Rule

--
Sid
16147

--
Summary:
This event is generated when an attempt is made to exploit a known vulnerability in Internet Information Server.

--
Impact:
Denial of Service. Information disclosure. Loss of integrity. 

--
Detailed Information:
The URL parser in Microsoft Internet Information Services (IIS) 5.1 on Windows XP Professional SP2 allows remote attackers to execute arbitrary code via multiple requests to ".dll" followed by arguments such as "~0" through "~9", which causes ntdll.dll to produce a return value that is not correctly handled by IIS, as demonstrated using "/_vti_bin/.dll/*/~0".  NOTE: the consequence was originally believed to be only a denial of service (application crash and reboot).

--
Affected Systems:
Microsoft Internet Information Server 5.1

--
Attack Scenarios:


--
Ease of Attack:
Medium.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Upgrade to the latest non-affected version of the software.

Apply the appropriate vendor supplied patches.

--
Contributors:
Sourcefire Vulnerability Research Team
This document was generated from data supplied by the National Vulnerability Database. A product of the National Institute of Standards and Technology.
For more information see http://nvd.nist.gov/

--
Additional References:

NIST CVE-2005-4360:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4360
  
--
