[Snort-sigs] Updated WEB-FRONTPAGE dvwssr.dll

Chris Arsenault carsenault at ...283...
Thu Jan 24 11:34:06 EST 2002

Please feel free to comment back via email or the group on the writing
style below.  My main reason for using Snort in our corporate
environment was because of the links to references in an abundance of
the signatures.  I would very much like to see the Snort Sig DB a piece
of ARTWORK!!  
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$
Rule:  WEB-FRONTPAGE dvwssr.dll
Sid:  967
Summary:  An attacker attempted to perform a buffer overflow against the
system.  The overflow may also allow the attacker to execute code of
Impact:  Successful execution of an attack would allow an attacker to
possibly read .asp files on the remote system.
Detailed Information: The permissions on the file dvwssr.dll do not
allow everyone read access by default.  In order for a host to be
vulnerable to this attack, read access would have to be granted to a
directory with dvwssr.dll within its path.        
Attack Scenarios:  Use of the GET command in the following context would
initiate this attack:  GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0.  If
the file dvwssr.dll was not present on the system, the response would be
500 server error.  If the file dvwssr.dll does not allow read access,
the response would be 401 Access Denied.  If the file was present and
read access to the file was allowed, the response would be Connection
Closed by Foreign Host which would mean that the dvwssr.dll file is
present on the host with the correct permissions in order to initiate
this attack.  
Ease of Attack:  
False Positives: N/A
False Negatives:  N/A
Corrective Action:  Remove dvwssr.dll from the web server and test all
necessary functionality.
Chris Arsenault - carsenault at ...283... 
Security Focus BugTraq ID
Microsoft - ms00-025
Chris Arsenault
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020124/07404f13/attachment.html>

More information about the Snort-sigs mailing list