Results 1 to 4 of 4

Thread: Bulletin: MS02-028

  1. #1
    Senior Member
    Join Date
    Nov 2001

    Bulletin: MS02-028

    Title: Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise (Q321599)
    Date: 12 June 2002
    Software: Internet Information Server
    Impact: Run Code of Attacker's Choice
    Max Risk: Moderate
    Bulletin: MS02-028

    Microsoft encourages customers to review the Security Bulletin at:

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Some more information.

    Source: securityfocus.com (bugtraq)

    Windows 2000 and NT4 IIS .HTR Remote Buffer Overflow

    Release Date:
    June 12, 2002

    High (Remote code execution)

    Systems Affected:
    Microsoft Windows NT 4.0 Internet Information Services 4.0
    Microsoft Windows 2000 Internet Information Services 5.0

    A vulnerability in transfer chunking, in combination with the processing of
    HTR request sessions can be exploited to remotely execute code of an
    attackers choice on the vulnerable machine. By sending a carefully crafted
    session, an attacker can overwrite a section of the heap. Data structures in
    the overwritten heap can be manipulated to move attacker-supplied data to
    attacker supplied memory addresses, thereby altering the flow of execution
    into an attacker supplied payload.

    This is a very serious vulnerability and eEye suggests that administrators
    install the Microsoft supplied patch as soon as possible.

    The following example will show the vulnerable condition. The dllhost.exe
    child process will silently die because the developers have replaced the
    default exception filter. So if you want to examine this closer, load a
    debugger up on the dllhost child process before you send this example
    session over the wire.

    **************Begin Session****************
    POST /EEYE.htr HTTP/1.1
    Host: 0day.big5.com
    Transfer-Encoding: chunked

    **************End Session******************

    Technical Description:

    The example session above overwrites a section of the heap that contains
    data structures related to the memory management system. By manipulating the
    content of these structures we can overwrite an arbitrary 4 bytes of memory
    with an attacker supplied address.

    While many may believe that the risk for these types of vulnerabilities is
    fairly low due to the fact that addressing is dynamic and brute force
    techniques would need to be use in an attack, eEye strongly disagrees. This
    premise is false as successful exploitation can be made with one attempt,
    across dll versions. An attacker can overwrite static global variables,
    stored function pointers, process management structures, memory management
    structures, or any number of data types that will allow him to gain control
    of the target application in one session.

    SecureIIS(tm) Application Firewall for Microsoft IIS

    It should be noted that clients using any version of SecureIIS from eEye
    Digital Security are secure from this vulnerability. This vulnerability was
    discovered by the eEye team while testing a new version of SecureIIS to help
    further its protection abilities from similar classes of attack. To learn
    more visit http://www.eeye.com/SecureIIS

    Vendor Status:
    Microsoft has released a security bulletin and patch:

    Beyond installing the Microsoft security patch it is also recommend to
    disable the .htr ISAPI filter if you have not already done so. Microsoft’s
    security advisory references more information on the steps of how to disable
    the .htr ISAPI filter.

    Credit: Riley Hassell

    Greetings: Caesar, K2, Dark Spyrit, Solar Designer, Joey, Halvar, Gera,
    Scut, Ilfak Guilfanov. And last but not least, Kasia and Jenn and as
    always, http://www.securityfocus.com.

    Copyright (c) 1998-2002 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express consent of
    eEye. If you wish to reprint the whole or any part of this alert in any
    other medium excluding electronic medium, please e-mail alert@eEye.com for

    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There are
    NO warranties with regard to this information. In no event shall the author
    be liable for any damages whatsoever arising out of or in connection with
    the use or spread of this information. Any use of this information is at the
    user's own risk.

    Please send suggestions, updates, and comments to:

    eEye Digital Security

  3. #3
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    kewl article d00d

    An attacker can overwrite static global variables, stored function pointers, process management structures, memory management structures, or any number of data types that will allow him to gain control of the target application in one session.
    now i would like to know how this can be done

  4. #4
    Senior Member
    Join Date
    Oct 2001
    The main thing to learn from this hotfix is that if you are trying to run IIS in a secure manner, you should understand all of the different components that are enabled by default and disable them if not needed. HTR ISAPI has been exploited by atleast 3(probably more) vulnerabilities released recently. If you do not use HTR, disable it, please...

    If you can't figure out if you are using it or not, or how to disable it... Perhaps a different profession is in order.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts