Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:1021 |
Message | WEB-IIS ism.dll attempt |
Summary | This event is generated when an attempt is made to retrieve file contents by exploiting a vulnerability in Microsoft Internet Information Server (IIS) ISAPI component. |
Impact | Information Disclosure. |
Detailed Information | Default installations of IIS 4.0 and IIS 5.0 contain a vulnerability in ISM.DLL that can allow an attacker to retrieve the contents of files on the system. This could be used to retrieve web application source code or the contents of other sensitive files. |
Affected Systems | Microsoft IIS 4.0 and 5.0 Multiple vendor implementations of IIS. |
Attack Scenarios | The attacker sends a URL containing the file to be retrieved (without the extension), followed by approximately 230 "%20" (ascii space) characters followed by ".htr". Note: This attempt can only be performed once. The server must be restarted to make another sucessful request. |
Ease of Attack | Simple. No exploit software required. |
Corrective Action | Check server logs for signs of compromise. |
Additional References | |
Rule References | bugtraq: 1193 cve: 2000-0457 nessus: 10680 url: www.microsoft.com/technet/security/bulletin/MS00-031.mspx |
--
DID:577637
--
http://www.aanval.com/