IBM Security Server Protection for Windows, Proventia Network IDS, Proventia Network MFS, Proventia-G 1.1 and earlier, RealSecure Server Sensor, RealSecure Network, BlackICE Server Protection, BlackICE PC Protection, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:
This signature detects HTTP URLs that contain a ~ (tilde) followed by a digit.
Any request to a vulnerable server for a URL that contains ~#, where # is any digit, will cause this signature to trigger. Servers are assumed vulnerable until we see evidence that they're not.
ISS X-Force believes it to be highly unlikely, although remotely possible, that this vulnerability could be entirely exploited via the Internet. In such a case, accurate detection and association of the setup prior to seeing the pattern associated with this event is not possible.
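The trigger condition described above (a URL containing ~ followed by a digit) can also be checked retrospectively in web server logs. The following is an added example, not IBM's signature logic or code from this page: it assumes IIS W3C extended log format with a `#Fields:` header, inspects only `cs-uri-stem`, and additionally percent-decodes the URL so that `%7E` is treated as `~`, which goes beyond what the signature description states. The log lines and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format (not from the original page).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-07-10 10:00:01 192.0.2.10 GET /index.html - 200
2007-07-10 10:00:02 192.0.2.11 GET /scripts/~1/app.dll - 500
2007-07-10 10:00:03 192.0.2.12 GET /~alice/notes.txt - 200
2007-07-10 10:00:04 192.0.2.13 GET /docs/%7E0/readme.htm - 404
2007-07-10 10:00:05 192.0.2.14 GET /reports/q~a2.htm - 200
"""

# The pattern named in the signature description: a tilde followed by a digit.
TILDE_DIGIT = re.compile(r"~[0-9]")


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so %7E and %257E both become '~' (assumption)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_tilde_digit_requests(log_text):
    """Return (client_ip, raw_uri) for requests whose URL has '~' then a digit."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue  # skip blanks, other directives, and rows before a header
        row = dict(zip(fields, line.split()))
        uri = row.get("cs-uri-stem", "")
        if TILDE_DIGIT.search(decode_fully(uri)):
            hits.append((row.get("c-ip", "?"), uri))
    return hits


if __name__ == "__main__":
    for ip, uri in find_tilde_digit_requests(SAMPLE_LOG):
        print(f"ALERT tilde-digit URL from {ip}: {uri}")
```

Requests such as `/~alice/notes.txt` are not flagged because the tilde is not followed by a digit, which is the main source of benign tilde URLs on servers hosting user directories.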
High
IBM Security Server Protection for Windows: 1.0.914.2070, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Network IDS: XPU 27.060, Proventia Network MFS: XPU 27.060, Proventia-G 1.1 and earlier: XPU 27.060, RealSecure Server Sensor: XPU 27.060, RealSecure Network: XPU 27.060, BlackICE Server Protection: 3.6.cqm, BlackICE PC Protection: 3.6cqm, Proventia Desktop: 2070, Proventia Network IPS: XPU 27.060, Proventia Server IPS for Linux technology: 27.060, Virtual Server Protection for VMware: 1.0
Microsoft Windows XP: SP2, Microsoft Internet Information Server: 5.1
Unauthorized Access Attempt
Microsoft Internet Information Services (IIS) is vulnerable to a buffer overflow in the URL parser. By sending a specially-crafted URL request to a Web site running on IIS, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the Web server to crash.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS07-041. See References.
Microsoft Security Bulletin MS07-041
Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution (939373)
http://www.microsoft.com/technet/security/Bulletin/MS07-041.mspx
BugTraq Mailing List, Fri Dec 16 2005 - 17:46:11 CST
Microsoft IIS Remote Denial of Service (DoS) .DLL Url exploit
http://archives.neohapsis.com/archives/bugtraq/2005-12/0212.html
IBM Internet Security Systems Protection Alert July 10, 2007
Microsoft Internet Information Services Remote Code Execution
http://www.iss.net/threats/268.html
HPSBST02243 SSRT071446 rev.1
Storage Management Appliance (SMA), Microsoft Patch Applicability MS07-036 to MS07-041
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01112990&jumpid=reg_R1002_USEN
ISS X-Force
Microsoft Internet Information Services URL parser buffer overflow
http://www.iss.net/security_center/static/35197.php
CVE
CVE-2005-4360
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4360