Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server Vendors:   Microsoft
Microsoft Internet Information Server (IIS) Script Access Control Bug May Let Remote Authenticated Users Upload Unauthorized Executable Files
SecurityTracker Alert ID:  1005505
SecurityTracker URL:  http://securitytracker.com/id/1005505
CVE Reference:   CVE-2002-1180   (Links to External Site)
Date:  Oct 31 2002
Impact:   Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.0
Description:   An access control vulnerability was reported in Microsoft Internet Information Server (IIS) version 5.0. A remote authenticated user may be able to upload unauthorized '.com' executable files to the system.

It is reported that the script source access permission function in IIS 5.0 contains a typographical flaw in a table that specifies what type of files may be uploaded to a write-enabled virtual directory. A remote authenticated user with permission to upload files to the directory can upload '.com' files even if "script source access" permissions have not been granted to that user.
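To make the failure mode concrete, here is a small model (added for this page, not IIS code) of the upload decision the alert describes: a denylist table of extensions that require "script source access", with one entry misspelled the way the reported typo omits .COM. The table contents, the safe-content allowlist and all function names are assumptions; the hardened variant goes beyond the page by showing that an allowlist of known-safe content fails closed when a table entry is missing.

```python
# Model of the IIS 5.0 "script source access" upload check described in this
# alert. Illustrative code written for this page, not IIS source; table
# contents and helper names are assumptions.
from dataclasses import dataclass
import posixpath

# Extensions the permission is meant to gate. FLAWED_TABLE mirrors the
# reported typo: the ".com" entry is misspelled, so a ".com" lookup never hits.
FLAWED_TABLE = frozenset({".asp", ".exe", ".dll", ".cmo"})  # constructed typo
FIXED_TABLE = frozenset({".asp", ".exe", ".dll", ".com"})

# Allowlist of plain content types for the hardened variant (assumption).
SAFE_CONTENT = frozenset({".htm", ".html", ".txt", ".gif", ".jpg", ".css"})

@dataclass(frozen=True)
class VDirPerms:
    write: bool                 # virtual directory is write-enabled
    script_source_access: bool  # user also holds script source access

def normalize_ext(filename: str) -> str:
    """Lower-cased extension; trailing dots/spaces are dropped as Windows does."""
    name = posixpath.basename(filename.replace("\\", "/")).rstrip(". ")
    return posixpath.splitext(name)[1].lower()

def upload_allowed_denylist(filename, perms, table):
    """Denylist policy: extensions in `table` need script source access,
    anything else needs only write. An omission in `table` fails open."""
    if not perms.write:
        return False
    if normalize_ext(filename) in table:
        return perms.script_source_access
    return True

def upload_allowed_allowlist(filename, perms):
    """Hardened policy: only known-safe content needs just write; everything
    else needs script source access, so an unlisted type fails closed."""
    if not perms.write:
        return False
    if normalize_ext(filename) in SAFE_CONTENT:
        return True
    return perms.script_source_access

def demo():
    """Same write-only user, same file, under each policy."""
    write_only = VDirPerms(write=True, script_source_access=False)
    return {
        "flawed_com": upload_allowed_denylist("tool.COM", write_only, FLAWED_TABLE),
        "fixed_com": upload_allowed_denylist("tool.COM", write_only, FIXED_TABLE),
        "allowlist_com": upload_allowed_allowlist("tool.COM", write_only),
        "allowlist_html": upload_allowed_allowlist("index.html", write_only),
    }
```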

Impact:   A remote authenticated user with permission to upload files can upload unauthorized '.com' files to the server.
Solution:   Microsoft has released patches. This is a cumulative patch notice that includes previously released security patches along with the issue described in this alert (as well as other newly reported issues that are addressed in separate alerts).

[Editor's note: This particular bug does not affect IIS 4.0 or 5.1. However, the Microsoft bulletin from which this alert was derived contains other bugs that do affect version 4.0 and 5.1, so we have listed the patch here.]

For IIS 4.0:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43566

For IIS 5.0:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43296

For IIS 5.1:

32-bit: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43578
64-bit: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43602

The IIS 4.0 patch can reportedly be installed on Windows NT 4.0 SP6a, the IIS 5.0 patch on Windows 2000 SP2 or SP3, and the IIS 5.1 patch on Windows XP Professional Gold and SP1.

Microsoft plans to include the IIS 5.0 fixes in Windows 2000 SP4 and the IIS 5.1 fixes in Windows XP SP2.

This patch supersedes the patches addressed in Microsoft Security Bulletins MS01-028 and MS01-018.

Please note that several caveats regarding these patches are described in Microsoft's bulletin.

Microsoft plans to issue Knowledge Base article Q327696 regarding this issue, to be available shortly on the Microsoft Online Support web site at:

http://support.microsoft.com/?scid=fh;en-us;kbhowto

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS02-062.asp (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  Microsoft Security Bulletin MS02-062: Cumulative Patch for Internet Information Service (Q327696)


- ----------------------------------------------------------------------
Title:      Cumulative Patch for Internet Information Service 
            (Q327696)
Date:       30 October 2002
Software:   Internet Information Service
Impact:     Four vulnerabilities, the most serious of which 
            could enable applications on a server to gain 
            system-level privileges.
Max Risk:   Moderate 
Bulletin:   MS02-062

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-062.asp.
- ----------------------------------------------------------------------

Issue:
======
This patch is a cumulative patch that includes the functionality of
all security patches released for IIS 4.0 since Windows 
NT 4.0 Service Pack 6a, and all security patches released to date for
IIS 5.0 and 5.1. A complete listing of the patches 
superseded by this patch is provided below, in the section titled
"Additional information about this patch". Before applying 
the patch, system administrators should take note of the caveats
discussed in the same section. 

In addition to including previously released security patches, this
patch also includes fixes for the following newly 
discovered security vulnerabilities affecting IIS 4.0, 5.0 and/or
5.1: 
 - A privilege elevation vulnerability affecting the way ISAPIs
   are launched when an IIS 4.0, 5.0 or 5.1 server is configured 
   to run them out of process. By design, the hosting process 
   (dllhost.exe) should run only in the security context of the 
   IWAM_computername account; however, it can actually be made to 
   acquire LocalSystem privileges under certain circumstances, 
   thereby enabling an ISAPI to do likewise. 
 - A denial of service vulnerability that results because of a flaw
   in the way IIS 5.0 and 5.1 allocate memory for WebDAV requests. 
   If a WebDAV request were malformed in a particular way, IIS would
   allocate an extremely large amount of memory on the server. By 
   sending several such requests, an attacker could cause the server
   to fail. 
 - A vulnerability involving the operation of the script source 
   access permission in IIS 5.0. This permission operates in 
   addition to the normal read/write permissions for a virtual 
   directory, and regulates whether scripts, .ASP files and 
   executable file types can be uploaded to a write-enabled virtual 
   directory. A typographical error in the table that defines the 
   file types subject to this permission has the effect of omitting
   .COM files from the list of files subject to the permission. As a 
   result, a user would need only write access to upload such a file.
 - A pair of Cross-Site Scripting (CSS) vulnerabilities affecting 
   IIS 4.0, 5.0 and 5.1, and involving administrative web pages. Each
   of these vulnerabilities has the same scope and effect: an 
   attacker who was able to lure a user into clicking a link on his 
   web site could relay a request containing script to a third-party 
   web site running IIS, thereby causing the third-party site's
   response (still including the script) to be sent to the user. 
   The script would then render using the security settings of 
   the third-party site rather than the attacker's. 

In addition, the patch causes IIS 5.0 and 5.1 to change how frequently
the socket backlog list - which, when all connections on a 
server are allocated, holds the list of pending connection requests -
is purged. The patch changes IIS to purge the list more 
frequently in order to make it more resilient to flooding attacks.
The backlog monitoring feature is not present in IIS 4.0.

Mitigating Factors:
====================
Out of Process Privilege Elevation: 
 - This vulnerability could only be exploited by an attacker 
   who already had the ability to load and execute applications
   on an affected web server. Normal security practices recommend
   that untrusted users not be allowed to load applications onto 
   a server, and that even trusted users' applications be 
   scrutinized before allowing them to be loaded. 

WebDAV Denial of Service: 
 - The vulnerability does not affect IIS 4.0, as WebDAV is not 
   supported in this version of IIS. 
 - The vulnerability could only be exploited if the server allowed
   WebDAV requests to be levied on it. The IIS Lockdown Tool 
   (http://www.microsoft.com/technet/security/tools/tools/locktool.asp),
   if deployed in its default configuration, disables such requests. 

Script Source Access Vulnerability: 
 - The vulnerability could only be exploited if the administrator 
   had granted all users write and execute permissions to one or 
   more virtual directories on the server. Default configurations of 
   IIS would be at no risk from this vulnerability. 
 - The vulnerability does not affect IIS 4.0, as WebDAV is not 
   supported in this version of IIS. 
 - The vulnerability could only be exploited if the server allowed 
   WebDAV requests to be levied on it. The IIS Lockdown Tool, if 
   deployed in its default configuration, disables such requests. 

Cross-site Scripting in IIS Administrative Pages: 
 - The vulnerabilities could only be exploited if the attacker 
   could entice another user into visiting a web page and clicking
   a link on it, or opening an HTML mail. 
 - By default, the pages containing the vulnerability are restricted 
   to the local IP address. As a result, the vulnerability could only
   be exploited if the client itself were running IIS.

Aggregate Risk Rating:
======================
 - Internet systems: Moderate
 - Intranet systems: Moderate
 - Client systems: Low

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-062.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Li0n of A3 Security Consulting Co., Ltd. (http://www.a3sc.co.kr)
   for reporting the Out of process privilege elevation 
   vulnerability. 
 - Mark Litchfield of Next Generation Security Software Ltd. 
   (http://www.nextgenss.com) for reporting the WebDAV denial 
   of service vulnerability. 
 - Luciano Martins of Deloitte & Touche Argentina 
   (http://www.deloitte.com.ar) for recommending the change in the
   socket backlog list purge rate.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS 
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR 
SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME 
STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING 
LIMITATION MAY NOT APPLY.
