SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server Vendors:   Microsoft
Microsoft Internet Information Server ASP HTTP Header Processing Buffer Overflow Lets Remote Users Execute Arbitrary Code on the Server
SecurityTracker Alert ID:  1004014
SecurityTracker URL:  http://securitytracker.com/id/1004014
CVE Reference:   CVE-2002-0150   (Links to External Site)
Date:  Apr 10 2002
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.0, 5.0, 5.1
Description:   A vulnerability has been reported in Microsoft's Internet Information Server in the processing of HTTP headers. A remote user can send a specially crafted request to the web server to cause arbitrary code to be executed by the server. A remote user could also cause the IIS service to be temporarily disrupted.

Microsoft reports that customers that have applied the IIS Lockdown Tool to configure their servers as static web servers are already protected against this vulnerability. In addition, when the URLScan tool is deployed deployed with the default rule set, the arbitrary code execution vulnerability is prevented.

The vulnerability results because of an error that occurs when Active Server Pages parse HTTP header information. An initial check is performed to determine if the required delimiters are present in the appropriate locations before copying the information to a buffer for processing. However, the check can be spoofed, with a buffer overrun as the result.

When Active Server Pages parse HTTP header information, the headers are broken into pieces and placed into an appropriate buffer. The end of each piece is reportedly determined based on a delimiting character. It is reportedly possible for a remote user to construct a particular HTTP header that spoofs the delimiter check so that IIS interprets the delimiting characters as present when they are not present. This allows a buffer overflow to occur.

Microsoft credits Entrust with reporting this vulnerability.

Impact:   A remote user could cause the IIS service to crash. In IIS 4.0, this would require a manual restart to return to normal operations. In IIS 5.0 and 5.1, the service would be restarted automatically.

A remote user could cause arbitrary code to be executed by the web server. On IIS 4.0, this code would be executed with full System privileges, giving the remote user full control of the system. On IIS 5.0 and 5.1, the code would be executed with Web Application Manager (IWAM_computername) privileges.

Solution:   The vendor has released a fix:

For Microsoft IIS 4.0:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37931

For Microsoft IIS 5.0:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37824

For Microsoft IIS 5.1:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37857

The IIS 4.0 patch can be installed on systems running Windows NT 4.0 SP6a. The IIS 5.0 patch can be installed on systems running Windows 2000 SP1 or SP2. The IIS 5.1 patch can be installed on systems running Windows XP Professional Gold.

Microsoft notes that the IIS 5.0 fixes will be included in Windows 2000 SP3 and the IIS 5.1 fixes will be included in Windows XP SP1.

For IIS 4.0 and 5.0, this patch reportedly supersedes the one previously provided in Microsoft Security Bulletin MS01-044.

There is a very large list of 'caveats' associated with this patch. See the Vendor URL for the list.

The vendor will issue Microsoft Knowledge Base article Q319733 shortly, to be available on the Microsoft Online Support web site.

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS02-018.asp (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  Microsoft Security Bulletin MS02-018 Cumulative Patch for Internet Information Services (Q319733)


<HTML>
<HEAD>
<STYLE TYPE="text/css">
<!--
	A:link {color:"#003399";}
	A:visited {color:"#800080";}
	A:hover {color:"#FF3300";}
-->
</STYLE>
</HEAD>
<BODY>

<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0" WIDTH="100%">
<TR VALIGN="TOP">
<TD WIDTH="7px" />
<TD>
</TD>
<TD WIDTH="5px" />
</TR>
</TABLE>
<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0" WIDTH="100%">
<TR VALIGN="TOP"><TD WIDTH="7px" />
<TD>
-----BEGIN PGP SIGNED MESSAGE-----

- -
- ----------------------------------------------------------------------
Title:      Cumulative Patch for Internet Information Services 
            (Q319733)
Date:       10 April 2002
Software:   Microsoft Internet Information Server 4.0, 
            Microsoft Internet Information Services 5.0, 
            Microsoft Internet Information Services 5.1 
Impact:     Ten new vulnerabilities, the most serious of which 
            could enable code of an attacker's choice to be run 
            on a server.
Max Risk:   High
Bulletin:   MS02-018

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp.
- - -
- -
- ----------------------------------------------------------------------

Issue:
======
This patch is a cumulative patch that includes the functionality of 
all security patches released for IIS 4.0 since Windows NT 4.0 
Service Pack 6a, and all security patches released to date for IIS 
5.0 and 5.1. A complete listing of the patches superseded by this
patch is provided below, in the section titled "Additional 
information about this patch". Before applying the patch, system
administrators should take note of the caveats discussed in the 
same section. 

In addition to including previously released security patches, 
this patch also includes fixes for the following newly 
discovered security vulnerabilities affecting IIS 4.0, 5.0 and/or
5.1: 

 - A buffer overrun vulnerability involving the operation of 
   the chunked encoding transfer mechanism via Active Server 
   Pages in IIS 4.0 and 5.0. An attacker who exploited this 
   vulnerability could overrun heap memory on the system, with 
   the result of either causing the IIS service to fail or 
   allowing code to be run on the server. 
 - A Microsoft-discovered vulnerability that is related to the 
   preceding one, but which lies elsewhere within the ASP data 
   transfer mechanism. It could be exploited in a similar manner 
   as the preceding vulnerability, and would havethe same scope. 
   However, it affects IIS 4.0, 5.0, and 5.1. 
 - A buffer overrun involving how IIS 4.0, 5.0 and 5.1 process 
   HTTP header information in certain cases. IIS performs a 
   safety check prior to parsing the fields in HTTP headers, to
   ensure that expected delimiter fields are present and in 
   reasonable places. However, it is possible to spoof the check,
   and convince IIS that the delimiters are present even when they
   are not. This flaw could enable an attacker to create an URL 
   whose HTTP header field values would overrun a buffer used to 
   process them. 
 - A Microsoft-discovered buffer overrun vulnerability in IIS 4.0,
   5.0 and 5.1 that results from an error in safety check that 
   is performed during server-side includes. In some cases, a user
   request for a web page is properly processed by including the 
   file into an ASP script and processing it. Prior to processing 
   the include request, IIS performs an operation on the user-
   specified file name, designed to ensure that the file name is 
   valid and sized appropriately to fit in a static buffer. However,
   in some cases it could be possible to provide a bogus, extremely
   long file name in a way that would pass the safety check, thereby
   resulting in a buffer overrun. 
 - A buffer overrun affecting the HTR ISAPI extension in IIS 4.0 
   and 5.0.  By sending a series of specially malformed HTR 
   requests, it could be possible to either cause the IIS service to
   fail or, under a very difficult operational scenario, to cause 
   code to run on the server. 
 - A denial of service vulnerability involving the way IIS 4.0, 
   5.0, and 5.1 handle an error condition from ISAPI filters. 
   At least one ISAPI filter (which ships as part of FrontPage 
   Server Extensions and ASP.NET), and possibly others, generate 
   an error when a request is received containing an URL that 
   exceeds the maximum length set by the filter. In processing 
   this error, the filter replaces the URL with a null value. A 
   flaw results because IIS attempts to process the URL in the course
   of sending the error message back to the requester, resulting in 
   an access violation that causes the IIS service to fail. 
 - A denial of service vulnerability involving the way the FTP 
   service in IIS 4.0, 5.0 and 5.1 handles a request for the status
   of the current FTP session. If an attacker were able to establish
   an FTP session with an affected server,and levied a status 
   request that created a particular error condition, a flaw in the
   FTP code would prevent it from correctly reporting the error. 
   Other code within the FTP service would then attempt to use 
   uninitialized data, with an access violation as the result. This
   would result in the disruption of not only FTP services, but also
   of web services. 
 - A trio of Cross-Site Scripting (CSS) vulnerabilities affecting 
   IIS 4.0, 5.0 and 5.1: one involving the results page that's 
   returned when searching the IIS Help Files, one involving HTTP 
   error pages; and one involving the error message that's returned
   to advise that a requested URL has been redirected. All of these
   vulnerabilities have the same scope and effect: an attacker who 
   was able to lure a user into clicking a link on his web site 
   could relay a request containing script to a third-party web 
   site running IIS, thereby causing the third-party site's response
   (still including the script) to be sent to the user. The script
   would then render using the security settings of the third-party
   site rather than the attacker's.


Mitigating Factors:
====================
Buffer overrun in Chunked Encoding transfer: 
  - On default installations of IIS 5.0 and 5.1, exploiting the 
   vulnerability to run code would grant the attacker the privileges 
   of the IWAM_computername account, which has only the privileges
   commensurate with those of an interactively logged-on 
   unprivileged user. 
 - The vulnerability requires that Active Server Pages (ASP) be 
   enabled on the system in order to be exploited. Version 1.0 of 
   the IIS Lockdown Tool removes ASP by default, and the current 
   version (version 2.1) removes it by default if Static Web Server
   has been selected. 
 - The URLScan tool can be configured to prevent chunked encoding 
   requests. If this has been done, the vulnerability could not be 
   exploited. 

Microsoft-discovered variant of Chunked Encoding buffer overrun: 
 - This vulnerability is subject to exactly the same mitigating 
   factors as the buffer overrun in the Chunked Encoding transfer,
   with one exception. The URLScan tool could not be used to protect 
   against the vulnerability. 

Buffer Overrun in HTTP header handling: 
 - On default installations of IIS 5.0 and 5.1, exploiting the 
   vulnerability to run code would grant the attacker the 
   privileges of the IWAM_computername account, which has only
   the privileges commensurate with those of an interactively 
   logged-on unprivileged user. 
 - The vulnerability requires that Active Server Pages (ASP) be
   enabled on the systemin order to be exploited. Version 1.0 
   of the IIS Lockdown Tool removes ASP by default, and the 
   current version (version 2.1) removes it by default if 
   Static Web Server has been selected. 
 - The URLScan tool's default ruleset would likely limit the 
   attacker to using this vulnerability for denial of service 
   attacks only. 

Buffer Overrun in ASP Server-Side Include Function: 
 - On default installations of IIS 5.0 and 5.1, exploiting the 
   vulnerability to run code would grant the attacker the privileges
   of the IWAM_computername account, which has only the privileges
   commensurate with those of an interactively logged-on user. 
 - The vulnerability requires that Active Server Pages (ASP) be
   enabled on the system in order to be exploited. Version 1.0 
   of the IIS Lockdown Tool removes ASP by default, and the current 
   version (version 2.1) removes it by default if Static Web Server
   has been selected. 
 - The URLScan tool's default ruleset would likely limit the 
   attacker to using this vulnerability for denial of service 
   attacks only. 

Buffer overrun in HTR ISAPI extension: 
 - Microsoft has long recommended disabling the HTR ISAPI extension. 
   Systems on which this has been done would be at no risk from the 
   vulnerability. (All versions of the IIS Lockdown Tool disable HTR 
   support by default). 
 - The URLScan tool, if using its default ruleset, would prevent 
   this vulnerability from being exploited to run code on the server
   even if HTR support was enabled. 
 - The vulnerability could only be used to run code on the server if
   the attacker knew the locations of certain information in memory.
   In practice,  the most likely such situation would occur if the
   web server had never served any web content since being rebooted.
   In all other cases, it would only be possible to use the 
   vulnerability for denial of service attacks. 
 - On default installations of IIS 5.0 and 5.1, exploiting the 
vulnerability to run code would grant the attacker the privileges 
of the IWAM_computername account, which has only the privileges 
commensurate with those of an interactively logged-on user. 
 - If the vulnerability were used in a denial of service attack, 
   normal operation could be restored on an IIS 4.0 server by 
   restarting the IIS service; on IIS 5.0 and higher, the service 
   would automatically restart itself. 

Access violation in URL error handling: 
 - An IIS 4.0 server could be put back into normal operation by 
   restarting the service. An IIS 5.0 or 5.1 server would 
   automatically restart the service. 
 - The vulnerability could only be used for denial of service 
   attacks. There is no capability to use the vulnerability to gain 
   privileges on the system. 
 - The sole ISAPI filter known to generate the error that results in
   the access violation ships only as part of FrontPage Server
   Extensions and ASP.NET. ASP.NET is not installed by default, and 
   FPSE can be uninstalled if desired. 

Denial of service via FTP Status request: 
 - The IIS Lockdown Tool disables FTP support by default. 
 - An IIS 4.0 server could be put back into normal operation by 
   restarting the service. An IIS 5.0 or 5.1 server would 
   automatically restart the service. 
 - The vulnerability could only be used for denial of service 
   attacks. There is no capability to use the vulnerability to gain 
   privileges on the system. 

Cross-site Scripting in IIS Help File search facility, HTTP Error 
Page, and Redirect Response message: 
 - The vulnerabilities could only be exploited if the attacker could 
   entice another user into visiting a web page and clicking a link
   on it, or opening an HTML mail. 
 - The Redirect Response vulnerability could only be exploited if 
   the user was running a browser other than Internet Explorer. IE 
   does not actually render the text in the Redirect Response, but 
   instead recognizes it by its response header and processes the
   redirect without displaying any text. 


Risk Rating:
============
 - Internet systems: Critical
 - Intranet systems: Critical
 - Client systems: Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - eEye Digital Security (http://www.eeye.com) for reporting the
   buffer overrun in the ASP chunked encoding implementation. 
 - Entrust Technologies (http://www.entrust.com) for reporting the 
   buffer overrun affecting the HTTP header handling. 
 - Chris Wysopal of @Stake (http://www.atstake.com) and Peter
   Grundl of KPMG for reporting the buffer overrun in the HTR 
   ISAPI extension and the access violation in URL error handling. 
 - Joe Smith (jsm1th@hotmail.com) and zenomorph
   (admin@cgisecurity.com) of http:// www.cgisecurity.com) for 
   reporting the cross-site scripting vulnerability in the IIS 
   Help File search facility. 
 - Keigo Yamazaki of the LAC SNS Team 
   (http://www.lac.co.jp/security/) for reporting the 
   cross-site scripting vulnerability affecting redirect 
   response messages. 
 - Thor Larholm of Jubii A/S for reporting the cross-site scripting 
   vulnerability affecting HTTP error pages.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPLOoZ40ZSRQxA/UrAQEuCAf8DwKKY6aPNBKfp7Rf0Sy0NU9RQBYlb7v6
4R5eCKF0F3h6C2TemIistdgiZAcoAXW8gHVwNNH9SAU708JLIYzLJFB24h0D5qdo
bV1rJjv4f0JCrp1fvIHCpBE5evLy7Wz4dHAg4qxCaRE/7bIvuR+GHwVZnJBBdNV5
JkPpyTJYHIW6/wkdLgWgCX2mOtiNVLMMM5m/EnnG3zP075fEJRSD5sJdvj8H3Dqf
RPqBHHmRUsFZni8481ga9uzrqq+svJfksv189PYVXNPUsSBFHsksB8tlrVkmFSgH
ZiGwDb+y60zuH40jDUytnQJJt+lt6wVIXjdZyQvolJb+M79EIhSvSw==
=hk9a
-----END PGP SIGNATURE-----
<BR />
<HTML>
<body><A name= footer>
<TABLE border="0" CELLPADDING="0" CELLSPACING="0" WIDTH=680>
<TR>
<TD COLSPAN=6 VALIGN=TOP>
<FONT FACE="Verdana, Arial, Helvetica" SIZE=1>
<FONT SIZE=1>
<br><A href="http://communities.microsoft.com/home/default.asp">Microsoft Communities</a>
is your launching pad for communicating online with peers and experts about
Microsoft products, technologies, and services.<br>

<br>~~~~~~~~~~~~~~~~~~~~~~~~~ How to use this mailing list~~~~~~~~~~~~~~~~~~~~~~~~<br><br>

To cancel your subscription to this newsletter, either <A href="mailto:1_29006_************************************_US@Newsletters.Microsoft.com?subject=UNSUBSCRIBE">click
 here</A> to send an unsubscribe e-mail or reply to this message with the word UNSUBSCRIBE in the Subject line. To stop all e-mail
 newsletters from microsoft.com, either <A href="mailto:2_29006_************************************_US@Newsletters.Microsoft.com?subject=STOPMAIL">click
 here</A> to send your request or reply to this message with the word STOPMAIL in the Subject Line. 
You can also unsubscribe at <A href="http://www.microsoft.com/misc/unsubscribe.htm">http//:www.microsoft.com/misc/unsubscribe.htm</A>.
 You can manage all your Microsoft.com communication preferences from this site. <br><br>

THIS DOCUMENT AND OTHER DOCUMENTS PROVIDED PURSUANT TO THIS PROGRAM ARE FOR INFORMATIONAL PURPOSES ONLY. The information type should
 not be interpreted to be a commitment on the part of Microsoft and Microsoft cannot guarantee the accuracy of any information presented
 after the date of publication. INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED 'AS IS' WITHOUT WARRANTY OF ANY KIND. The user assumes
 the entire risk as to the accuracy and the use of this document. 
microsoft.com newsletter e-mail may be copied and distributed subject to the following conditions:
<OL><LI> All text must be copied without modification and all pages must be included</LI>
<LI> All copies must contain Microsoft's copyright notice and any other notices provided therein</LI>
<LI> This document may not be distributed for profit</LI>
</OL><br> <br></FONT>
</TD>
</TR>
</TABLE>
</BODY>
</HTML><BR />
</TD>
</TR>
</TABLE>
</BODY>
</HTML>

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC