[Snort-sigs] SID 1243

Robert Wagner rwagner at ...447...
Tue Mar 19 08:19:14 EST 2002


I am not sure if this has been corrected.  The website
http://www.snort.org/snort-db/sid.html?id=1243 showed this as complete, but
there isn't any detailed information listed.  I guess it is MIA?  


Rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243; rev:2;)

--
Sid:
1243

--
Summary:
An attempt was made to see if the system has the idq.dll file 
vulnerability of IIS servers.

--
Impact:
This technique may be part of a Code Red virus attack or a buffer overflow 
attempt.  If this file is available, then your system may be fully
compromised.

--
Detailed Information:
A packet is sent to the server like: 

218.114.160.45 - - [17/Mar/2002:06:19:38 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329 "-" "-"

The server will then respond with: "File . Error 0x80040e14 caught while 
processing query" if the system is patched and "The IDQ file 
NULL.ida could not be found" if the vulnerability exists.  

--
Attack Scenarios:
This can occur as part of the Code Red virus or a system recon.

--
Ease of Attack:
Easy.  This can be done straight through any web browser.

--
False Positives:
Only if you are intentionally running idq.dll.  This also checks for a 
minimum length of 239.

--
False Negatives:
Unknown.

--
Corrective Action:
Obtain the latest Microsoft IIS system patches and lockdown tools.  

--
Contributors:
rwagner

--
Additional References:
http://www.net-security.org/text/bugs/995634801,15771,.shtml
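The following is an added example, not part of the post above and not Snort code: it re-implements the two payload checks of SID 1243 (uricontent ".ida?" with nocase, and dsize:>239) in plain Python and runs them over a few constructed HTTP requests. The Code Red request is rebuilt from the log line quoted in the post (224 filler "N" bytes followed by the %uXXXX-encoded shellcode); the other requests, the function names and the Verdict fields are assumptions made for this illustration. It shows why the dsize check matters: a bare "/NULL.ida?" probe hits the uricontent match but is too short to fire the rule.

```python
"""
Offline re-implementation of the matching logic of Snort SID 1243.

Checks mirrored from the rule:
  uricontent:".ida?"  nocase   -> case-insensitive substring of the request URI
  dsize:>239                   -> TCP payload (here: the whole request) longer than 239 bytes
flags:A+, the port and the direction are left to the capture layer and not modelled.
"""
import re
from dataclasses import dataclass

# Code Red request as quoted in the post: 224 'N' filler bytes, then %u-encoded shellcode.
CODE_RED_URI = (
    "/default.ida?" + "N" * 224
    + "%u9090%u6858%ucbd3%u7801" * 3
    + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "code_red": f"GET {CODE_RED_URI} HTTP/1.0\r\n\r\n".encode(),
    # Hits uricontent but is far shorter than 239 bytes: the rule stays silent.
    "short_probe": b"GET /NULL.ida? HTTP/1.0\r\nHost: www\r\n\r\n",
    "benign": b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n",
    # Upper-case extension: caught because the rule uses nocase.
    "uppercase": b"GET /X.IDA?" + b"A" * 300 + b" HTTP/1.0\r\n\r\n",
}

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d\r?\n")


@dataclass
class Verdict:
    alert: bool            # both rule conditions met
    uri_match: bool        # uricontent:".ida?" nocase
    dsize_match: bool      # dsize:>239
    unicode_escapes: int   # count of %uXXXX sequences in the URI (Code Red's shellcode encoding)


def sid1243(payload: bytes) -> Verdict:
    """Apply the SID 1243 payload checks to one raw HTTP request."""
    m = REQUEST_LINE.match(payload)
    uri = m.group(2) if m else b""
    uri_match = b".ida?" in uri.lower()
    dsize_match = len(payload) > 239
    escapes = len(re.findall(rb"%u[0-9a-fA-F]{4}", uri))
    return Verdict(uri_match and dsize_match, uri_match, dsize_match, escapes)


def scan(samples: dict) -> dict:
    """Run the check over a name -> payload mapping; returns name -> Verdict."""
    return {name: sid1243(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, v in scan(SAMPLES).items():
        print(f"{name:12} alert={v.alert!s:5} uri={v.uri_match!s:5} "
              f"dsize={v.dsize_match!s:5} %u-escapes={v.unicode_escapes}")
```

The %u count is reported only as context: the rule itself does not look at the shellcode, so any request whose URI contains ".ida?" and whose payload exceeds 239 bytes will fire, which is the false-positive surface the post describes.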





