Microsoft Internet Information Server (IIS) Heap Overflow in HTR ISAPI Extension While Processing Chunked Encoded Data Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1004526|
SecurityTracker URL: http://securitytracker.com/id/1004526
(Links to External Site)
Date: Jun 12 2002
Execution of arbitrary code via network, Root access via network, User access via network|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): 4, 5|
A vulnerability was reported in Microsoft's Internet Information Server (IIS). A remote user can execute arbitrary code on the server. On IIS 4.0, this may let the remote user gain full control over the system.|
eEye Digital Security reported a buffer overrun in the Chunked Encoding data transfer mechanism that allows a remote user to overrun heap memory on the system. The vulnerability reportedly exists in the ISAPI extension that implements HTR.
A remote user can send a specially crafted session to overwrite a section of the heap. Data structures in the overwritten heap can thus be manipulated to move user-supplied data to a memory addresses specified by the remote user. This can cause the code execution flow to be changed to a user-supplied section of code.
A remote user can overwrite static global variables, stored function pointers, process management structures, memory management structures, or other data types to gain control of the IIS server. The code would execute with the privileges of the HTR ISAPI extension. On IIS 4.0, this extension runs as part of the operating system, so the code would be run with system level privileges, giving the user full control of the system. On IIS 5.0, the code would run with the privileges of the Web Application Manager (the IWAM_computername account).
A demonstration exploit session is provided:
POST /EEYE.htr HTTP/1.1
This example will overwrite a section of the heap that contains data structures related to the memory management system. A remote user can manipulate the content of these structures to overwrite 4 bytes of memory with an arbitrary address, thereby redirecting execution to the user's arbitrary code.
A remote user can execute arbitrary code on the server. The code would run with System level privileges on IIS 4.0 and with IWAM_computername privileges on IIS 5.0|
The vendor has issued a fix.|
For Microsoft IIS 4.0:
For Microsoft IIS 5.0:
Microsoft notes that the IIS 4.0 patch can be installed on systems running Windows NT 4.0 SP 6a and the IIS 5.0 patch can be installed on systems running Windows 2000 SP1 or SP2.
Microsoft plans to include the IIS 5.0 fix in Windows 2000 SP3.
Microsoft will issue Knowledge Base article Q321599 regarding this, to be available shortly from the Microsoft Online Support web site:
Vendor URL: www.microsoft.com/technet/security/bulletin/MS02-028.asp (Links to External Site)
|Underlying OS: Windows (NT), Windows (2000)|
Source Message Contents
Subject: ADVISORY: Windows 2000 and NT4 IIS .HTR Remote Buffer Overflow [AD20020612]|
Windows 2000 and NT4 IIS .HTR Remote Buffer Overflow
June 12, 2002
High (Remote code execution)
Microsoft Windows NT 4.0 Internet Information Services 4.0
Microsoft Windows 2000 Internet Information Services 5.0
A vulnerability in transfer chunking, in combination with the processing of
HTR request sessions can be exploited to remotely execute code of an
attackers choice on the vulnerable machine. By sending a carefully crafted
session, an attacker can overwrite a section of the heap. Data structures in
the overwritten heap can be manipulated to move attacker-supplied data to
attacker supplied memory addresses, thereby altering the flow of execution
into an attacker supplied payload.
This is a very serious vulnerability and eEye suggests that administrators
install the Microsoft supplied patch as soon as possible.
The following example will show the vulnerable condition. The dllhost.exe
child process will silently die because the developers have replaced the
default exception filter. So if you want to examine this closer, load a
debugger up on the dllhost child process before you send this example
session over the wire.
POST /EEYE.htr HTTP/1.1
The example session above overwrites a section of the heap that contains
data structures related to the memory management system. By manipulating the
content of these structures we can overwrite an arbitrary 4 bytes of memory
with an attacker supplied address.
While many may believe that the risk for these types of vulnerabilities is
fairly low due to the fact that addressing is dynamic and brute force
techniques would need to be use in an attack, eEye strongly disagrees. This
premise is false as successful exploitation can be made with one attempt,
across dll versions. An attacker can overwrite static global variables,
stored function pointers, process management structures, memory management
structures, or any number of data types that will allow him to gain control
of the target application in one session.
SecureIIS(tm) Application Firewall for Microsoft IIS
It should be noted that clients using any version of SecureIIS from eEye
Digital Security are secure from this vulnerability. This vulnerability was
discovered by the eEye team while testing a new version of SecureIIS to help
further its protection abilities from similar classes of attack. To learn
more visit http://www.eeye.com/SecureIIS
Microsoft has released a security bulletin and patch:
Beyond installing the Microsoft security patch it is also recommend to
security advisory references more information on the steps of how to disable
the .htr ISAPI filter.
Credit: Riley Hassell
Greetings: Caesar, K2, Dark Spyrit, Solar Designer, Joey, Halvar, Gera,
Scut, Ilfak Guilfanov. And last but not least, Kasia and Jenn ;) and as
Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
Please send suggestions, updates, and comments to:
eEye Digital Security
Go to the Top of This SecurityTracker Archive Page