[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] MS03-029 / Q823803 and not-only-RRAS Problems

To: <full-disclosure@lists.netsys.com>
Subject: [Full-Disclosure] MS03-029 / Q823803 and not-only-RRAS Problems
From: "Daniele Muscetta" <daniele@muscetta.com>
Date: Sat, 9 Aug 2003 22:44:15 +0200 (W. Europe Daylight Time)


>> Microsoft is aware of a problem with the recently released
>> security patch MS03-029 [...]
>> Specifically there is a problem with the patch when installed
>> on systems that are also running RRAS (Routing and Remote
>> Access Service) that causes the RRAS Service to fail when the
>> system is rebooted after applying the patch.



I have actually reported to Microsoft a similar flaw with the same
patch. In my case, tough, the service that does not start is the "Web
Proxy" component of Microsoft Proxy Server 2.0, when running in IIS3 (it
actually looks like the problem is indeed IIS3, which is not supported
anymore, while it does not happen with IIS4).

Microsoft Support gave me the hotfix released for the RRAS problem, and
that fixed this issue too. Thanks!

I would not be surprised of seeing them releasing an updated bullettin
stating that RRAS is not anymore the only service affected, but Proxy is
affected too. I actually hope they would do that soon, since I notified
them that the hotfix works.

Here is a description of the problem that was happening - AGAIN, the
hotfix released for the RRAS problem has fixed this problem too!


On a machine with Microsoft Proxy Server 2.0 running into IIS3, the "Web
Proxy" service would not start.
I am talking of NT Server 4.0 SP6a with most security hotfixes, and
Microsoft Proxy Server 2.0 SP1.

The "World Wide Web Publishing Service" starts, but from Internet
service manager the "Web Proxy" module appears as Not Running, and the
EventLog reports an Event ID 100 stating that it cannot logon user
"". I looked at the property of the WWW Service in Internet Service
Manager, where the field "User" (for Anonymous Authentication) is indeed
EMPTY, instead of containing the usual IUSR_SERVERNAME (here is the ""
user!). But, funny enough, the value with the correct user name IS
written in the registry
(HKLM/System/CurrentControlSet/Services/W3SVC/Parameters ....). It's
still IIS3, then it is in the registry, it does not have a
metabase. But this value DOES not get read !!
Uninstalling the original patch (as for the RRAS issue - btw there is no
need to manually replace the file, since there is an UNINSTALL
feature...), the service works again, and the user is correctly
displayed.

I KNOW that the vulnerability is considered "Moderate" since no native
service can expose it remotely.
On the other hand, on the very same machine a third-party SMTP
Virus-Scanning product is also installed, which MIGHT make use of the
"dangerous" API, and expose the flaw remotely.... very remote
possibility, but still I like to have my systems patched.... maybe a
maliciously crafted mail could trigger the vulnerability (?worst case
scenario?), like in a bug of sendmail of some time ago.....


Hope this might be interesting for you to know. Anyway, in my case the
hotfix from PSS solved the problem, and it looks stable, thus I am
expecting to see soon the "final" patch being released.

With Best Regards,

Daniele Muscetta



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: [Full-Disclosure] FWD: [teso-announce] new release: objobf 0.5
Next by Date: [Full-Disclosure] [SECURITY] [DSA-361-2] New kdelibs-crypto packages fix multiple vulnerabilities
Prev by thread: [Full-Disclosure] FWD: [teso-announce] new release: objobf 0.5
Next by thread: [Full-Disclosure] [SECURITY] [DSA-361-2] New kdelibs-crypto packages fix multiple vulnerabilities
Index(es):
- Date
- Thread