TCP:80 - Malformed HTR Request - NT4 when remote desktop i..

[Guest]

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

When the system (WinXP with remote desktop enabled on port
80) is scanned with Retina Security scanner, a Malformed
HTR Request vulnerability is found but is specified to be
a NT4 issue. I have no NT4 machines on that port or on my
network for that matter. The description of the
vunerability is as follows:

TCP:80 - Malformed HTR Request - NT4
A vulnerability in IIS involves an unchecked buffer in the
filter DLLs for the following file types: .HTR, .STM
and .IDC files. The .htr, .STM and .IDC extensions are
used by ISAPI filters so an attacker can therefore
overflow those ISAPI filters and remotely execute code as
SYSTEM.

To correct the problem you are reffered to the following
hotfix page which specifies only NT4:
http://support.microsoft.com/support/kb/articles/Q234/9/05.
ASP

Please advise,
Just wanted to bring this to someone's attention as to
prevent any exploitaton of this.

Thanks,
Matt Curtis

 

[Guest]

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Note: Don't install that hotfix on XP... It is for IIS, but won't do
anything if you have remote desktop listening on that port (in lieu of
using the web client)...

Jeffrey Randow (Windows Networking & Smart Display MVP)
jeffreyr-support@remotenetworktechnology.com

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

On Wed, 2 Jun 2004 08:25:58 -0700, "Matt Curtis"
<matt_curtis@yaskawa.com> wrote:

>When the system (WinXP with remote desktop enabled on port
>80) is scanned with Retina Security scanner, a Malformed
>HTR Request vulnerability is found but is specified to be
>a NT4 issue. I have no NT4 machines on that port or on my
>network for that matter. The description of the
>vunerability is as follows:
>
>TCP:80 - Malformed HTR Request - NT4
>A vulnerability in IIS involves an unchecked buffer in the
>filter DLLs for the following file types: .HTR, .STM
>and .IDC files. The .htr, .STM and .IDC extensions are
>used by ISAPI filters so an attacker can therefore
>overflow those ISAPI filters and remotely execute code as
>SYSTEM.
>
>To correct the problem you are reffered to the following
>hotfix page which specifies only NT4:
>http://support.microsoft.com/support/kb/articles/Q234/9/05.
>ASP
>
>Please advise,
>Just wanted to bring this to someone's attention as to
>prevent any exploitaton of this.
>
>Thanks,
>Matt Curtis

 

[Guest]

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Have you run this by the folks at eEye?

Sounds like a false postive to me, but it'd be good to have an
acknowledgement from them.


"Matt Curtis" <matt_curtis@yaskawa.com> wrote in message
news:174b501c448b5$e7ad47f0$a101280a@phx.gbl...
> When the system (WinXP with remote desktop enabled on port
> 80) is scanned with Retina Security scanner, a Malformed
> HTR Request vulnerability is found but is specified to be
> a NT4 issue. I have no NT4 machines on that port or on my
> network for that matter. The description of the
> vunerability is as follows:
>
> TCP:80 - Malformed HTR Request - NT4
> A vulnerability in IIS involves an unchecked buffer in the
> filter DLLs for the following file types: .HTR, .STM
> and .IDC files. The .htr, .STM and .IDC extensions are
> used by ISAPI filters so an attacker can therefore
> overflow those ISAPI filters and remotely execute code as
> SYSTEM.
>
> To correct the problem you are reffered to the following
> hotfix page which specifies only NT4:
> http://support.microsoft.com/support/kb/articles/Q234/9/05.
> ASP
>
> Please advise,
> Just wanted to bring this to someone's attention as to
> prevent any exploitaton of this.
>
> Thanks,
> Matt Curtis