A vulnerability was recently reported in Microsoft IIS. Microsoft has since completed its investigation and “found that there is no vulnerability in IIS.” However, “there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server.” The issue only impacts IIS servers that are set up to allow both “write” and “execute” privileges on the same directory, which is not the default configuration for IIS. This issue can be mitigated through proper Web server configuration and Web application development best practices, including proper validation of user submitted file names, and by configuring Web server software so that it will not execute scripts or applications in directories where user uploaded files are stored. We would also like to note that an exploit targeting Microsoft IIS has been made publicly available. We encourage our customers to refer to the Microsoft Security Response Center (MSRC) blog post for additional information.
http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx
http://www.exploit-db.com/
We would also like to inform our customers that a report has surfaced indicating there has been “an increase in probes to port 12174.” Our analysts have also observed an increase in activity on this port. Reportedly, these probes are targeting a vulnerability in the Intel LANDesk Common Base Agent (CBA) which is used by the Symantec Alert Management System. An attacker could exploit this issue by sending a specially-crafted packet to TCP Port 12174 and execute arbitrary code on the vulnerable system. The Alert Management System 2 (AMS2) is a component of the Symantec System Center console, Symantec AntiVirus Server, and of the Symantec AntiVirus Central Quarantine Server. To mitigate against this threat, ensure the Symantec Alert Management Systems running in your environment are up-to-date.
http://isc.sans.org/diary.html?storyid=7834
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090428_02
0 Comments.