SCAN: Core Impact IIS ASP Chunked Exploit
This signature detects the CORE Impact penetration testing tool using the IIS ASP Chunked Encoding exploit against your network (this exploit is also detected by the HTTP:REQERR:REQ-MALFORMED-URL anomaly). Because CORE Impact can chain one infected computer to another, other machines in the network can already be compromised. CORE Impact can be used legitimately to perform a network security audit of your network. However, if a network security audit is not in progress, triggering this signature can indicate that a malicious attacker is using the CORE Impact tool to compromise your network.
Extended Description
A heap overflow condition in the 'chunked encoding transfer mechanism' related to Active Server Pages has been reported for Microsoft IIS (Internet Information Services). This condition affects IIS 4.0 and IIS 5.0. Exploitation of this vulnerability may result in a denial of service or allow for a remote attacker to execute arbitrary instructions on the victim host. Microsoft IIS 5.0 is reported to ship with a default script (iisstart.asp) which may be sufficient for a remote attacker to exploit. Other sample scripts may also be exploitable. A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves.
Affected Products
Cisco call_manager
Short Name
SCAN:CORE:IIS-ASP-CHUNKED
Severity
Major
Recommended
False
Recommended Action
Drop
Category
SCAN
Keywords
ASP CVE-2002-0079 Chunked Core Exploit IIS Impact bid:4485
Release Date
12/17/2004
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3724
False Positive
Unknown
Vendors
Cisco
Microsoft
CVSS Score
7.5