COMMAND

    IIS

SYSTEMS AFFECTED

    Win NT running IIS

PROBLEM

    David  Litchfield  found  following.   As  most  of  you  may know
    getdrvrs.exe  in  the  drive:\inetpub\scripts\tools\  directory is
    used  to  create  an  ODBC  database  source  on IIS.  Let's say a
    malicious hacker followed  the following url  and selected as  his
    driver Microsoft Access (*.mdb).

        http://www.company.com/scripts/tools/getdrvrs.exe

    The file he creates does not have the *.mdb file extension. He can
    use *.exe and  create a file  called test.exe in  any directory he
    wants.  Now, assuming he doesn't  put a path in, test.exe will  be
    created in the  /scripts directory.   The hacker then  follows the
    following url:

        http://www.company.com/scripts/test.exe

    IIS will try and run  the ".exe" and launch ntvdm.exe  and because
    test.exe does not stop "executing" neither does the ntvdm process.
    If  the  attacker  keeps  on  refreshing  the browser a new VDM is
    launched....it does not take long  for the server's memory to  run
    dry of both physical and virtual memory.

SOLUTION

    The admin can end these processes no problem from the task manager
    but it's still  not a great  thing having your  server run out  of
    RAM.   Use  NTFS  file  permissions  to  stop  access to sensitive
    directories and files for the IUSR_<computer-name> account or  the
    group you have assigned this account to...