Thread: IIS Patch announcement

  1. #1
    souleman (AntiOnline Senior Member)
    Join Date: Oct 2001
    Location: Flint, MI
    Posts: 2,883

    IIS Patch announcement

    Got this from Bugtraq from someone who got it from Microsoft. Anyway, kinda long, but with 10 new vulnerabilities...


    ----------------------------------------------------------------------
    Title: Cumulative Patch for Internet Information Services
    (Q319733)
    Date: 10 April 2002
    Software: Microsoft Internet Information Server 4.0,
    Microsoft Internet Information Services 5.0,
    Microsoft Internet Information Services 5.1
    Impact: Ten new vulnerabilities, the most serious of which
    could enable code of an attacker's choice to be run
    on a server.
    Max Risk: High
    Bulletin: MS02-018

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/sec.../MS02-018.asp.
    ----------------------------------------------------------------------

    Issue:
    ======
    This patch is a cumulative patch that includes the functionality of
    all security patches released for IIS 4.0 since Windows NT 4.0
    Service Pack 6a, and all security patches released to date for IIS
    5.0 and 5.1. A complete listing of the patches superseded by this
    patch is provided below, in the section titled "Additional
    information about this patch". Before applying the patch, system
    administrators should take note of the caveats discussed in the
    same section.

    In addition to including previously released security patches,
    this patch also includes fixes for the following newly
    discovered security vulnerabilities affecting IIS 4.0, 5.0 and/or
    5.1:

    - A buffer overrun vulnerability involving the operation of
    the chunked encoding transfer mechanism via Active Server
    Pages in IIS 4.0 and 5.0. An attacker who exploited this
    vulnerability could overrun heap memory on the system, with
    the result of either causing the IIS service to fail or
    allowing code to be run on the server.
    - A Microsoft-discovered vulnerability that is related to the
    preceding one, but which lies elsewhere within the ASP data
    transfer mechanism. It could be exploited in a similar manner
    as the preceding vulnerability, and would have the same scope.
    However, it affects IIS 4.0, 5.0, and 5.1.
    - A buffer overrun involving how IIS 4.0, 5.0 and 5.1 process
    HTTP header information in certain cases. IIS performs a
    safety check prior to parsing the fields in HTTP headers, to
    ensure that expected delimiter fields are present and in
    reasonable places. However, it is possible to spoof the check,
    and convince IIS that the delimiters are present even when they
    are not. This flaw could enable an attacker to create an URL
    whose HTTP header field values would overrun a buffer used to
    process them.
    - A Microsoft-discovered buffer overrun vulnerability in IIS 4.0,
    5.0 and 5.1 that results from an error in safety check that
    is performed during server-side includes. In some cases, a user
    request for a web page is properly processed by including the
    file into an ASP script and processing it. Prior to processing
    the include request, IIS performs an operation on the user-
    specified file name, designed to ensure that the file name is
    valid and sized appropriately to fit in a static buffer. However,
    in some cases it could be possible to provide a bogus, extremely
    long file name in a way that would pass the safety check, thereby
    resulting in a buffer overrun.
    - A buffer overrun affecting the HTR ISAPI extension in IIS 4.0
    and 5.0. By sending a series of specially malformed HTR
    requests, it could be possible to either cause the IIS service to
    fail or, under a very difficult operational scenario, to cause
    code to run on the server.
    - A denial of service vulnerability involving the way IIS 4.0,
    5.0, and 5.1 handle an error condition from ISAPI filters.
    At least one ISAPI filter (which ships as part of FrontPage
    Server Extensions and ASP.NET), and possibly others, generate
    an error when a request is received containing an URL that
    exceeds the maximum length set by the filter. In processing
    this error, the filter replaces the URL with a null value. A
    flaw results because IIS attempts to process the URL in the course
    of sending the error message back to the requester, resulting in
    an access violation that causes the IIS service to fail.
    - A denial of service vulnerability involving the way the FTP
    service in IIS 4.0, 5.0 and 5.1 handles a request for the status
    of the current FTP session. If an attacker were able to establish
    an FTP session with an affected server, and levied a status
    request that created a particular error condition, a flaw in the
    FTP code would prevent it from correctly reporting the error.
    Other code within the FTP service would then attempt to use
    uninitialized data, with an access violation as the result. This
    would result in the disruption of not only FTP services, but also
    of web services.
    - A trio of Cross-Site Scripting (CSS) vulnerabilities affecting
    IIS 4.0, 5.0 and 5.1: one involving the results page that's
    returned when searching the IIS Help Files, one involving HTTP
    error pages; and one involving the error message that's returned
    to advise that a requested URL has been redirected. All of these
    vulnerabilities have the same scope and effect: an attacker who
    was able to lure a user into clicking a link on his web site
    could relay a request containing script to a third-party web
    site running IIS, thereby causing the third-party site's response
    (still including the script) to be sent to the user. The script
    would then render using the security settings of the third-party
    site rather than the attacker's.


    Mitigating Factors:
    ====================
    Buffer overrun in Chunked Encoding transfer:
    - On default installations of IIS 5.0 and 5.1, exploiting the
    vulnerability to run code would grant the attacker the privileges
    of the IWAM_computername account, which has only the privileges
    commensurate with those of an interactively logged-on
    unprivileged user.
    - The vulnerability requires that Active Server Pages (ASP) be
    enabled on the system in order to be exploited. Version 1.0 of
    the IIS Lockdown Tool removes ASP by default, and the current
    version (version 2.1) removes it by default if Static Web Server
    has been selected.
    - The URLScan tool can be configured to prevent chunked encoding
    requests. If this has been done, the vulnerability could not be
    exploited.

    Microsoft-discovered variant of Chunked Encoding buffer overrun:
    - This vulnerability is subject to exactly the same mitigating
    factors as the buffer overrun in the Chunked Encoding transfer,
    with one exception. The URLScan tool could not be used to protect
    against the vulnerability.

    Buffer Overrun in HTTP header handling:
    - On default installations of IIS 5.0 and 5.1, exploiting the
    vulnerability to run code would grant the attacker the
    privileges of the IWAM_computername account, which has only
    the privileges commensurate with those of an interactively
    logged-on unprivileged user.
    - The vulnerability requires that Active Server Pages (ASP) be
    enabled on the system in order to be exploited. Version 1.0
    of the IIS Lockdown Tool removes ASP by default, and the
    current version (version 2.1) removes it by default if
    Static Web Server has been selected.
    - The URLScan tool's default ruleset would likely limit the
    attacker to using this vulnerability for denial of service
    attacks only.

    Buffer Overrun in ASP Server-Side Include Function:
    - On default installations of IIS 5.0 and 5.1, exploiting the
    vulnerability to run code would grant the attacker the privileges
    of the IWAM_computername account, which has only the privileges
    commensurate with those of an interactively logged-on user.
    - The vulnerability requires that Active Server Pages (ASP) be
    enabled on the system in order to be exploited. Version 1.0
    of the IIS Lockdown Tool removes ASP by default, and the current
    version (version 2.1) removes it by default if Static Web Server
    has been selected.
    - The URLScan tool's default ruleset would likely limit the
    attacker to using this vulnerability for denial of service
    attacks only.

    Buffer overrun in HTR ISAPI extension:
    - Microsoft has long recommended disabling the HTR ISAPI extension.
    Systems on which this has been done would be at no risk from the
    vulnerability. (All versions of the IIS Lockdown Tool disable HTR
    support by default).
    - The URLScan tool, if using its default ruleset, would prevent
    this vulnerability from being exploited to run code on the server
    even if HTR support was enabled.
    - The vulnerability could only be used to run code on the server if
    the attacker knew the locations of certain information in memory.
    In practice, the most likely such situation would occur if the
    web server had never served any web content since being rebooted.
    In all other cases, it would only be possible to use the
    vulnerability for denial of service attacks.
    - On default installations of IIS 5.0 and 5.1, exploiting the
    vulnerability to run code would grant the attacker the privileges
    of the IWAM_computername account, which has only the privileges
    commensurate with those of an interactively logged-on user.
    - If the vulnerability were used in a denial of service attack,
    normal operation could be restored on an IIS 4.0 server by
    restarting the IIS service; on IIS 5.0 and higher, the service
    would automatically restart itself.

    Access violation in URL error handling:
    - An IIS 4.0 server could be put back into normal operation by
    restarting the service. An IIS 5.0 or 5.1 server would
    automatically restart the service.
    - The vulnerability could only be used for denial of service
    attacks. There is no capability to use the vulnerability to gain
    privileges on the system.
    - The sole ISAPI filter known to generate the error that results in
    the access violation ships only as part of FrontPage Server
    Extensions and ASP.NET. ASP.NET is not installed by default, and
    FPSE can be uninstalled if desired.

    Denial of service via FTP Status request:
    - The IIS Lockdown Tool disables FTP support by default.
    - An IIS 4.0 server could be put back into normal operation by
    restarting the service. An IIS 5.0 or 5.1 server would
    automatically restart the service.
    - The vulnerability could only be used for denial of service
    attacks. There is no capability to use the vulnerability to gain
    privileges on the system.

    Cross-site Scripting in IIS Help File search facility, HTTP Error
    Page, and Redirect Response message:
    - The vulnerabilities could only be exploited if the attacker could
    entice another user into visiting a web page and clicking a link
    on it, or opening an HTML mail.
    - The Redirect Response vulnerability could only be exploited if
    the user was running a browser other than Internet Explorer. IE
    does not actually render the text in the Redirect Response, but
    instead recognizes it by its response header and processes the
    redirect without displaying any text.


    Risk Rating:
    ============
    - Internet systems: Critical
    - Intranet systems: Critical
    - Client systems: Critical

    Patch Availability:
    ===================
    - A patch is available to fix this vulnerability. Please read the
    Security Bulletin at
    http://www.microsoft.com/technet/sec...n/ms02-018.asp
    for information on obtaining this patch.

    Acknowledgment:
    ===============
    - eEye Digital Security (http://www.eeye.com) for reporting the
    buffer overrun in the ASP chunked encoding implementation.
    - Entrust Technologies (http://www.entrust.com) for reporting the
    buffer overrun affecting the HTTP header handling.
    - Chris Wysopal of @Stake (http://www.atstake.com) and Peter
    Grundl of KPMG for reporting the buffer overrun in the HTR
    ISAPI extension and the access violation in URL error handling.
    - Joe Smith (jsm1th@hotmail.com) and zenomorph
    (admin@cgisecurity.com) of http://www.cgisecurity.com for
    reporting the cross-site scripting vulnerability in the IIS
    Help File search facility.
    - Keigo Yamazaki of the LAC SNS Team
    (http://www.lac.co.jp/security/) for reporting the
    cross-site scripting vulnerability affecting redirect
    response messages.
    - Thor Larholm of Jubii A/S for reporting the cross-site scripting
    vulnerability affecting HTTP error pages.
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman
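As an added illustration (not part of the post, and not Microsoft's URLScan code), here is a small request pre-filter in Python that applies the three URLScan-style rules the bulletin's mitigations lean on: refuse chunked transfer encoding, refuse the .htr extension, and cap URL length so an over-long URL never reaches an ISAPI filter. The policy values, the host name and the sample requests are all constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed policy modelled on the mitigations the bulletin lists:
# refuse chunked transfers (the ASP chunked-encoding overruns), refuse
# the HTR ISAPI extension, and cap URL length so an over-long URL never
# reaches an ISAPI filter that mishandles the resulting error.
POLICY = {
    "allow_verbs": {"GET", "HEAD", "POST"},
    "deny_extensions": {".htr"},
    "deny_headers": {"transfer-encoding"},
    "max_url": 260,  # assumed cap; pick one below your filters' own limits
}

def check_request(raw: str, policy: dict = POLICY) -> tuple[bool, str]:
    """Screen one raw HTTP/1.x request head. Returns (allowed, reason)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    verb, target, _version = parts
    if verb not in policy["allow_verbs"]:
        return False, f"verb {verb} not allowed"
    if len(target) > policy["max_url"]:
        return False, f"URL longer than {policy['max_url']} bytes"
    # Decode once before checking, so %2E-style encoding cannot hide an extension.
    path = unquote(target.split("?", 1)[0]).lower()
    ext = posixpath.splitext(path)[1]
    if ext in policy["deny_extensions"]:
        return False, f"extension {ext} denied"
    for line in lines[1:]:
        if ":" not in line:
            # Every header must carry its delimiter; never guess one for it.
            return False, "malformed header line"
        name = line.split(":", 1)[0].strip().lower()
        if name in policy["deny_headers"]:
            return False, f"header {name} denied"
    return True, "ok"

# Constructed sample requests; example.test is a reserved name, not a real host.
SAMPLES = {
    "plain": "GET /default.asp HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "chunked": ("POST /upload.asp HTTP/1.1\r\nHost: www.example.test\r\n"
                "Transfer-Encoding: chunked\r\n\r\n"),
    "htr": "GET /change%2Ehtr HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "long": "GET /" + "a" * 300 + " HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
}
```

Run `check_request` over each entry in `SAMPLES`: only the plain request passes, and each of the other three is rejected with the rule that caught it.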

  2. #2
    KorpDeath (Priapistic Monk)
    Join Date: Dec 2001
    Posts: 2,628
    See this article - http://www.vnunet.com/News/1130836

    "Install the patch, but be careful because there may be a number of issues, so back everything up first," said Mark Read, network security analyst at MIS Corporate Defence Solutions.
    Gotta love it.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  3. #3
    souleman (AntiOnline Senior Member)
    Join Date: Oct 2001
    Location: Flint, MI
    Posts: 2,883
    Hey korp> your posts are at 1234...kinda cool. Must be time to start a new account

    Anyway, at least Microsoft is reliable. You can always count on them to screw things up when they try and fix them.
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  4. #4
    KorpDeath (Priapistic Monk)
    Join Date: Dec 2001
    Posts: 2,628
    I'm spending waaaay too much time here. But it's just too cool.

    I'm gonna teach myself to do a lil' programming now. Time to check out the tuts.

    peace
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  5. #5
    Senior Member
    Join Date: Dec 2001
    Posts: 1,193
    IIS patches usually open some new holes in any case. 5.1: what's new from 5.0?
    Trappedagainbyperfectlogic.

  6. #6
    I believe XP uses 5.1 and Win2k uses 5.0. But then again I've been known to be wrong, but I'm pretty sure.
    America - Land of the free, home of the brave.
