OVAL for CVE-2000-0886 (for Win_2K)


Tiffany Bergeron
CVE-ID: CVE-2000-0886
CVE Description: IIS 5.0 allows remote attackers to execute arbitrary
commands via a malformed request for an executable file whose name is
appended with operating system commands, aka the "Web Server File
Request Parsing" vulnerability.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0886

Microsoft Security Bulletin (MS00-086)
http://www.microsoft.com/technet/security/bulletin/MS00-086.asp

This IIS vulnerability involves the way IIS interprets requests for
files, and enables an attacker to execute commands on a web server.
Operating system commands contained in a request for an executable file
are passed on to the operating system by IIS, causing those commands to
be executed on the server.  This vulnerability is fixed by the patch
Microsoft provided in MS00-086, more recent cumulative patches for IIS,
or Windows 2000 Service Pack 2.

OVAL-ID: OVAL191

Status: DRAFT
Date Modified: 2003-01-15
Platform: Windows 2000

Query Synopsis:
-- Vulnerable software exists
   o IIS 5.0 installed
   o Affected w3svc.dll versions
   o Patch Q277873_W2K_SP2_x86_EN.exe not installed
   o Patch Q293826_W2K_SP3_x86_EN.exe not installed
   o Patch Q301625_W2K_SP3_x86_EN.exe not installed
   o Patch Q319733_W2K_SP3_X86_EN.exe not installed
   o Patch Q327696_W2K_SP4_X86_EN.exe not installed
   o Windows 2000 Service Pack 2 (or later) not installed

SELECT 'CAN-2000-0886' FROM Placeholder WHERE EXISTS
-- ### BEGIN VULNERABLE SOFTWARE EXISTS
--
-- IIS 5.0 installed
 (SELECT 'IIS 5.0 Major Version' from Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\INetStp' AND
      EntryName = 'MajorVersion' AND
      EntryValue = '5')
AND EXISTS
 (SELECT 'IIS 5.0 Minor Version' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\INetStp' AND
      EntryName = 'MinorVersion' AND
      EntryValue = '0')
AND EXISTS
-- Affected w3svc.dll versions
     -- Build the FilePath for w3svc.dll by retrieving the value of
     --   SystemRoot from the registry, and concatenating it with
     --   '\System32\inetsrv\w3svc.dll' (using || concat. operator):
 (SELECT 'File %windir%\System32\inetsrv\w3svc.dll version < 5.0.2195.2784'
      FROM Win2K_FileAttributes WHERE
      FilePath = ((SELECT EntryValue FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' AND
      EntryName = 'SystemRoot') || '\System32\inetsrv\w3svc.dll') AND
     -- To avoid lexical (string) comparisons of file versions, the
     --   version string (e.g. '5.0.2195.2784') is broken into its
     --   components, stored as numbers.
          (Version1 < 5 OR
          (Version1 = 5 AND Version2 = 0 AND
          (Version3 < 2195 OR
          (Version3 = 2195 AND Version4 < 2784)))))
AND NOT EXISTS
-- Patch Q277873_W2K_SP2_x86_EN.exe installed
 (SELECT 'Patch Q277873 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q277873' AND
      EntryName = 'Installed' AND
      EntryValue = '1')
AND NOT EXISTS
-- Patch Q293826_W2K_SP3_x86_EN.exe (cumulative patch from MS01-026) installed
 (SELECT 'Patch Q293826 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q293826' AND
      EntryName = 'Installed' AND
      EntryValue = '1')
AND NOT EXISTS
-- Patch Q301625_W2K_SP3_x86_EN.exe (cumulative patch from MS01-044) installed
 (SELECT 'Patch Q301625 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q301625' AND
      EntryName = 'Installed' AND
      EntryValue = '1')
AND NOT EXISTS
-- Patch Q319733_W2K_SP3_X86_EN.exe (cumulative patch from MS02-018) installed
 (SELECT 'Patch Q319733 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q319733' AND
      EntryName = 'Installed' AND
      EntryValue = '1')
AND NOT EXISTS
-- Patch Q327696_W2K_SP4_X86_EN.exe (cumulative patch from MS02-062) installed
 (SELECT 'Patch Q327696 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q327696' AND
      EntryName = 'Installed' AND
      EntryValue = '1')
AND NOT EXISTS
-- Windows 2000 Service Pack 2 (or later) installed
 (SELECT 'Windows 2000 SP2 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' AND
      EntryName = 'CSDVersion' AND
      EntryValue >= 'Service Pack 2')
-- ### END VULNERABLE SOFTWARE EXISTS
--
-- ### BEGIN VULNERABLE CONFIGURATION
-- ### END VULNERABLE CONFIGURATION
;

-------------------------
INSERT IDs used:
INSERT5
INSERT18
INSERT22
INSERT59
INSERT65
INSERT80
INSERT135
INSERT184
-------------------------
New INSERTID:

INSERT5
-- Q277873_W2K_SP2_x86_EN.exe
INSERT INTO Win2K_RegistryKeys_Conf (RegistryKey) VALUES
('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q277873')
;
-------------------------

Please provide comments.

Thanks,
Tiffany

Microsoft Technical Lead, MITRE's OVAL Team
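
The following is an added example, not part of the original post or the OVAL project's own tooling: it runs a condensed form of the draft query (IIS major version, w3svc.dll version, one hotfix, service pack) in SQLite against constructed host data, to show how the EXISTS / NOT EXISTS tests combine. The column types, the `C:\WINNT` SystemRoot, the sample hosts and the use of SQLite as the database are assumptions.

```python
import sqlite3

# Constructed schema: table and column names follow the query above; types are assumed.
SCHEMA = """
CREATE TABLE Placeholder (x INTEGER);
INSERT INTO Placeholder VALUES (1);
CREATE TABLE Win2K_RegistryKeys (RegistryKey TEXT, EntryName TEXT, EntryValue TEXT);
CREATE TABLE Win2K_FileAttributes
  (FilePath TEXT, Version1 INT, Version2 INT, Version3 INT, Version4 INT);
"""
CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
INETSTP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\INetStp"

# Condensed draft query: IIS 5.x present, old w3svc.dll, no Q277873, no SP2 or later.
QUERY = rf"""
SELECT 'CAN-2000-0886' FROM Placeholder WHERE EXISTS
 (SELECT 1 FROM Win2K_RegistryKeys WHERE RegistryKey = '{INETSTP}'
   AND EntryName = 'MajorVersion' AND EntryValue = '5')
AND EXISTS
 (SELECT 1 FROM Win2K_FileAttributes WHERE
   FilePath = ((SELECT EntryValue FROM Win2K_RegistryKeys WHERE RegistryKey = '{CV}'
                AND EntryName = 'SystemRoot') || '\System32\inetsrv\w3svc.dll')
   AND (Version1 < 5 OR (Version1 = 5 AND Version2 = 0 AND
       (Version3 < 2195 OR (Version3 = 2195 AND Version4 < 2784)))))
AND NOT EXISTS
 (SELECT 1 FROM Win2K_RegistryKeys WHERE RegistryKey = '{CV}\Hotfix\Q277873'
   AND EntryName = 'Installed' AND EntryValue = '1')
AND NOT EXISTS
 (SELECT 1 FROM Win2K_RegistryKeys WHERE RegistryKey = '{CV}'
   AND EntryName = 'CSDVersion' AND EntryValue >= 'Service Pack 2')
"""

def evaluate(w3svc_version, registry=()):
    """Return True if a constructed host matches the vulnerable-software test.

    w3svc_version is a 4-tuple of ints; registry is extra (key, name, value) rows.
    A constructed build such as 5.0.2195.10000 sorts before 5.0.2195.2784 as a
    string, which is why the query compares the four components as numbers.
    """
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    rows = [(INETSTP, "MajorVersion", "5"), (INETSTP, "MinorVersion", "0"),
            (CV, "SystemRoot", r"C:\WINNT"), *registry]
    db.executemany("INSERT INTO Win2K_RegistryKeys VALUES (?,?,?)", rows)
    db.execute("INSERT INTO Win2K_FileAttributes VALUES (?,?,?,?,?)",
               (r"C:\WINNT\System32\inetsrv\w3svc.dll", *w3svc_version))
    return db.execute(QUERY).fetchone() is not None
```
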

