SecurityTracker
Archives
Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server Vendors:   Microsoft
(More Information is Provided on the ssinc.dll Flaw) Re: Microsoft IIS Web Server Contains Multiple Vulnerabilities That Allow Local Users to Gain System Privileges and Allow Remote Users to Cause the Web Server to Crash
SecurityTracker Alert ID:  1002238
SecurityTracker URL:  http://securitytracker.com/id/1002238
CVE Reference:   CVE-2001-0506   (Links to External Site)
Updated:  Dec 1 2003
Original Entry Date:  Aug 23 2001
Impact:   Denial of service via network, Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): IIS 4.0 and 5.0
Description:   Microsoft announced that five new vulnerabilities have been discovered in its Internet Information Server (IIS) web server 4.0 and 5.0 releases. These vulnerabilities allow remote users to disrupt the web server and allow local users to gain system level privileges on the server.

NSFOCUS has provided details on one of the IIS vulnerabilities. This Alert covers the buffer overflow vulnerability in the ssinc.dll component of Microsoft IIS 4.0/5.0 that can be triggered when processing server side include files.

IIS apparently uses ssinc.dll as an SSI interpreter. Under the default configuration, file extensions such as .stm, .shtm and .shtml are mapped to the interpreter (Ssinc.dll).

When processing "#include" SSI directives, ssinc.dll checks for the name of the directory in which the .shtml file resides and prepends the directory name to the include file name, forming a new path string.

It is reported that the DLL checks the length of the include filename and truncates names longer than 0x801 (2049) bytes, but it fails to check the length of the new path string. If a local user sets the filename to longer than 0x801 bytes and saves the file in a directory whose name is longer than 9 bytes, a buffer overflow occurs, overwriting the saved EBP and EIP.

Because ssinc.dll runs in the LOCAL SYSTEM context, a local user can execute arbitrary code with SYSTEM privileges.
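As an added illustration (this is not code from NSFOCUS or Microsoft, and not the actual ssinc.dll logic), the following C models the length arithmetic described above: the include filename is bounded to 0x801 bytes, the assembled path is written into a 0x804-byte buffer, and the check the page describes as missing is the one on the combined string. Beside that model sits the check a hardened implementation needs, which bounds the whole assembled path, terminator included, against the destination before writing anything. The layout "/<dir>/<name>" and all function and variable names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constants taken from the advisory: the include filename is truncated to
 * 0x801 bytes, and the assembled path is copied into a 0x804-byte buffer. */
#define MAX_NAME_LEN   0x801
#define PATH_BUF_SIZE  0x804

/* Models the arithmetic of the flawed check described in the advisory: the
 * filename alone is bounded, but the assembled "/<dir>/<name>" string (plus
 * its terminating NUL) is never compared against the destination size.
 * Returns how many bytes the assembled path would extend past the buffer
 * (0 means it fits). No copy is performed; this only reasons about lengths.
 * The "/<dir>/<name>" layout is an assumption for this example. */
size_t flawed_check_overrun(size_t dir_len, size_t name_len) {
    size_t truncated = name_len > MAX_NAME_LEN ? MAX_NAME_LEN : name_len;
    /* "/" + dir + "/" + name + '\0' */
    size_t total = 1 + dir_len + 1 + truncated + 1;
    return total > PATH_BUF_SIZE ? total - PATH_BUF_SIZE : 0;
}

/* Hardened assembly (added here, not Microsoft's fix): bound the *combined*
 * path, including its terminator, against the destination before writing,
 * and refuse rather than truncate. Returns 0 on success, -1 if it does not fit. */
int build_include_path(char *dst, size_t dst_size,
                       const char *dir, const char *name) {
    size_t dir_len  = strlen(dir);
    size_t name_len = strlen(name);

    /* Keep the per-component limit the advisory describes as well. */
    if (name_len > MAX_NAME_LEN)
        return -1;

    /* The check that was missing: whole string plus NUL versus buffer size. */
    if (1 + dir_len + 1 + name_len + 1 > dst_size)
        return -1;

    /* Safe to format now; snprintf is a second line of defence only. */
    int n = snprintf(dst, dst_size, "/%s/%s", dir, name);
    return (n < 0 || (size_t)n >= dst_size) ? -1 : 0;
}

/* Helper for the demo and tests: run the hardened builder on a constructed
 * directory of dir_len 'a' characters and a name of name_len 'A' characters.
 * Returns build_include_path's result, or -2 if the inputs exceed the helper's
 * own scratch buffers. */
int hardened_result(size_t dir_len, size_t name_len) {
    static char dir[64];
    static char name[MAX_NAME_LEN + 2];
    static char path[PATH_BUF_SIZE];
    if (dir_len >= sizeof dir || name_len >= sizeof name)
        return -2;
    memset(dir, 'a', dir_len);   dir[dir_len] = '\0';
    memset(name, 'A', name_len); name[name_len] = '\0';
    return build_include_path(path, sizeof path, dir, name);
}

int main(void) {
    /* Figures from the advisory's own examples: "/abcd/ABCD", then a
     * 2049-byte name under a one-byte directory, then under a ten-byte one. */
    printf("dir \"abcd\", name \"ABCD\": overrun %zu bytes\n",
           flawed_check_overrun(4, 4));
    printf("dir \"a\", 2049 x 'A':      overrun %zu bytes\n",
           flawed_check_overrun(1, MAX_NAME_LEN));
    printf("10-byte dir, 2049 x 'A':  overrun %zu bytes\n",
           flawed_check_overrun(10, MAX_NAME_LEN));

    printf("hardened, short name: %d\n", hardened_result(4, 4));
    printf("hardened, 2049-byte name: %d\n", hardened_result(1, MAX_NAME_LEN));
    return 0;
}
```

With these constants the model reproduces the advisory's observation that a one-byte directory and a 2049-byte name overrun the buffer by exactly one byte (the terminating NUL), and that a directory of ten bytes overruns by ten; the hardened builder rejects both before touching the destination.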

A demonstration exploit method is described in the Source Message.

Impact:   The ssinc.dll buffer overflow vulnerability allows a local user to gain system privileges and take full control of the server. For other vulnerabilities described by Microsoft in the referenced security bulletin, see the Message History.
Solution:   Microsoft has released a cumulative patch that includes the functionality of all security patches released to date for IIS 5.0, and all patches released for IIS 4.0 since Windows NT(r) 4.0 Service Pack 5:

Microsoft IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32061

The IIS 4.0 patch can be installed on systems running Windows NT 4.0 Service Pack 5 or Service Pack 6a.

Microsoft IIS 5.0:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32011

The IIS 5.0 patch can be installed on systems running Windows 2000 Service Pack 1 and Service Pack 2.

The vendor reportedly plans to include the fix for these issues in Windows 2000 Service Pack 3.

This patch supersedes several previous Microsoft patches. In addition, there are several caveats listed. Please read the Vendor URL for additional information.

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS01-044.asp (Links to External Site)
Cause:   Boundary error, Exception handling error, Resource error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Aug 17 2001 Microsoft IIS Web Server Contains Multiple Vulnerabilities That Allow Local Users to Gain System Privileges and Allow Remote Users to Cause the Web Server to Crash



 Source Message Contents

Subject:  NSFOCUS SA2001-06 : Microsoft IIS ssinc.dll Buffer Overflow Vulnerability



NSFOCUS Security Advisory(SA2001-06)

Topic:  Microsoft IIS ssinc.dll Buffer Overflow Vulnerability


CVE CAN ID : CAN-2001-0506
BUGTRAQ ID : 3190

Affected system:
================

 - Microsoft IIS 4.0 
 - Microsoft IIS 5.0 

Impact: 
=========

NSFOCUS Security Team has found a buffer overflow vulnerability in a dynamic 
link library (ssinc.dll) of Microsoft IIS 4.0/5.0 when processing server side
include files. By exploiting it, an attacker could obtain SYSTEM privilege.

============

Microsoft IIS supports the SSI (Server Side Include) function. IIS uses ssinc.dll as 
an SSI interpreter. By default, extensions like .stm, .shtm and .shtml 
are mapped to the interpreter process (Ssinc.dll).

SSI supports "#include" directive, mostly in this form:

<!--#include file="Filename"-->

When processing the "#include" directive, ssinc.dll checks for the name of 
the directory under which the .shtml file resides, prepends it to the 
include filename and forms a new path string.

For example:

Create a file named "test.shtml" with the following content and save it under 
"wwwroot/abcd/":

<!--#include file="ABCD"-->

The new path string would be "/abcd/ABCD". Ssinc.dll would copy it to a 
buffer of 0x804(2052) bytes. 

When obtaining the server-side include filename from test.shtml, ssinc.dll 
performs a length check on it. If it is longer than 0x801 bytes, 
ssinc.dll cuts it to 0x801 bytes and appends '\0' at the end. Thus, the 
include filename (including the trailing '\0') won't be longer than 0x802(2550)
bytes.

But it does not check the length of the new path string after appending the current
directory name. Thus, if we set the included filename to a string
longer than 0x801 bytes and save "test.shtml" under a directory (the name of which
is longer than 9 bytes), a buffer overflow occurs and completely overwrites the EBP 
and EIP saved on the stack (the trailing '\0' overwrites the first 
argument).

As ssinc.dll runs in the LOCAL SYSTEM context, if an attacker 
carefully forms the overflow data, he might change the procedure flow and run
arbitrary code with SYSTEM privilege.

To launch an attack, the attacker needs the following two conditions:

1. Privilege to create files or directories under the Web directory.
2. Ability to access the created file through the Web service.


Exploit:
==========

1. Create a file "test.shtml" with following file content:

   <!--#include file="AAAA[...]AA"-->

   Number of 'A' should be over 2049.

2. Create a directory "a" under Web directory.
   Copy "test.shtml" to "a" directory.
   
3. Request "test.shtml" through web browser:
   http://webhost/a/test.shtml

4. IIS returns a blank page, which indicates that an overflow has occurred.
   Meanwhile the trailing '\0' has overwritten the last byte of the saved EBP.
   
   By contrast, if the included file has a shorter name like 
   'AA', IIS returns an SSI file '/a/AA' error message when receiving
   the request.



Workaround:
===================

 1. Disable write access to the Web directory for untrusted users.
 2. Remove the .shtml, .shtm and .stm mappings if the SSI service is not needed.

Vendor Status:
==============

2001.6.11  We informed Microsoft of this vulnerability.
2001.6.11  Microsoft replied that the bug has been reproduced.
2001.8.15  Microsoft released a security bulletin (MS01-044) concerning 
           this flaw.

The bulletin is live at:

http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

Patches are available at:
 
. Microsoft IIS 4.0:
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32061

. Microsoft IIS 5.0:
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32011 

Additional Information:
========================

The Common Vulnerabilities and Exposures (CVE) project has 
assigned the name CAN-2001-0506 to this issue. This is a 
candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems.  Candidates 
may change significantly before they become official CVE entries.

DISCLAIMER:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, 
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS 
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, 
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, 
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PERMITTED PROVIDED THAT THE 
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2001 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)