SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server Vendors:   Microsoft
Microsoft Issues Bulletin Re: Microsoft IIS 5.0 Web Server Can Be Restarted Remotely By Any User
SecurityTracker Alert ID:  1001053
SecurityTracker URL:  http://securitytracker.com/id/1001053
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 9 2001
Impact:   Denial of service via network
Vendor Confirmed:  Yes  
Version(s): v5.0
Description:   Georgi Guninski reports a vulnerability with Microsoft's Internet Information Server (IIS) v5.0 in which a remote user can send a certain packet to the server, causing the server to automatically restart

Microsoft has issued a bulletin (MS01-016) regarding this vulnerability. Microsoft confirms that malformed WebDAV requests can cause IIS to exhaust all CPU resources.

WebDAV is an extension to the HTTP protocol that permits remote authoring and management of web content. According to the vendor, IIS 5.0 under Windows 2000 performs some initial processing of all WebDAV requests, then forwards the relevant commands to the WebDAV process. The manner in which WebDAV handles a particular type of malformed request results in this vulnerability. If a stream of malformed requests is directed at an IIS 5.0 server, the WebBAV process would reportedly use up all CPU resources on the server.

For more information, see:

http://www.microsoft.com/technet/security/bulletin/MS01-016.asp

Impact:   A remote user with access to the web server's port (which is basically everyone in the case of a public web server) can cause the server to crash and restart.
Solution:   Microsoft has developed a workaround that is described in Knowledge Base article Q241520 to effectively disable WebDAV on the server. Microsoft will issue a patch at a future date.
Vendor URL:  www.microsoft.com/technet/security/bulletin/MS01-016.asp (Links to External Site)
Cause:   Boundary error, State error
Underlying OS:  Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 8 2001 Microsoft IIS 5.0 Web Server Can Be Restarted Remotely By Any User



 Source Message Contents

Subject:  Microsoft Security Bulletin MS01-016


The following is a Security  Bulletin from the Microsoft Product Security
Notification Service.

Please do not  reply to this message,  as it was sent  from an unattended
mailbox.
                    ********************************

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Malformed WebDAV Request Can Cause IIS 
            to Exhaust CPU Resources
Date:       08 March 2001
Software:   IIS 5.0
Impact:     Denial of Service
Bulletin:   MS01-016

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-016.asp.
- ----------------------------------------------------------------------

Issue:
======
WebDAV is an extension to the HTTP protocol that allows remote
authoring and management of web content. In the Windows 2000
implementation of the protocol, IIS 5.0 performs initial processing
of all WebDAV requests, then forwards the appropriate commands to the
WebDAV process. However, a flaw exists in the way WebDAV handles a
particular type of malformed request. If a stream of such requests
were directed at an affected server, it would consume all CPU
availability on the server. 

Because the discoverer of this vulnerability has chosen to publish
code to exploit this vulnerability before a patch could be developed,
Microsoft has developed a workaround that can be used to defend
against attack. Knowledge Base article Q241520 provides step-by-step
instructions for changing the permissions on the .DLL that provides
WebDAV services in order to effectively disable it on the machine.
When a patch is available, we will re-release this bulletin and
provide updated information. 

Microsoft recommends that customers consider applying the workaround
to any servers running IIS 5.0. Although this obviously includes web
servers, other services, notably Exchange 2000, may also require that
IIS 5.0 be enabled.

Mitigating Factors:
====================
 - The effect of an attack via this vulnerability would be temporary.
The
   server would automatically resume normal service as soon as the
malformed
   requests stopped arriving. 

 - The vulnerability does not provide an attacker with any capability
to
   carry out WebDAV requests. 

 - The vulnerability does not provide any capability to compromise
data on
   the server or gain administrative control over it.

Patch Availability:
===================
 - A patch is currently under development and will be released
shortly. In
   the meantime, Knowledge Base article Q241520
   (http://www.microsoft.com/technet/support/kb.asp?ID=241520)
   provides a workaround that can be used to protect against this
   vulnerability. 

Please read the Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms01-016.asp
for more information on this vulnerability.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOqgEso0ZSRQxA/UrAQEfuAf7B/9Ba0KygUxx4GYoPaNQu6mmwlJ7nQy1
firxtPeQPSaNriq8mHKPPh1lvWrlSX0iCaIA4UP7bS7By94NBAwGB4h0vmcmwAvT
bL0U0bPJZRPeRs7OQpkztzOLUlmCbvHHK7QoHhQ+QY7TmNzM6uXjXJ/jVJZVPZpo
a3gKPrRyR0gXPzN2g10i4rHMKGROe+yRWmQvTh4lRXMATD0d59H5me1MvVbGSa5W
pNnKbeOZPpphQVMIqjZflNaLko7ccUjL4Wu/ldNUl31bQGdZkB2izoqieuhwU1mQ
F2wfVzLkBmQF+CLooFtzurX9FVvTbwOys3ZPVWitZILUL3dvmbs+RQ==
=zZRX
-----END PGP SIGNATURE-----

   *******************************************************************
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.

For  more  information on  the  Microsoft  Security Notification  Service
please  visit  http://www.microsoft.com/technet/security/notify.asp.  For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC