GRNET-CERT
Suggested Guidelines Against Sadmind/IIS Worm
This new piece of self-propagating malicious code (referred to as the sadmind/IIS
worm) affects systems running:
The worm uses two well-known vulnerabilities to compromise systems and
deface web pages.
To compromise the Solaris systems, the worm takes advantage of a buffer
overflow vulnerability in the Solstice sadmind program. For more information on
this vulnerability, see
- http://www.kb.cert.org/vuls/id/28934
- http://www.cert.org/advisories/CA-1999-16.html
After successfully compromising the Solaris systems, it uses a directory
traversal vulnerability in IIS (extended Unicode in the URL, MS00-078) to
compromise the IIS systems. For additional information about this
vulnerability, see
- http://www.kb.cert.org/vuls/id/111677
Solaris systems compromised by this worm are being used to scan and
compromise other Solaris and IIS systems. IIS systems compromised by this worm
can suffer modified web content.
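The IIS weakness named above is a canonicalization-order bug: the server checked a request path for ".." escapes before it decoded overlong UTF-8 sequences such as %c0%af (an overlong encoding of "/"), so the check never saw the traversal. The following Python script is an added example, not part of the GRNET-CERT or CERT/CC text, that shows the defender's side of this: it decodes request paths the permissive way, flags overlong sequences, and reports requests whose canonical path climbs above the web root. The log lines are constructed for the example and the log layout is an assumption; adapt the field split to your server's log format.

```python
"""Flag extended-Unicode directory traversal attempts in web server logs.

Added example (not from the advisory). Demonstrates why a check that runs on
the raw or strictly-decoded path misses overlong-encoded '..%c0%af..' while a
check on the leniently decoded path catches it.
"""
from typing import Dict, List, Tuple
from urllib.parse import unquote, unquote_to_bytes

# Constructed sample log lines: "date time client method path status".
SAMPLE_LOG = """\
2001-05-08 10:12:01 10.0.0.5 GET /default.htm 200
2001-05-08 10:12:05 10.0.0.7 GET /scripts/..%c0%af../winnt/win.ini 200
2001-05-08 10:12:09 10.0.0.7 GET /scripts/..%c1%9c../winnt/win.ini 200
2001-05-08 10:12:11 10.0.0.9 GET /scripts/../../winnt/win.ini 404
2001-05-08 10:12:15 10.0.0.5 GET /images/logo.gif 200
"""


def lenient_utf8_decode(data: bytes) -> Tuple[str, bool]:
    """Decode like a permissive decoder that accepts overlong 2- and 3-byte
    forms (the behaviour that made the flaw exploitable).
    Returns (text, saw_overlong)."""
    out: List[str] = []
    overlong = False
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            overlong = overlong or cp < 0x80      # e.g. %c0%af -> '/', %c1%9c -> '\'
            out.append(chr(cp))
            i += 2
        elif (0xE0 <= b <= 0xEF and i + 2 < len(data)
              and all(0x80 <= x <= 0xBF for x in data[i + 1:i + 3])):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            overlong = overlong or cp < 0x800
            out.append(chr(cp))
            i += 3
        else:
            out.append("\ufffd")                  # invalid byte: keep going
            i += 1
    return "".join(out), overlong


def canonical_depth(path: str) -> int:
    """Lowest directory depth reached while walking the path; a negative
    value means the request climbed above the web root."""
    depth = min_depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            min_depth = min(min_depth, depth)
        elif seg not in ("", "."):
            depth += 1
    return min_depth


def naive_traversal_check(raw_path: str) -> bool:
    """The flawed order: a strict decoder turns overlong bytes into U+FFFD,
    so the '..' segments are never recognised. Kept for comparison."""
    return canonical_depth(unquote(raw_path.split("?", 1)[0])) < 0


def analyze_request(raw_path: str) -> Dict[str, object]:
    """Decode first (leniently), then check the canonical path."""
    decoded, overlong = lenient_utf8_decode(unquote_to_bytes(raw_path.split("?", 1)[0]))
    return {"decoded": decoded, "overlong": overlong,
            "traversal": canonical_depth(decoded) < 0}


def scan_log(text: str) -> List[Tuple[str, str, Dict[str, object]]]:
    """Return (client, raw_path, analysis) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        client, path = parts[2], parts[4]
        info = analyze_request(path)
        if info["traversal"] or info["overlong"]:
            hits.append((client, path, info))
    return hits


if __name__ == "__main__":
    for client, path, info in scan_log(SAMPLE_LOG):
        print(f"{client} {path} -> {info['decoded']} "
              f"(overlong={info['overlong']}, traversal={info['traversal']})")
```

Running the script over the constructed log reports the two overlong-encoded requests from 10.0.0.7 and the plain ../ attempt from 10.0.0.9; naive_traversal_check() catches only the last of these. The design point is that any path check must run on exactly the representation the filesystem will see, which means decoding (and rejecting overlong forms) before checking, never after.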
Suggested Solutions
Apply a patch from your vendor
A patch is available from Microsoft at
- http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
For IIS Version 4:
- http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
For IIS Version 5:
- http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp
Additional advice on securing IIS web servers is available from
- http://www.microsoft.com/technet/security/iis5chk.asp
- http://www.microsoft.com/technet/security/tools.asp
Apply a patch from Sun Microsystems as described in Sun Security Bulletin
#00191:
- http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba
References
- Vulnerability Note VU#111677: Microsoft IIS 4.0 / 5.0 vulnerable to
directory traversal via extended unicode in url (MS00-078)
http://www.kb.cert.org/vuls/id/111677
- CERT Advisory CA-1999-16: Buffer Overflow in Sun Solstice AdminSuite
Daemon sadmind
http://www.cert.org/advisories/CA-1999-16.html
Authors:
Chad Dougherty, Shawn Hernan, Jeff Havrilla, Jeff Carpenter, Art Manion, Ian
Finlay, John Shaffer
NOTE: The source of this document and more information is available from:
http://www.cert.org/advisories/CA-2001-11.html