New vulnerabilities have been discovered (April 11th 2002). All customers using M$ IIS on NT4.0 / Win 2K and Win XP systems should consider reading the following info and applying the patches or solutions mentioned.
source: www.securityspace.com
Title: MS FTPd DoS
ID: 10934
Category: FTP
URL: http://www.securityspace.com/smysecu....html?id=10934
Summary: Checks if the remote ftp can be crashed
Description:
It was possible to make the remote FTP server crash
by sending the command 'STAT *?AAAAA....AAAAA'
An attacker may use this flaw to prevent your FTP server
from working properly
Solution : see
http://www.microsoft.com/technet/sec...n/ms02-018.asp
Risk factor : Medium
Title: IIS XSS via 404 error
ID: 10936
Category: CGI abuses
URL: http://www.securityspace.com/smysecu....html?id=10936
Summary: Tests for IIS XSS via 404 errors
Description:
This IIS Server appears to be vulnerable to one of the cross site scripting
attacks described in MS02-018. The default '404' file returned by IIS uses
scripting to output a link to the top level domain part of the url requested.
By crafting a particular URL it is possible to insert arbitrary script into
the page for execution.
The presence of this vulnerability also indicates that you are vulnerable to
the other issues identified in MS02-018 (various remote buffer overflow and
cross site scripting attacks...)
References:
http://www.microsoft.com/technet/sec...n/MS02-018.asp
http://jscript.dk/adv/TL001/
Risk factor : Medium
Title: IIS .HTR ISAPI filter applied
ID: 10932
Category: CGI abuses
URL: http://www.securityspace.com/smysecu....html?id=10932
Summary: Tests for IIS .htr ISAPI filter
Description:
The IIS server appears to have the .HTR ISAPI filter mapped.
At least one remote vulnerability has been discovered for the .HTR
filter. This is detailed in Microsoft Advisory
MS02-018, and gives remote SYSTEM level access to the web server.
It is recommended that even if you have patched this vulnerability that
you unmap the .HTR extension, and any other unused ISAPI extensions
if they are not required for the operation of your site.
Solution:
To unmap the .HTR extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Master Properties
4. Select WWW Service -> Edit -> HomeDirectory -> Configuration
   and remove the reference to .htr from the list.
Risk factor : High
Title: IIS FrontPage ISAPI Denial of Service
ID: 10937
Category: Denial of Service
URL: http://www.securityspace.com/smysecu....html?id=10937
Summary: Tests for a DoS in IIS
Description:
There's a denial of service vulnerability on the remote host
in the Front Page ISAPI filter.
An attacker may use this flaw to prevent the remote service
from working properly.
Solution: See http://www.microsoft.com/technet/sec...n/ms02-018.asp
Risk factor : Medium
Title: IIS ASP ISAPI filter Overflow
ID: 10935
Category: Gain root remotely
URL: http://www.securityspace.com/smysecu....html?id=10935
Summary: Tests for a remote buffer overflow in IIS
Description:
There's a buffer overflow in the remote web server through
the ASP ISAPI filter.
It is possible to overflow the remote web server and execute
commands as user SYSTEM.
Solution: See http://www.microsoft.com/technet/sec...n/ms02-018.asp
Risk factor : High


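The advice quoted above to unmap .HTR and any other unused ISAPI extensions can be checked against an exported list of script mappings. The following is an added example, not part of the original post or of the securityspace.com text. It assumes entries in the layout "extension,handler path,flags,verbs"; the sample entries and the required-extension set are constructed.

```python
# Added example: audit IIS script mappings for .htr and other unneeded ISAPI extensions.
# Assumption: entries use the layout "extension,handler path,flags[,verb,...]".

# Constructed sample entries, not taken from a real server.
SAMPLE_SCRIPT_MAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".HTR,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST",
    r".idc,C:\WINNT\System32\inetsrv\httpodbc.dll,1,GET,HEAD,POST",
    r".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST",
    "not a script map entry",
]


def parse_script_map(entry):
    """Split one entry into its fields; return None if it is malformed."""
    parts = [p.strip() for p in entry.strip().strip('"').split(",")]
    if len(parts) < 3 or not parts[0].startswith(".") or not parts[1]:
        return None
    return {"ext": parts[0].lower(), "handler": parts[1],
            "flags": parts[2], "verbs": parts[3:]}


def audit_script_maps(entries, required_exts):
    """Return (action, extension, handler) findings for mappings to unmap or review."""
    required = {e.lower() for e in required_exts}
    findings = []
    for entry in entries:
        mapping = parse_script_map(entry)
        if mapping is None:
            # Keep malformed lines visible so they get a manual look.
            findings.append(("unparsed", entry, ""))
        elif mapping["ext"] == ".htr":
            # The post advises unmapping .htr even on patched servers.
            findings.append(("unmap", mapping["ext"], mapping["handler"]))
        elif mapping["ext"] not in required:
            # Other ISAPI extensions the site does not list as needed.
            findings.append(("unmap-if-unused", mapping["ext"], mapping["handler"]))
    return findings


if __name__ == "__main__":
    # Hypothetical site that only needs ASP.
    for action, ext, handler in audit_script_maps(SAMPLE_SCRIPT_MAPS, {".asp"}):
        print(f"{action:16} {ext:24} {handler}")
```

Listing .htr in the required set does not suppress the finding, which matches the recommendation to unmap it regardless of patch status.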