Microsoft Security Bulletin 02 - 07 - 02

  1. #1
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    Microsoft Security Bulletin 02 - 07 - 02

    Title
    =====

    Microsoft Security Bulletin - MS02-028 (Revision to UNIRAS Briefing 184/02):
    Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise

    Detail
    ======

    ----------------------------------------------------------------------
    Title: Heap Overrun in HTR Chunked Encoding Could Enable Web
    Server Compromise (Q321599)
    Released: 12 June 2002
    Revised: 01 July 2002 (version 2.0)
    Software: Internet Information Server
    Impact: Run Code of Attacker's Choice
    Max Risk: Critical
    Bulletin: MS02-028

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/sec.../MS02-028.asp.
    ----------------------------------------------------------------------

    Reason for Revision:
    ====================
    On June 12, 2002, Microsoft released the original version of this bulletin. On July 1, 2002, the bulletin was updated to revise the severity rating. Specifically, Microsoft has increased the severity rating of this issue to "critical." The revision is in response to a significant change in the threat environment due to an increased focus on chunked encoding vulnerabilities in general, and the discovery of hostile code attempting to exploit similar vulnerabilities on other platforms. Customers who have already disabled HTR or applied this patch need not take any action. Customers who have not disabled HTR should do so as soon as possible. Alternately, customers who cannot disable HTR should apply the patch immediately.

    Issue:
    ======
    This patch eliminates a newly discovered vulnerability affecting Internet Information Services. Although Microsoft typically delivers cumulative patches for IIS, in this case we have delivered a patch that eliminates only this new vulnerability, while completing a cumulative patch. When the cumulative patch is customer-ready, we will update this bulletin with information on its availability. The FAQ provides information on the circumstances surrounding the vulnerability, and why we believe releasing a singleton patch immediately is in customers' best interests. To ensure that servers are fully protected against past as well as current vulnerabilities, we strongly recommend installing the previous cumulative patch (discussed in Microsoft Security Bulletin MS02-018) before installing this patch.

    The vulnerability is similar to the first vulnerability discussed in Microsoft Security Bulletin MS02-018. Like that vulnerability, this one involves a buffer overrun in the Chunked Encoding data transfer mechanism in IIS 4.0 and 5.0, and could likewise be used to overrun heap memory on the system, with the result of either causing the IIS service to fail or allowing code to be run on the server. The chief difference between the vulnerabilities is that the newly discovered one lies in the ISAPI extension that implements HTR - an older, largely obsolete scripting technology - where the previous one lay in the ISAPI extension that implements ASP.

    Mitigating Factors:
    ====================
    - Microsoft has long recommended disabling HTR functionality unless there is a business-critical reason for retaining it. Systems on which HTR is disabled would not be at risk from this vulnerability.

    - The IIS Lockdown Tool disables HTR by default in all server configurations.

    - The current version of the URLScan tool provides a means of blocking chunked encoding transfer requests by default.

    - On default installations of IIS 5.0, exploiting the vulnerability to run code would grant the attacker the privileges of the IWAM_computername account, which has only the privileges commensurate with those of an interactively logged-on unprivileged user.

    Risk Rating:
    ============
    - Internet systems: Critical
    - Intranet systems: Critical
    - Client systems: Critical

    Patch Availability:
    ===================
    - A patch is available to fix this vulnerability. Please read the
    Security Bulletin at
    http://www.microsoft.com/technet/sec...n/ms02-028.asp
    for information on obtaining this patch.

    Acknowledgment:
    ===============
    - eEye Digital Security (http://www.eeye.com/)

    ----------------------------------------------------------------------

    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
    BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

    *******************************************************************

    Reprinted with permission of Microsoft Corporation.
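
As an added example (not part of the bulletin or the thread, and not how URLScan or the IIS Lockdown Tool are implemented), the Python below screens raw HTTP request heads for the two conditions the bulletin's mitigations address: a request mapped to the HTR extension and a chunked transfer encoding. The verdict names, the sample requests and the host www.example.test are constructed for illustration.

```python
# Added example: screens raw HTTP request heads for the two conditions the
# bulletin's mitigations address (HTR mapping, chunked transfer encoding).
from urllib.parse import urlsplit, unquote

def parse_head(raw: bytes):
    """Split a request head into (method, target, {lower-cased header: [values]})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers

def targets_htr(target: str) -> bool:
    """True if any path segment ends in .htr (covers /a.htr/extra and %-encoding)."""
    path = unquote(urlsplit(target).path).lower()
    return any(seg.endswith(".htr") for seg in path.split("/"))

def is_chunked(headers) -> bool:
    """True if any Transfer-Encoding header lists the 'chunked' coding."""
    codings = ",".join(headers.get("transfer-encoding", []))
    return any(c.strip().lower() == "chunked" for c in codings.split(","))

def screen(raw: bytes) -> str:
    """Return 'block', 'review' or 'allow' for one request head."""
    _method, target, headers = parse_head(raw)
    htr, chunked = targets_htr(target), is_chunked(headers)
    if htr and chunked:
        return "block"    # both conditions named in the bulletin
    if htr or chunked:
        return "review"   # one condition: HTR still mapped, or a chunked request
    return "allow"

# Constructed sample requests (not captured traffic).
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    b"POST /app/form.asp HTTP/1.1\r\nHost: www.example.test\r\nTransfer-Encoding: chunked\r\n\r\n",
    b"POST /scripts/page.HTR HTTP/1.1\r\nHost: www.example.test\r\ntransfer-encoding: gzip, Chunked\r\n\r\n",
    b"GET /scripts/p%61ge.htr/x?a=1 HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(screen(raw), raw.split(b"\r\n", 1)[0].decode())
```

A "review" verdict on an .htr request with no chunked body is still worth following up, since it shows the HTR script mapping is reachable on that server.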

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    310
    Hrms.. interesting. But I thought there was a new rule (and U.S. federal law) about cutting and pasting? Isn't this supposed to be illegal?
    script language=\"M$cript\";
    function beginError(bsod) {
    return true; }
    onLoad.windows = beginError;

  3. #3
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    Huh? If that were true, we all violated the law, since we all are doing some cut and paste from time to time..

    Anyhow.. this article wasn't taken from ANY website.. or whatsoever.. u would know it's from a site coz I would quote the source

    If the articles I post don't have a source, that means that I have exclusive access to that article. This one came to me via e-mail.

    lol and if I read this right, this article is something that would make any cracker's sweet tooth tingle..

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    This is actually a resend of a security bulletin that they released last week. They just bumped up the severity of the issue, which warrants a resend of the notification. Notice the (Version 2.0).

  5. #5
    The Iceman Cometh
    Join Date
    Aug 2001
    Posts
    1,209
    s0nic, I get the Microsoft Security Bulletin as well. Maybe, instead of copying and pasting the whole thing, post the affected software, a short quote describing the problem, and then a link to the security bulletin online. You could, theoretically, just copy the following box, and it should be enough, without violating any laws:

    ----------------------------------------------------------------------
    Title: Heap Overrun in HTR Chunked Encoding Could Enable Web
    Server Compromise (Q321599)
    Released: 12 June 2002
    Revised: 01 July 2002 (version 2.0)
    Software: Internet Information Server
    Impact: Run Code of Attacker's Choice
    Max Risk: Critical
    Bulletin: MS02-028

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/se...n/MS02-028.asp.
    ----------------------------------------------------------------------
    Just a thought.

    AJ

  6. #6
    Senior Member
    Join Date
    Jun 2002
    Posts
    144
    Who cares about whether cutting and pasting a bulletin is illegal? The purpose is to disseminate the information to those who need it. Some of us may not get these bulletins. Is disseminating critical information illegal? I don't think so. If it is, then someone needs to pull their heads out of their collective arses and smell the roses, if their nostrils aren't filled with sh*t.
    M$ support is like shooting yourself in the left foot and then putting a band-aid on the right one.

  7. #7
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    I usually follow the way avdven suggests (it is usually nice to get a summary and a link because there is less reading to get the general idea and if I am really interested, I can just follow the URL); however, in regards to the legality, this information is public. It is freely available on the web and links to it are posted everywhere. IMHO, pasting the article to a post is no different than any of the other security sites out there that provide the information/discussions and then link to Micro$oft or whatever other vendors having problems that day, so long as it is clearly marked to be a COPY of an original and the source is properly referenced (URL for example)...

    Just a thought...

    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  8. #8
    Hey, I'm running IIS 5.0 with Windows 2000 Server. I wanted to know if there are any rootkits available so that I can understand how these hackers are exploiting my system (some sources of source would be nice too). If you could post the links I would greatly appreciate it. Thx.
    X-raV


    [shadow][gloworange]
    PHP Code:
    esrever_kniht./ 
    [/gloworange] [/shadow]

    I have the source from secureroot.com and don't need it anymore.. sorry for wasting space

    http://www.ussrback.com/
    .::nataS is WaTchiNg::.
