OVAL for CVE-2001-0151 (for Win_2K)

Tiffany Bergeron
CVE-ID: CVE-2001-0151
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0151
CVE Description: IIS 5.0 allows remote attackers to cause a denial of
service via a series of malformed WebDAV requests.
CVE Reference: XF:iis-webdav-dos(6205)
http://www.iss.net/security_center/static/6205.php

Microsoft Security Bulletin MS01-016
http://www.microsoft.com/technet/security/bulletin/MS01-016.asp
"Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources"

WebDAV (Web distributed authoring and versioning) is an extension to the
HTTP specification that enables users to manage content on a web server
remotely.  This vulnerability exists because WebDAV does not correctly
process certain PROPFIND or SEARCH requests, allowing an attacker to
temporarily disrupt web services by sending a stream of requests that
consumes all of the server's CPU.  WebDAV functionality is made possible
through httpext.dll, which is always installed with IIS 5.0.  This
vulnerability is fixed by the patch Microsoft provided in MS01-016, more
recent cumulative patches for IIS, or Windows 2000 Service Pack 2.
Disabling WebDAV is an effective workaround.  Microsoft recommends using
a patch rather than the workaround.

This is my suggestion for IIS 5.0 using the Windows 2000 schema:

OVAL-ID: OVAL90

Status: DRAFT
Date Modified: 2003-01-13
Platform: Windows 2000

SELECT 'CAN-2001-0151' FROM Placeholder WHERE EXISTS
-- ### BEGIN VULNERABLE SOFTWARE EXISTS
--
-- IIS 5.0 installed
 (SELECT 'IIS 5.0 Major Version' from Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\INetStp' AND
      EntryName = 'MajorVersion' AND
      EntryValue = '5')
AND EXISTS
 (SELECT 'IIS 5.0 Minor Version' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\INetStp' AND
      EntryName = 'MinorVersion' AND
      EntryValue = '0')
AND EXISTS
-- Affected httpext.dll versions
     -- Build the FilePath for httpext.dll by retrieving the value of
     --   SystemRoot from the registry, and concatenating it with
     --   '\System32\inetsrv\httpext.dll' (using || concat. operator):
 (SELECT 'File %windir%\System32\inetsrv\httpext.dll version < 0.9.3940.20' FROM Win2K_FileAttributes WHERE
      FilePath = ((SELECT EntryValue FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' AND
      EntryName = 'SystemRoot') || '\System32\inetsrv\httpext.dll') AND
     -- To avoid lexical (string) comparisons of file versions, the
     --   version string (e.g. '0.9.3940.20') is broken into its
     --   components, stored as numbers.
          (Version1 = 0 AND
          (Version2 < 9 OR
          (Version2 = 9 AND
          (Version3 < 3940 OR
          (Version3 = 3940 AND Version4 < 20))))))
AND NOT EXISTS
-- Patch Q291845_W2K_SP2_x86_en.EXE installed
 (SELECT 'Patch Q291845 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q291845' AND
      EntryName = 'Installed' AND
      EntryValue = '1')
AND NOT EXISTS
-- Patch Q293826_W2K_SP3_x86_EN.exe (cumulative patch from MS01-026) installed
 (SELECT 'Patch Q293826 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q293826' AND
      EntryName = 'Installed' AND
      EntryValue = '1')
AND NOT EXISTS
-- Patch Q301625_W2K_SP3_x86_EN.exe (cumulative patch from MS01-044) installed
 (SELECT 'Patch Q301625 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q301625' AND
      EntryName = 'Installed' AND
      EntryValue = '1')
AND NOT EXISTS
-- Patch Q319733_W2K_SP3_X86_EN.exe (cumulative patch from MS02-018) installed
 (SELECT 'Patch Q319733 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q319733' AND
      EntryName = 'Installed' AND
      EntryValue = '1')
AND NOT EXISTS
-- Patch Q327696_W2K_SP4_X86_EN.exe (cumulative patch from MS02-062) installed
 (SELECT 'Patch Q327696 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q327696' AND
      EntryName = 'Installed' AND
      EntryValue = '1')
AND NOT EXISTS
-- Windows 2000 Service Pack 2 (or later) installed
 (SELECT 'Windows 2000 SP2 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' AND
      EntryName = 'CSDVersion' AND
      EntryValue >= 'Service Pack 2')
-- ### END VULNERABLE SOFTWARE EXISTS
--
-- ### BEGIN VULNERABLE CONFIGURATION
AND EXISTS
-- WebDAV enabled
 (SELECT 'WebDAV Enabled' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters' AND
      EntryName = 'DisableWebDAV' AND
      EntryValue != '1')
-- ### END VULNERABLE CONFIGURATION
;

-------------------------
INSERT IDs used:
INSERT18
INSERT22
INSERT48
INSERT65
INSERT107
INSERT135
INSERT184
INSERT188
------------------------
New INSERTIDS:

INSERT48
-- httpext.dll
INSERT INTO Win2K_FileAttributes_Conf (FilePath) VALUES
('%windir%\System32\inetsrv\httpext.dll')
;

INSERT107
-- Q291845_W2K_SP2_x86_en.EXE
INSERT INTO Win2K_RegistryKeys_Conf (RegistryKey) VALUES
('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q291845')
;

INSERT188
-- WWW Services
INSERT INTO Win2K_RegistryKeys_Conf (RegistryKey) VALUES
('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters')
;
------------------------

Please provide any comments and suggestions.

Thanks,
Tiffany

Microsoft Technical Lead, MITRE's OVAL Team
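
Added example, not part of the original post or of OVAL's own tooling: the component-wise "httpext.dll version < 0.9.3940.20" test from the definition, run with Python's sqlite3 against constructed rows and contrasted with the lexical string comparison the definition's comment says it avoids. The table layout (only the columns named in the query), the sample path and the sample versions are assumptions made for illustration.

```python
import sqlite3

FIXED = "0.9.3940.20"  # threshold version used by the definition
PATH = r"C:\WINNT\System32\inetsrv\httpext.dll"  # constructed sample path

# Component-wise "version < 0.9.3940.20" test, mirroring the definition's WHERE clause.
NUMERIC_TEST = """
SELECT COUNT(*) FROM Win2K_FileAttributes WHERE FilePath = ? AND
  Version1 = 0 AND
  (Version2 < 9 OR
   (Version2 = 9 AND
    (Version3 < 3940 OR
     (Version3 = 3940 AND Version4 < 20))))
"""

def _db(version):
    """In-memory table holding one constructed httpext.dll row (assumed layout)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Win2K_FileAttributes (FilePath TEXT, Version1 INTEGER, "
               "Version2 INTEGER, Version3 INTEGER, Version4 INTEGER)")
    parts = [int(p) for p in version.split(".")]
    db.execute("INSERT INTO Win2K_FileAttributes VALUES (?,?,?,?,?)", [PATH, *parts])
    return db

def numeric_affected(version):
    """True when the numeric component test flags this file version."""
    return _db(version).execute(NUMERIC_TEST, (PATH,)).fetchone()[0] == 1

def lexical_affected(version):
    """The plain string comparison, shown only for contrast."""
    db = sqlite3.connect(":memory:")
    return db.execute("SELECT ? < ?", (version, FIXED)).fetchone()[0] == 1

def compare(versions):
    """Map each version to (numeric result, lexical result)."""
    return {v: (numeric_affected(v), lexical_affected(v)) for v in versions}

if __name__ == "__main__":
    # Constructed versions: two below the threshold, the threshold, one above it.
    samples = ["0.9.3940.19", "0.9.3940.3", "0.9.3940.20", "0.10.0.0"]
    for v, (num, lex) in compare(samples).items():
        print(f"{v:<12} numeric={num!s:<5} lexical={lex}")
```

The two methods disagree on `0.9.3940.3` (the string test misses an affected build) and on `0.10.0.0` (the string test flags a later build).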

