people whose
votes are needed for the nomination. They booed all mention of the
military, of course.
This is bad for Democratic prospects, or so I would think.
http://news.com.com/2100-1002-992920.html
http://www.microsoft.com/technet/treeview/
default.asp?url=/technet/security/bulletin/ms03-007.asp
Begin forwarded message:
> From: "Douglas R. Wilson"
> Date: Mon Mar 17, 2003 2:02:06 PM US/Pacific
> To: Focus-MS
> Subject: Microsoft Security Advisory MS 03-007
>
> I developed this for my work environment -- however, I
> believe that it isn't proprietary, and am forwarding it to
> the list for comment and/or informative values. Hopefully
> there are no glaring errors.
>
> Please realize that any information contained in here
> should be verified and tested independently before you
> apply the process to any environment you are responsible
> for. I take no responsibility for any modifications anyone
> makes to their system based on what I put down here.
>
> --
>
> I have done some research today, as many people have asked
> the "are my web servers vulnerable/need to be patched, et
> al" question in response to the latest MSFT advisory (MS
> 03-007). It's likely that most servers that can be patched
> should be, BUT only after testing, as this may be a much
> more impactual problem than first realized, as well as all
> the other innate problems inherent with rolling patches out
> on production systems.
>
>
>
> Microsoft has handled this somewhat differently than a
> standard bulletin, and the conjecture on that could easily
> be a separate discussion. Initially, however, it points to
> the fact that this vulnerability is with ALL Windows 2000
> servers, period, and they have come out with this patch at
> this time because IIS servers are actively being
> compromised already, before the bulletin was released, to
> deal with an active attack vector. This implies that they
> may have rushed the patch out the door, and that the
> problems may involve a lot more parts of windows . . .
>
> Points to consider:
>
> · This may not be something that is an immediate
> threat to a lot of the servers if you only consider the IIS
> attack vector, if they have been deployed with the IIS
> lockdown tool in most configurations. CERTAIN
> CONFIGURATIONS OF THE IIS LOCKDOWN TOOL DO LEAVE WEBDAV
> ENABLED -- other methods should be employed there. There is
> a list of these profiles that I have found at the end of
> this.
>
> · The servers in question may have other things
> impacted by the patch, as a core system dll is what is
> being replaced by this hotfix.
>
> · The servers in question may not be able to be
> rebooted right away in keeping with SLA?s/production
> schedules.
>
>
>
> This is an issue with a core dll, ntdll.dll, which (I
> believe) is currently being addressed because an exploit
> exists that can be injected using IIS as its attack vector.
>
> MSFT recommends the IIS lockdown tool as one specific
> solution. However, some people are not sure they have
> applied the tool properly, and some people have made
> modifications and/or installed other applications since
> then (like Cold Fusion) that may add/modify application
> mappings, and thus change settings done by the IISLockdown
> tool.
>
> I have derived one result from my research as a way to
> detect one form of "protection" from the exploit. This
only
> addresses nailing down the IIS based attack vector, and
> only on certain boxes. However, the only true way to know
> for sure is if you have the exploit tool, and try using it,
> and it fails.
>
>
> WebDAV requests are processed in the httpext.dll. This is
> NOT the dll that the buffer overflow exists in, but it is
> the dll that initially would handle WebDAV requests, and it
> is that dll which the IISLockdown tool "locks down."
>
>
> So, if a windows 2000 server is running IIS 5.0, and it has
> had either:
>
> · Service Pack 3 for windows 2000 installed, or
>
> · Service Pack 2 and MS02-018: April 2002
> Cumulative Patch for Internet Information Services
> installed, or later cumulative patches installed,
>
>
>
> The following test can be used:
>
>
> If the C:\winnt\system32\inetsrv\httpext.dll file has ACL?s
> on it such that anonymous web context accounts cannot
> execute it, the server in question is very likely not
> vulnerable to this exploit. (Obviously, if you start
> considering the concept of NT Authentication, and various
> user accounts accessing the httpext.dll, the scope varies).
>
>
>
> Older versions of the lockdown tool will simply deny the
> Everyone Group?s permissions to execute -? as long as the
> anonymous users haven?t been put in any privileged group,
> this is fine. Newer versions of the lockdown tool will
> create specific groups for web users, and then specifically
> deny permissions on these files.
>
>
>
> The reason the service pack level is important is before
> MS02-018, some WebDAV requests could get around the
> httpext.dll, due to another issue, which is patched in
> either MS02-018 or SP3.
>
>
>
> There may be some way of scripting up a tool that will
> check for the above parameters on servers, to do quick spot
> checking, if someone has not already developed a
> vulnerability testing tool. As I said before, however, the
> only true way to make sure is to attempt the exploit, and
> have it fail.
>
> IIS Lockdown 2.1 Profiles that leave WebDAV enabled:
>
> Small Business Server 2000
> Exchange 2000 (OWA, PF, IM, SMTP, NNTP)
> Share Point Portal Server
> BizTalk Server 2000
> Commerce Server 2000
>
>
> Initial public release as pertains to Windows 2000:
> http://www.microsoft.com/security/security_bulletins/ms03-007.asp
>
>
>
> The full bulletin, as pertains to IIS:
>
> http://www.microsoft.com/technet/treeview/?url=/technet/security/
> bulletin/MS03-007.asp
>
>
>
> Article on WebDAV getting around httpext.dll in earlier
> versions:
>
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B307934
>
>
>
> IIS Lockdown Tool 2.1
>
> http://download.microsoft.com/download/iis50/
Utility/2.1/NT45XP/EN-US/iislockd.exe
>
> --
>
> Douglas R. Wilson
>
> dallendoug@dallenhome.org
>
> --
>
> "the biologist will tell you that progress is the result of
> mutations. mutations are another word for freaks. for god's
> sake let's have a little more freakish behavior- not less .
> . .
> Maybe 90 per cent of the freaks will just be freaks,
> ludicrous and pathetic and getting nowhere but into
> trouble. . .
> Eliminate them, however- bully them into conformity- and
> nobody in america will ever be really young any more and
> we'll be left standing in the dead center of nowhere."
>
> -- Tennessee Williams
>
>
----------------------------------------------------------------------
> ALERT: How a Hacker Uses SQL Injection to Steal Your SQL Data!
> It's as simple as placing additional SQL commands into a Web Form
input
> box giving hackers complete access to all your backend systems!
> http://www.spidynamics.com/mktg/sqlinjection33
>
If you would have peace be thou then prepared for war. We seem prepared
enough. Alert Level ORANGE
CLICK HERE for
a Special Request. 
