TCP:80 - Malformed HTR Request - NT4 when remote desktop is setup for port 80

[Matt Curtis]

When the system (WinXP with remote desktop enabled on port
80) is scanned with Retina Security scanner, a Malformed
HTR Request vulnerability is found but is specified to be
a NT4 issue. I have no NT4 machines on that port or on my
network for that matter. The description of the
vunerability is as follows:

TCP:80 - Malformed HTR Request - NT4
A vulnerability in IIS involves an unchecked buffer in the
filter DLLs for the following file types: .HTR, .STM
and .IDC files. The .htr, .STM and .IDC extensions are
used by ISAPI filters so an attacker can therefore
overflow those ISAPI filters and remotely execute code as
SYSTEM.

To correct the problem you are reffered to the following
hotfix page which specifies only NT4:
http://support.microsoft.com/support/kb/articles/Q234/9/05.
ASP

Please advise,
Just wanted to bring this to someone's attention as to
prevent any exploitaton of this.

Thanks,
Matt Curtis

 

[Jeffrey Randow (MVP)]

Note: Don't install that hotfix on XP... It is for IIS, but won't do
anything if you have remote desktop listening on that port (in lieu of
using the web client)...

Jeffrey Randow (Windows Networking & Smart Display MVP)
(e-mail address removed)

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

 

[Bill Sanderson]

Have you run this by the folks at eEye?

Sounds like a false postive to me, but it'd be good to have an
acknowledgement from them.