IIS Vulnerability Alert
Results 1 to 2 of 2

Thread: IIS Vulnerability Alert

  1. #1
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,121

    IIS Vulnerability Alert

    A new vulnerabilty issue with IIs.

    Taken from SANs e-mail updates.

    Cumulative Patch for Internet Information Services
    (Q319733)
    - released 10 April 2002
    - revised 11 April 2002
    - revised 12 April 2002

    Risk: ****CRITICAL
    - Internet systems: CRITICAL
    - Intranet systems: CRITICAL
    - Client systems: MODERATE

    Impact: Run code of attacker's choice

    Systems Affected:
    - - Internet Information Server (IIS) 4.0
    - - Internet Information Server (IIS) 5.0
    - - Internet Information Server (IIS) 5.1 (ships with Windows XP
    Professional)
    - - Internet Information Server (IIS) 6.0 - this affects users running
    the BETA version of .NET Server PRIOR to Build 3605.
    - - Previous versions are no longer supported, were not tested, and
    may or may not be vulnerable.

    Summary:
    Microsoft has released a patch intended to address all known
    vulnerabilities in Internet Information Server (IIS) to date, including
    several non-security fixes described in Q319733. In addition, this
    patch addresses ten new security vulnerabilities. (NOTE: The patch
    does NOT address four IIS 4.0 vulnerabilities that must be corrected
    by "administrative action," nor does it address vulnerabilities
    in add-on products such as Front Page Extensions or Index Server.
    See MS02-018 for details.)

    1. Buffer overrun in Chunked Encoding mechanism. The HTTP
    specification allows clients to transmit large amounts of data to a web
    server by encoding them in "chunks" of a size defined by the client.
    eEye Digital Security discovered an arithmetic error in the ISAPI
    extension that handles chunks via Active Server Pages causes IIS
    to miscalculate the size of the buffer needed to handle the chunk.
    This creates a buffer overrun condition where an attacker could cause
    the IIS service to crash, or possible execute code in the context of
    the IIS server (by default, SYSTEM on IIS 4.0 and IWAM_machinename on
    IIS 5.0). IIS 5.1 is NOT affected by this vulnerability. Users who
    have configured IIS to serve static pages only (i.e., by using the
    IISLockdown tool) are also not affected. This attack could be blocked
    by using Microsoft's URLScan tool.

    2. Microsoft-discovered variant of Chunked Encoding buffer overrun.
    This vulnerability is similar to the preceding one, but it affects all
    versions of IIS (4.0, 5.0, and 5.1) and cannot be blocked by URLScan.
    Microsoft did not release any additional details on this vulnerability.

    3. Buffer overrun in HTTP header handling. When a client sends a
    request to a web server, it includes various parameters in the HTTP
    headers. Each header is bounded by delimiting characters, and IIS
    normally checks for the existence of those characters to determine
    that they are present and that each header is an appropriate length.
    Serge Mister of Entrust discovered a vulnerability where it is
    possible to spoof the normal checking that IIS performs so that IIS
    would consider the headers valid when they were not. An attacker
    could exploit this to send excess data to the server within the HTTP
    headers, resulting in a buffer overrun that could crash the IIS service
    or possibly run code in the context of the IIS server (SYSTEM on IIS
    4.0, IWAM_machinename on IIS 5.0/5.1). Users who have configured
    IIS to serve static pages only (i.e., using the IISLockdown tool) are
    not vulnerable. URLScan can also be used to block this type of attack.

    4. Buffer overrun in ASP Server-Side Include function. Microsoft has
    discovered a flaw in the way that IIS handles file name requests as
    part of Active Server Pages using Server-Side includes. An attacker
    could craft a URL that requested an overly long, invalid file name.
    When processed as part of a server-side include the file name length
    is not checked before it is parsed, allowing an attacker to disrupt
    the IIS service or possibly run code in the context of the IIS server
    (SYSTEM on IIS 4.0, IWAM_machinename on IIS 5.0/5.1). Users who have
    configured IIS to serve static pages only (i.e., using the IISLockdown
    tool) are not vulnerable. URLScan can also be used to block this
    type of attack.

    5. Buffer overrun in HTR ISAPI extension. Dave Aitel of @Stake
    and Peter Grundl of KPMG have discovered a vulnerability in the way
    that the HTR ISAPI extension calculates the buffer required to handle
    requests. Due to the miscalculation, an attacker could send a series
    of malformed requests to the server and take advantage of this buffer
    overrun condition to crash the IIS server or possibly run code in the
    context of the IIS server (SYSTEM on IIS 4.0, IWAM_machinename on IIS
    5.0). IIS 5.1 is NOT affected by this vulnerability. HTR extensions
    are used primarily to enable web-based password management; Microsoft
    recommends that they be disabled.

    6. Access violation in URL error handling. Dave Aitel of @Stake has
    discovered a flaw in the way IIS handles particular error conditions.
    When one of the ISAPI filters installed with Front Page Server
    Extensions or Microsoft ASP.NET receives a request for a URL that is
    too long, IIS mishandles the error, resulting in an access violation
    that will crash the IIS service and cause a denial of service.

    7. Denial of service via FTP status request. A flaw in the way that
    IIS processes requests for the status of an FTP connection would allow
    an attacker to crash the FTP service by sending a specially malformed
    request to the server. Because FTP services are provided by IIS,
    the attacker could crash the IIS service via this attack as well.

    8. - 10. Three cross-site scripting vulnerabilities (in the IIS Help
    File search facility, in HTTP error pages, and in the IIS redirect
    response message). IIS 4.0 is NOT affected by the vulnerability
    in the IIS Help File search facility. Cross-site scripting
    vulnerabilities in various IIS components could allow an attacker
    to create a malicious web site that would run a script in the user's
    browser in the context of a third-party web site. The script would
    be able to access information in any cookies from the third-party
    site, and might also be able to take other action on the user's
    machine, depending on the security context of the third-party site.
    These vulnerabilities were discovered by Joe Smith and zenomorph,
    Thor Larholm, and Keigo Yamazaki, respectively.

    Details:
    * MS02-018(including patch information and availability):
    http://www.microsoft.com/technet/sec...n/ms02-018.asp
    * Knowledge Base Articles:
    - Q319733: MS02-018: April 2002 Cumulative
    Patch for Internet Information Services,
    http://support.microsoft.com/default...;EN-US;q319733
    * CVE Information:
    - Buffer overrun in Chunked Encoding mechanism: CAN-2002-0079,
    http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0079
    - Microsoft-discovered variant of Chunked
    Encoding buffer overrun: CAN-2002-0079,
    http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0147
    - Buffer overrun in HTTP header handling: CAN-2002-0150,
    http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0150
    - Buffer overrun in ASP Server-Side Include function: CAN-2002-149,
    http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0149
    - Buffer overrun in HTR ISAPI extension: CAN-2002-0071,
    http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0071
    - Access violation in URL error handling: CAN-2002-0072,
    http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0072
    - Denial of service via FTP status request: CAN-2002-0073,
    http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0073 -
    Cross-site scripting in IIS Help File search facility: CAN-2002-0074,
    http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0074
    - Cross-site scripting in HTTP error page: CAN-2002-0148,
    http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0148 -
    Cross-site scripting in Redirect Response message: CAN-2002-0075,
    http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0075
    * Additional references:
    - CERT Advisory: CA-2002-09 Multiple Vulnerabilities in Microsoft
    IIS (includes links to individual CERT Vulnerability Notes),
    http://www.cert.org/advisories/CA-2002-09.html
    - - ISS Alert: Multiple Remote Vulnerabilities in Microsoft IIS,
    http://www.iss.net/security_center/alerts/advise114.php
    - eEye Security original advisory:
    http://www.eeye.com/html/Research/Ad...D20020410.html
    - Original @Stake advisory:
    http://www.atstake.com/research/advi.../a041002-1.txt
    - Original KPMG advisories:
    http://marc.theaimsgroup.com/?l=bugt...087828265&w=2,
    http://marc.theaimsgroup.com/?l=bugt...3851025208&w=2 -
    Thor Larholm's original advisory: http://jscript.dk/adv/TL001/
    - Keigo Yamazaki's original advisory:
    http://marc.theaimsgroup.com/?l=bugt...4677802990&w=2

    Lovely.

  2. #2
    Banned
    Join Date
    Oct 2001
    Posts
    1,463
    Jeez, So many vulnerabilities... So little time to patch them... My suggestion, switch to Apache

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides