A new vulnerability issue with IIS.

Taken from SANS e-mail updates.

Cumulative Patch for Internet Information Services
(Q319733)
- released 10 April 2002
- revised 11 April 2002
- revised 12 April 2002

Risk: ****CRITICAL
- Internet systems: CRITICAL
- Intranet systems: CRITICAL
- Client systems: MODERATE

Impact: Run code of attacker's choice

Systems Affected:
- Internet Information Server (IIS) 4.0
- Internet Information Server (IIS) 5.0
- Internet Information Server (IIS) 5.1 (ships with Windows XP
Professional)
- Internet Information Server (IIS) 6.0 - this affects users running
the BETA version of .NET Server PRIOR to Build 3605.
- Previous versions are no longer supported, were not tested, and
may or may not be vulnerable.

Summary:
Microsoft has released a patch intended to address all known
vulnerabilities in Internet Information Server (IIS) to date, including
several non-security fixes described in Q319733. In addition, this
patch addresses ten new security vulnerabilities. (NOTE: The patch
does NOT address four IIS 4.0 vulnerabilities that must be corrected
by "administrative action," nor does it address vulnerabilities
in add-on products such as Front Page Extensions or Index Server.
See MS02-018 for details.)

1. Buffer overrun in Chunked Encoding mechanism. The HTTP
specification allows clients to transmit large amounts of data to a web
server by encoding them in "chunks" of a size defined by the client.
eEye Digital Security discovered that an arithmetic error in the ISAPI
extension that handles chunks via Active Server Pages causes IIS
to miscalculate the size of the buffer needed to handle the chunk.
This creates a buffer overrun condition where an attacker could cause
the IIS service to crash, or possibly execute code in the context of
the IIS server (by default, SYSTEM on IIS 4.0 and IWAM_machinename on
IIS 5.0). IIS 5.1 is NOT affected by this vulnerability. Users who
have configured IIS to serve static pages only (i.e., by using the
IISLockdown tool) are also not affected. This attack could be blocked
by using Microsoft's URLScan tool.

2. Microsoft-discovered variant of Chunked Encoding buffer overrun.
This vulnerability is similar to the preceding one, but it affects all
versions of IIS (4.0, 5.0, and 5.1) and cannot be blocked by URLScan.
Microsoft did not release any additional details on this vulnerability.

3. Buffer overrun in HTTP header handling. When a client sends a
request to a web server, it includes various parameters in the HTTP
headers. Each header is bounded by delimiting characters, and IIS
normally checks for the existence of those characters to determine
that they are present and that each header is an appropriate length.
Serge Mister of Entrust discovered a vulnerability where it is
possible to spoof the normal checking that IIS performs so that IIS
would consider the headers valid when they were not. An attacker
could exploit this to send excess data to the server within the HTTP
headers, resulting in a buffer overrun that could crash the IIS service
or possibly run code in the context of the IIS server (SYSTEM on IIS
4.0, IWAM_machinename on IIS 5.0/5.1). Users who have configured
IIS to serve static pages only (i.e., using the IISLockdown tool) are
not vulnerable. URLScan can also be used to block this type of attack.
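Items 1 and 3 above both come down to the same defensive rule: a server must compute buffer sizes from client-supplied numbers with overflow checks, and must only believe a header delimiter exists after a bounded search of the bytes it actually holds. The following C code is an added illustration written for this note; it is not Microsoft's IIS code, and the limits `MAX_CHUNK_SIZE`, `MAX_HEADER_LINE` and `MAX_HEADERS`, the function names and the sample requests are all constructed for the example. `parse_chunk_size` reads the hexadecimal chunk-size token of a chunked-transfer body and refuses any value that would wrap `size_t` or exceed the configured bound, so the size can never be miscalculated into a too-small allocation; `validate_header_block` walks a raw header block and rejects it if any line lacks its CRLF within the window of bytes present, rather than trusting that a delimiter is there.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed policy limits for the example; a real server makes these configurable. */
#define MAX_CHUNK_SIZE  ((size_t)1u << 20)   /* 1 MiB per chunk */
#define MAX_HEADER_LINE 8192                 /* bytes, including the CRLF */
#define MAX_HEADERS     100

enum chunk_status {
    CHUNK_OK = 0,
    CHUNK_BAD_SYNTAX = -1,   /* no hex digits, or junk after the size */
    CHUNK_OVERFLOW = -2,     /* value would not fit in size_t */
    CHUNK_TOO_LARGE = -3     /* value exceeds MAX_CHUNK_SIZE */
};

/* Parse the hex chunk-size token at the start of a chunk-size line.
 * On success stores the size in *out and returns CHUNK_OK. The overflow
 * test runs before each multiply-add, so a huge client-supplied size is
 * rejected instead of wrapping around to a small number that would then
 * be used to size a buffer. */
int parse_chunk_size(const char *line, size_t *out)
{
    size_t value = 0;
    int ndigits = 0;
    const char *p = line;

    while (isxdigit((unsigned char)*p)) {
        unsigned digit = isdigit((unsigned char)*p)
                         ? (unsigned)(*p - '0')
                         : (unsigned)(tolower((unsigned char)*p) - 'a' + 10);
        /* value * 16 + digit must fit in size_t */
        if (value > (SIZE_MAX - digit) / 16)
            return CHUNK_OVERFLOW;
        value = value * 16 + digit;
        ndigits++;
        p++;
    }
    if (ndigits == 0)
        return CHUNK_BAD_SYNTAX;
    /* Only a chunk extension (";...") or the line terminator may follow. */
    if (*p != ';' && *p != '\r' && *p != '\n' && *p != '\0')
        return CHUNK_BAD_SYNTAX;
    if (value > MAX_CHUNK_SIZE)
        return CHUNK_TOO_LARGE;
    *out = value;
    return CHUNK_OK;
}

/* Validate the header block held in buf[0..len).
 * Returns the number of header lines before the terminating empty line,
 * or -1 if a line has no CRLF within MAX_HEADER_LINE bytes, a CR is not
 * followed by LF, there are too many headers, or the block is truncated.
 * The search window never extends past len, so a missing delimiter is
 * reported rather than read past the end of the buffer. */
int validate_header_block(const char *buf, size_t len)
{
    size_t pos = 0;
    int count = 0;

    while (pos < len) {
        size_t remaining = len - pos;
        size_t window = remaining < MAX_HEADER_LINE ? remaining : MAX_HEADER_LINE;
        const char *cr = memchr(buf + pos, '\r', window);
        if (cr == NULL)
            return -1;                       /* over-long line or no delimiter */
        size_t linelen = (size_t)(cr - (buf + pos));
        if (linelen + 1 >= remaining || cr[1] != '\n')
            return -1;                       /* lone CR, or CR at end of data */
        if (linelen == 0)
            return count;                    /* empty line ends the headers */
        if (++count > MAX_HEADERS)
            return -1;
        pos += linelen + 2;
    }
    return -1;                               /* no terminating empty line */
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *hdrs = "Host: example.test\r\nTransfer-Encoding: chunked\r\n\r\n";
    size_t n = 0;
    printf("headers: %d\n", validate_header_block(hdrs, strlen(hdrs)));
    printf("chunk 1A: status %d size %zu\n", parse_chunk_size("1A\r\n", &n), n);
    printf("chunk ffff...: status %d\n",
           parse_chunk_size("ffffffffffffffffffff\r\n", &n));
    return 0;
}
```

The design point is that both checks fail closed: a chunk size the parser cannot represent is an error, not a small number, and a header line whose delimiter is not found inside the bounded window is an error, not an invitation to keep scanning. Logging the rejected status values also gives a defender a cheap detection signal for malformed requests of this kind.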

4. Buffer overrun in ASP Server-Side Include function. Microsoft has
discovered a flaw in the way that IIS handles file name requests as
part of Active Server Pages using Server-Side includes. An attacker
could craft a URL that requested an overly long, invalid file name.
When processed as part of a server-side include the file name length
is not checked before it is parsed, allowing an attacker to disrupt
the IIS service or possibly run code in the context of the IIS server
(SYSTEM on IIS 4.0, IWAM_machinename on IIS 5.0/5.1). Users who have
configured IIS to serve static pages only (i.e., using the IISLockdown
tool) are not vulnerable. URLScan can also be used to block this
type of attack.

5. Buffer overrun in HTR ISAPI extension. Dave Aitel of @Stake
and Peter Grundl of KPMG have discovered a vulnerability in the way
that the HTR ISAPI extension calculates the buffer required to handle
requests. Due to the miscalculation, an attacker could send a series
of malformed requests to the server and take advantage of this buffer
overrun condition to crash the IIS server or possibly run code in the
context of the IIS server (SYSTEM on IIS 4.0, IWAM_machinename on IIS
5.0). IIS 5.1 is NOT affected by this vulnerability. HTR extensions
are used primarily to enable web-based password management; Microsoft
recommends that they be disabled.

6. Access violation in URL error handling. Dave Aitel of @Stake has
discovered a flaw in the way IIS handles particular error conditions.
When one of the ISAPI filters installed with Front Page Server
Extensions or Microsoft ASP.NET receives a request for a URL that is
too long, IIS mishandles the error, resulting in an access violation
that will crash the IIS service and cause a denial of service.

7. Denial of service via FTP status request. A flaw in the way that
IIS processes requests for the status of an FTP connection would allow
an attacker to crash the FTP service by sending a specially malformed
request to the server. Because FTP services are provided by IIS,
the attacker could crash the IIS service via this attack as well.

8. - 10. Three cross-site scripting vulnerabilities (in the IIS Help
File search facility, in HTTP error pages, and in the IIS redirect
response message). IIS 4.0 is NOT affected by the vulnerability
in the IIS Help File search facility. Cross-site scripting
vulnerabilities in various IIS components could allow an attacker
to create a malicious web site that would run a script in the user's
browser in the context of a third-party web site. The script would
be able to access information in any cookies from the third-party
site, and might also be able to take other action on the user's
machine, depending on the security context of the third-party site.
These vulnerabilities were discovered by Joe Smith and zenomorph,
Thor Larholm, and Keigo Yamazaki, respectively.

Details:
* MS02-018(including patch information and availability):
http://www.microsoft.com/technet/sec...n/ms02-018.asp
* Knowledge Base Articles:
- Q319733: MS02-018: April 2002 Cumulative
Patch for Internet Information Services,
http://support.microsoft.com/default...;EN-US;q319733
* CVE Information:
- Buffer overrun in Chunked Encoding mechanism: CAN-2002-0079,
http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0079
- Microsoft-discovered variant of Chunked
Encoding buffer overrun: CAN-2002-0079,
http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0147
- Buffer overrun in HTTP header handling: CAN-2002-0150,
http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0150
- Buffer overrun in ASP Server-Side Include function: CAN-2002-0149,
http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0149
- Buffer overrun in HTR ISAPI extension: CAN-2002-0071,
http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0071
- Access violation in URL error handling: CAN-2002-0072,
http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0072
- Denial of service via FTP status request: CAN-2002-0073,
http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0073
- Cross-site scripting in IIS Help File search facility: CAN-2002-0074,
http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0074
- Cross-site scripting in HTTP error page: CAN-2002-0148,
http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0148
- Cross-site scripting in Redirect Response message: CAN-2002-0075,
http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0075
* Additional references:
- CERT Advisory: CA-2002-09 Multiple Vulnerabilities in Microsoft
IIS (includes links to individual CERT Vulnerability Notes),
http://www.cert.org/advisories/CA-2002-09.html
- ISS Alert: Multiple Remote Vulnerabilities in Microsoft IIS,
http://www.iss.net/security_center/alerts/advise114.php
- eEye Security original advisory:
http://www.eeye.com/html/Research/Ad...D20020410.html
- Original @Stake advisory:
http://www.atstake.com/research/advi.../a041002-1.txt
- Original KPMG advisories:
http://marc.theaimsgroup.com/?l=bugt...087828265&w=2,
http://marc.theaimsgroup.com/?l=bugt...3851025208&w=2
- Thor Larholm's original advisory: http://jscript.dk/adv/TL001/
- Keigo Yamazaki's original advisory:
http://marc.theaimsgroup.com/?l=bugt...4677802990&w=2

Lovely.