Title
=====
Microsoft Security Bulletin - MS02-028 (Revision to UNIRAS Briefing 184/02):
Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise
Detail
======
-----BEGIN PGP SIGNED MESSAGE-----

----------------------------------------------------------------------
Title: Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise (Q321599)
Released: 12 June 2002
Revised: 01 July 2002 (version 2.0)
Software: Internet Information Server
Impact: Run Code of Attacker's Choice
Max Risk: Critical
Bulletin: MS02-028
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/sec.../MS02-028.asp.

----------------------------------------------------------------------
Reason for Revision:
====================
On June 12, 2002, Microsoft released the original version of this bulletin. On July 1, 2002, the bulletin was updated to revise the severity rating. Specifically, Microsoft has increased the severity rating of this issue to "critical." The revision is in response to a significant change in the threat environment due to an increased focus on chunked encoding vulnerabilities in general, and the discovery of hostile code attempting to exploit similar vulnerabilities on other platforms. Customers who have already disabled HTR or applied this patch need not take any action. Customers who have not disabled HTR should do so as soon as possible. Alternately, customers who cannot disable HTR should apply the patch immediately.
Issue:
======
This patch eliminates a newly discovered vulnerability affecting Internet Information Services. Although Microsoft typically delivers cumulative patches for IIS, in this case we have delivered a patch that eliminates only this new vulnerability, while completing a cumulative patch. When the cumulative patch is customer-ready, we will update this bulletin with information on its availability. The FAQ provides information on the circumstances surrounding the vulnerability, and why we believe releasing a singleton patch immediately is in customers' best interests. To ensure that servers are fully protected against past as well as current vulnerabilities, we strongly recommend installing the previous cumulative patch (discussed in Microsoft Security Bulletin MS02-018) before installing this patch.
The vulnerability is similar to the first vulnerability discussed in Microsoft Security Bulletin MS02-018. Like that vulnerability, this one involves a buffer overrun in the Chunked Encoding data transfer mechanism in IIS 4.0 and 5.0, and could likewise be used to overrun heap memory on the system, with the result of either causing the IIS service to fail or allowing code to be run on the server. The chief difference between the vulnerabilities is that the newly discovered one lies in the ISAPI extension that implements HTR - an older, largely obsolete scripting technology - where the previous one lay in the ISAPI extension that implements ASP.
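The length mismatch at the heart of this bug class, as an added illustration that is not the IIS or HTR ISAPI code and does not reproduce the specific defect Microsoft patched: a toy chunk decoder that sizes its heap buffer from the declared chunk length but copies up to wherever the client placed its CRLF terminator, beside a hardened decoder that refuses anything but exactly the declared number of bytes. The CANARY bytes stand in for whatever object the heap allocator placed next to the buffer, and the sample chunks and MAX_CHUNK_BYTES cap are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CHUNK_BYTES 65536u   /* per-chunk cap for this example, not an IIS setting */
/* Stands in for whatever heap object happens to sit right after the chunk buffer. */
static const unsigned char CANARY[8] = {0xA5,0xA5,0xA5,0xA5,0x5A,0x5A,0x5A,0x5A};

enum chunk_status { CHUNK_OK = 0, CHUNK_BAD_SIZE, CHUNK_TRUNCATED, CHUNK_LENGTH_MISMATCH, CHUNK_NOMEM };

struct chunk_buf {
    size_t declared;      /* value from the hex chunk-size line */
    size_t copied;        /* bytes the decoder actually wrote */
    unsigned char *data;  /* `declared` bytes, then the CANARY "neighbour" */
};

/* Constructed sample chunk bodies (not captured traffic). */
static const char GOOD_CHUNK[]      = "5\r\nHELLO\r\n0\r\n\r\n";
static const char OVERSIZED_CHUNK[] = "5\r\nHELLOXYZ\r\n0\r\n\r\n"; /* declares 5, sends 8 */

static const char *find_crlf(const char *p, const char *end) {
    for (; p + 1 < end; p++) if (p[0] == '\r' && p[1] == '\n') return p;
    return NULL;
}

/* Parse "<hex>[;ext]\r\n"; return the first data byte, or NULL if the line is
 * malformed or the value would not fit in size_t. Shared by both decoders. */
static const char *parse_chunk_size(const char *p, const char *end, size_t *size) {
    size_t v = 0; int digits = 0;
    for (; p < end; p++, digits++) {
        int d;
        if (*p >= '0' && *p <= '9')      d = *p - '0';
        else if (*p >= 'a' && *p <= 'f') d = *p - 'a' + 10;
        else if (*p >= 'A' && *p <= 'F') d = *p - 'A' + 10;
        else break;
        if (v > (SIZE_MAX >> 4)) return NULL;             /* shift would overflow */
        v = (v << 4) | (size_t)d;
    }
    const char *crlf = digits ? find_crlf(p, end) : NULL; /* skips any ;extension */
    if (!crlf) return NULL;
    *size = v;
    return crlf + 2;
}

/* malloc(declared) with the simulated neighbour placed immediately after it. */
static int alloc_with_neighbour(struct chunk_buf *b, size_t declared) {
    if (declared > SIZE_MAX - sizeof CANARY) return 0;
    b->declared = declared; b->copied = 0;
    if (!(b->data = malloc(declared + sizeof CANARY))) return 0;
    memcpy(b->data + declared, CANARY, sizeof CANARY);
    return 1;
}

int canary_intact(const struct chunk_buf *b) {
    return memcmp(b->data + b->declared, CANARY, sizeof CANARY) == 0;
}
void chunk_free(struct chunk_buf *b) { free(b->data); b->data = NULL; }

/* VULNERABLE PATTERN: buffer sized from the declared length, copy bounded only by
 * where the client put its CRLF, so excess bytes land in the neighbour. Feed it
 * only samples whose excess fits in sizeof CANARY; beyond that the write really
 * is out of bounds, which is exactly the bug class being illustrated. */
int decode_chunk_naive(const char *req, size_t len, struct chunk_buf *out) {
    const char *end = req + len, *data, *crlf; size_t declared;
    if (!(data = parse_chunk_size(req, end, &declared))) return CHUNK_BAD_SIZE;
    if (!alloc_with_neighbour(out, declared)) return CHUNK_NOMEM;
    if (!(crlf = find_crlf(data, end))) { chunk_free(out); return CHUNK_TRUNCATED; }
    out->copied = (size_t)(crlf - data);
    memcpy(out->data, data, out->copied);   /* never checks copied <= declared */
    return CHUNK_OK;
}

/* HARDENED: cap the declared size, require exactly that many bytes followed by
 * CRLF before allocating anything, and copy exactly that many. */
int decode_chunk_safe(const char *req, size_t len, struct chunk_buf *out) {
    const char *end = req + len, *data; size_t declared;
    if (!(data = parse_chunk_size(req, end, &declared))) return CHUNK_BAD_SIZE;
    if (declared > MAX_CHUNK_BYTES) return CHUNK_BAD_SIZE;
    if ((size_t)(end - data) < declared + 2) return CHUNK_TRUNCATED;
    if (data[declared] != '\r' || data[declared + 1] != '\n') return CHUNK_LENGTH_MISMATCH;
    if (!alloc_with_neighbour(out, declared)) return CHUNK_NOMEM;
    memcpy(out->data, data, declared);
    out->copied = declared;
    return CHUNK_OK;
}

/* 1 if the naive decoder clobbered the neighbour, 0 if not, -1 if it rejected. */
int naive_corrupts_neighbour(const char *sample) {
    struct chunk_buf b;
    if (decode_chunk_naive(sample, strlen(sample), &b) != CHUNK_OK) return -1;
    int hit = !canary_intact(&b);
    chunk_free(&b);
    return hit;
}

/* Hardened decoder's status on a sample; *copied is set on success, else 0. */
int safe_status(const char *sample, size_t *copied) {
    struct chunk_buf b;
    int rc = decode_chunk_safe(sample, strlen(sample), &b);
    if (copied) *copied = (rc == CHUNK_OK) ? b.copied : 0;
    if (rc == CHUNK_OK) chunk_free(&b);
    return rc;
}
```

Run against OVERSIZED_CHUNK, the naive decoder reports CHUNK_OK while the three surplus bytes have overwritten the start of the neighbour; the hardened decoder returns CHUNK_LENGTH_MISMATCH without allocating. The same parse routine also rejects chunk-size lines whose hex value cannot be represented, which is the other classic way a chunked decoder ends up with a heap buffer smaller than the data it then copies.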
Mitigating Factors:
====================
- Microsoft has long recommended disabling HTR functionality unless there is a business-critical reason for retaining it. Systems on which HTR is disabled would not be at risk from this vulnerability.
- The IIS Lockdown Tool disables HTR by default in all server configurations.
- The current version of the URLScan tool provides a means of blocking chunked encoding transfer requests by default.
- On default installations of IIS 5.0, exploiting the vulnerability to run code would grant the attacker the privileges of the IWAM_computername account, which has only the privileges commensurate with those of an interactively logged-on unprivileged user.
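The URLScan side of the second and third mitigating factors, as an added illustration rather than Microsoft's shipped URLScan.ini: deny requests for the .htr extension and reject any request that carries a Transfer-Encoding header. The section and key names are URLScan's own; which other entries belong in each list depends on the site and is not shown here.

```ini
; URLScan.ini (fragment): only the entries relevant to this bulletin are shown.
[options]
UseAllowExtensions=0
; With UseAllowExtensions=0 the DenyExtensions list below is enforced.

[DenyExtensions]
; The HTR ISAPI extension this bulletin covers.
.htr

[DenyHeaders]
; Any request with a Transfer-Encoding header (chunked included) is rejected
; before it reaches an ISAPI extension.
Transfer-Encoding:
```

Denying the header is the broader control: it also covers the ASP chunked-encoding overrun from MS02-018, whereas the extension entry only removes HTR. Either way, the server's own .htr script mapping should still be removed, so the protection does not depend on the filter being loaded.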
Risk Rating:
============
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: Critical
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/sec...n/ms02-028.asp for information on obtaining this patch.
Acknowledgment:
===============
- eEye Digital Security (http://www.eeye.com/)

----------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQEVAwUBPSDcFI0ZSRQxA/UrAQFOGQgApiLeKU6152INPuPhROJLkJf5hR/YSB49
6Y21xuegR5M2JscjPnxi+rjYBKuOofjQM+0HRm/urZ4MCxEv6p3os1rCw0YmyqIt
v0U59t1dLUUNycO7doIPWjCVgILQGBsoQzZkIQ3799WJewzU8UBlfHiyZ5lInq0I
6O7b3VFU5jLKHPeE7XQfdjm1QXlYkA8klqEWmVMQu7HYGxD20MNn0huLPEprs1aL
UVfcNdry2PJ1Cuh3m0uYYP/6hlySNktmnBwj9OPRAHWolHlLSNoQdAII5VbwWHdW
cM/EJ2Etib0vVmgszl+3DbHL+d9ZV3cacJ0K7YrBgnd5GBSZ2DWmSg==
=DnVB
-----END PGP SIGNATURE-----
*******************************************************************
Reprinted with permission of Microsoft Corporation.