[Snort-sigs] WEB-FRONTPAGE dvwssr.dll

Brian bmc at ...95...
Wed Jan 23 15:45:05 EST 2002


A couple of comments:

This submission is mostly commentary.  Can you fill this in with a bit 
more actual information please?

For an excellent example, check out the posts from David Wilburn.

-b

On Wed, Jan 23, 2002 at 01:44:30PM -0600, Chris Arsenault wrote:
> Signature Submission :-)
>  
> Chris Arsenault
> Information Systems Manager
> First Educators Credit Union
> Senior Technical Instructor
> Rice University
> Exchange 5.5/Exchange 2000
>  
> Microsoft Certified Systems Engineer
> Microsoft Certified Trainer
>  

Content-Description: WEB-FRONTPAGE dvwssr.dll.txt
> # This is a template for submitting snort signature descriptions to
> # the snort.org website
> #
> # Ensure that your descriptions are your own
> # and not the work of others.  References in the rules themselves
> # should be used for linking to other's work. 
> #
> # If you are unsure of some part of a rule, use that as a commentary
> # and someone else perhaps will be able to fix it.
> # 
> # $Id$
> #
> # 
> 
> Rule:  WEB-FRONTPAGE dvwssr.dll
> --
> 
> Sid:  
> 
> --
> 
> Summary:  dvwssr.dll is a component installed with Windows NT Option Pack 4.0, Personal Web Server for Windows 95 and 98 and Front Page 98 Server Extensions. 
> 
> --
> Impact:  This component is vulnerable to a buffer overflow which would run in the context of the system account.
> 
> --
> Detailed Information:  As with an abundance of other exploits related to Microsoft’s Internet Information Services and web server based implementations, it would be possible for an attacker to run code of choice against the vulnerable web server.  It is also possible to use this exploit to stop the remote server from responding, which would create a consistent denial of service.
> 
> --
> Attack Scenarios:  Use of the GET statement along with the dvwssr.dll file would suggest a possible attempted attack.   
> 
> --
> Ease of Attack:  This attack would require both the dvwssr.dll file to reside on the web server and the correct permissions to be in place in order for the attack to be successful.  Using a script to send continued requests for the file dvwssr.dll would make a denial of service attack fairly easy.
> 
> --
> False Positives:  Web requests or web based applications which use dvwssr.dll in a context which is not malicious in nature.
> 
> --
> False Negatives:  N/A
> 
> --
> Corrective Action:  Remove dvwssr.dll from the web server and test all necessary functionality.
> 
> --
> Contributors:
> 
> Chris Arsenault – carsenault at ...283... 
> 
> References:
> 
> Security Focus BugTraq ID
> http://www.securityfocus.com/bid/1109
> 
> CVE
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0260
> 
> Microsoft – ms00-025
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-025.asp
>  
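
Added example, not part of the original post and not Snort's own rule: a Python sketch of the detection idea in the quoted write-up, flagging GET requests whose path names dvwssr.dll in a web access log and separately listing sources that request it repeatedly. The Common Log Format input, the addresses, the /example/ paths and the repeat threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

TARGET = "dvwssr.dll"
REPEAT_THRESHOLD = 3  # assumed cut-off for "continued requests" from one source


def requests_dvwssr(target):
    """True when the final path component of the request is dvwssr.dll."""
    path = target.split("?", 1)[0]          # ignore the query string
    path = unquote(path).replace("\\", "/")  # undo %xx encoding, unify slashes
    return path.rsplit("/", 1)[-1].lower() == TARGET  # match without regard to case


def scan(lines):
    """Return (hits, repeated_sources) for an iterable of log lines."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not Common Log Format
        src, method, target, status = m.groups()
        if method.upper() == "GET" and requests_dvwssr(target):
            hits.append((src, target, int(status)))
    per_src = Counter(src for src, _, _ in hits)
    repeated = sorted(s for s, n in per_src.items() if n >= REPEAT_THRESHOLD)
    return hits, repeated


# Constructed sample log lines (documentation address ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jan/2002:13:00:01 -0600] "GET /example/dvwssr.dll?file.asp HTTP/1.0" 200 512',
    '192.0.2.10 - - [23/Jan/2002:13:00:02 -0600] "GET /example/DVWSSR.DLL HTTP/1.0" 404 0',
    '192.0.2.10 - - [23/Jan/2002:13:00:03 -0600] "GET /example/%64vwssr.dll HTTP/1.0" 404 0',
    '198.51.100.7 - - [23/Jan/2002:13:05:00 -0600] "GET /docs/page.asp?ref=dvwssr.dll HTTP/1.0" 200 900',
    '203.0.113.5 - - [23/Jan/2002:13:06:00 -0600] "GET /example/dvwssr.dll HTTP/1.0" 200 512',
    '198.51.100.7 - - [23/Jan/2002:13:07:00 -0600] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    hits, repeated = scan(SAMPLE_LOG)
    for src, target, status in hits:
        print(f"dvwssr.dll request from {src}: {target} -> {status}")
    print("repeated requesters:", repeated)
```

Matching on the path only keeps the fourth sample line, where the name appears just in a query parameter, out of the results; any remaining single hits still need the false-positive review the write-up describes.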




