From: Frank Knobbe (fknobbe@knobbeits.com)
Date: Wed Mar 19 2003 - 13:25:15 EST
On Tue, 2003-03-18 at 22:02, Royans Tharakan wrote:
> I checked this out. SANS had an emergency webcast this morning
> in which a lot of security engineers reviewed this bug. Few microsoft
> guys where there who confirmed that OWA uses its own version of WEBDAV
> which overrides the version which is installed by the OS.
> They said the version of WEBDAV in OWA is not vulnerable to this exploit.
However, those same folks said that it is not the LOCK method that is
vulnerable, but in fact only the GET method. I heard reports from guys
who just couldn't make WebDAV crash with GET, but didn't have a problem
with SEARCH and PROPFIND. Personally, I'm wondering if ISS was just
spreading misinformation to confuse the potential worm-writers, but I'm
not making any such accusation. (Misinformation wouldn't be effective
anyway. But then again, neither is holding back the details for a sig,
but explaining how it works...:/
I think it's safe to assume that any WebDAV method, and perhaps others,
not yet discovered components, are vulnerable, mainly because the bug is
in ntdll.dll. So perhaps OWA is vulnerable.... we just haven't found out
where and how....
Regards,
Frank
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:31 EDT