SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server
Vendors:   Microsoft
Microsoft IIS Buffer Overflow Lets Remote Users With Upload Privileges Execute Code - Remote Users Can Also Crash the Service
SecurityTracker Alert ID:  1006867
SecurityTracker URL:  http://securitytracker.com/id/1006867
CVE Reference:   CVE-2003-0223, CVE-2003-0224, CVE-2003-0225, CVE-2003-0226
Updated:  Dec 7 2003
Original Entry Date:  May 28 2003
Impact:   Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.0, 5.0, 5.1
Description:   Several vulnerabilities were reported in Microsoft Internet Information Server (IIS). A remote user can cause denial of service conditions. A remote user with upload privileges can execute arbitrary code on the target system. A remote user can also conduct cross-site scripting attacks.

It is reported that IIS 5.0 does not properly validate requests for Server Side Includes (SSI) web pages. A remote user with the ability to upload SSI pages to the target server can then call the page to trigger a buffer overflow and execute arbitrary code on the server. The code will reportedly run with user-level permissions.

It is also reported that a remote user with the ability to upload an ASP page to the target server can then call the page to cause denial of service conditions. This is due to the lack of memory limitations in IIS 4.0 and 5.0 when the server constructs HTML headers to be displayed using the 'Response.AddHeader' function. A remote user can thus create a specially crafted ASP page to cause IIS to crash due to insufficient memory.

Another denial of service flaw is reported in IIS 5.0 and 5.1 in the processing of overly long WebDAV requests containing XML. A remote user can create a specific XML error condition that will cause the error handling sequence to get out of order, resulting in an IIS crash. According to the report, IIS will (by default) automatically restart after this occurs.

It is reported that IIS 4.0, 5.0, and 5.1 return a redirection error message that includes user-supplied HTML (without filtering). A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running IIS and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. The affected page reportedly uses the 'Response.Redirect' function.
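
The unfiltered redirection message described above, shown beside an output-encoded version. This is an added Python example, not IIS or Microsoft code; the message template, function names, scheme allow-list and sample URL are assumptions constructed for illustration.

```python
# Added illustration (not IIS or Microsoft code). The message template,
# function names and scheme allow-list are assumptions made for this example.
from html import escape
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"", "http", "https"}  # "" means a relative URL (assumed policy)

TEMPLATE = ('<html><head><title>Object moved</title></head><body>'
            '<h1>Object moved</h1>This object may be found '
            '<a href="{target}">here</a>.</body></html>')


def redirect_message_unfiltered(target):
    """Flawed pattern from the advisory: user-supplied text is emitted as HTML."""
    return TEMPLATE.format(target=target)


def redirect_message_encoded(target):
    """Hardened form: check the URL scheme, then HTML-encode before output."""
    scheme = urlsplit(target.strip()).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError("disallowed redirect scheme: %r" % scheme)
    # quote=True also encodes " and ', so the value cannot leave the href attribute
    return TEMPLATE.format(target=escape(target, quote=True))


def carries_live_markup(page, user_value):
    """True if the user's raw value (with its < > ") survived into the page."""
    return any(c in user_value for c in '<>"') and user_value in page


if __name__ == "__main__":
    # Constructed sample input: a redirect target carrying HTML metacharacters.
    sample = '/default.asp?next="><b>injected</b>'
    print(carries_live_markup(redirect_message_unfiltered(sample), sample))
    print(carries_live_markup(redirect_message_encoded(sample), sample))
    print(redirect_message_encoded(sample))
```
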

Microsoft reports that Internet Information Services 6.0 is not affected by any of these flaws.

Microsoft credits SPI Dynamics for reporting the Redirection Cross Site Scripting and WebDAV Denial of Service vulnerabilities and NSFocus for reporting the Server Side Include Web Pages Buffer Overrun vulnerability.

Impact:   A remote user can cause IIS to crash.

A remote user with the ability to upload files to the web server can then call the files to cause IIS to crash or to execute arbitrary code with user-level privileges.

A remote user can conduct cross-site scripting attacks to access the target user's cookies (including authentication cookies), if any, associated with the site running IIS, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   Microsoft has released the following patches:

IIS 4.0:

http://microsoft.com/downloads/details.aspx?FamilyId=1DBC1914-98E9-4DED-ADBF-E9B374A1F79D&displaylang=en

IIS 5.0:

http://microsoft.com/downloads/details.aspx?FamilyId=2F5D9852-4ADD-44F8-8715-AC3D7D7D94BF&displaylang=en

IIS 5.1:

32-bit Edition:

http://microsoft.com/downloads/details.aspx?FamilyId=77CFE3EF-C5C5-401C-BC12-9F08154A5007&displaylang=en

64-bit Edition:

http://microsoft.com/downloads/details.aspx?FamilyId=86F4407E-B9BF-4490-9421-008407578D11&displaylang=en


The IIS 4.0 patch can be installed on Windows NT 4.0 SP6a. The IIS 5.0 patch can be installed on Windows 2000 SP2 or SP3. The IIS 5.1 patch can be installed on Windows XP Professional Gold or SP1.

Microsoft plans to include the IIS 5.0 fixes in Windows 2000 SP4 and the IIS 5.1 fixes in Windows XP SP2.

A reboot may or may not be needed, depending on the version number you are using and on other factors [see the Microsoft bulletin for clarification].

This patch supersedes MS02-062, MS02-028, and MS02-018. Note that MS02-018 is itself a cumulative patch that supersedes additional patches not listed here.

This patch reportedly requires the patch addressed in Microsoft Security Bulletin MS02-050. If you have not installed MS02-050, IIS will reportedly reject client-side certificates.

There is a very long list of additional caveats associated with patch MS03-018. For example, some IIS 4.0 vulnerability fixes are not included. Also, some vulnerabilities in IIS-related products (e.g., FrontPage, Index Server) are not fixed by this patch. Please be sure to read the Microsoft advisory:

http://www.microsoft.com/technet/security/bulletin/MS03-018.asp

Microsoft has issued Knowledge Base article 811114 regarding this issue, available at:

http://support.microsoft.com/?id=811114

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS03-018.asp
Cause:   Boundary error, Exception handling error, Input validation error, State error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)
Underlying OS Comments:  Windows NT 4.0, 2000, XP

Message History:   None.


 Source Message Contents

Subject:  MS03-018


www.microsoft.com/technet/security/bulletin/MS03-018.asp

MS03-018

Windows NT 4.0, 2000, XP

4.0, 5.0, 5.1

Cumulative Patch for Internet Information Service (811114)

Maximum Severity Rating: Important


Microsoft Internet Information Server Buffer Overflow and Memory Flaw Let Remote Users 
With Upload Privileges Execute Code or Consume Excessive Memory

Several vulnerabilities were reported in Microsoft Internet Information Server (IIS).  A 
remote user with upload privileges can execute arbitrary code on the target system or 
cause denial of service conditions.  A remote user can also conduct cross-site scripting 
attacks.

It is reported that IIS 5.0 does not properly validate requests for Server Side Includes 
(SSI) web pages.  A remote user with the ability to upload SSI pages to the target server 
can then call the page to trigger a buffer overflow and execute arbitrary code on the 
server.  The code will reportedly run with user-level permissions.

It is also reported that a remote user with the ability to upload an ASP page to the 
target server can then call the page to cause denial of service conditions.  This is due 
to the lack of memory limitations in IIS 4.0 and 5.0 when the server constructs HTML 
headers to be displayed using the 'Response.AddHeader' function.  A remote user can thus 
cause IIS to crash due to insufficient memory.

Another denial of service flaw is reported in IIS 5.0 and 5.1 in the processing of overly 
long WebDAV requests containing XML.  A remote user can create a specific XML error 
condition that will cause the error handling sequence to get out of order, resulting in an 
IIS crash.  According to the report, IIS will (by default) automatically restart after 
this occurs.

It is reported that IIS 4.0, 5.0, and 5.1 return a redirection error message that includes 
user-supplied HTML (without filtering).  A remote user can create a specially crafted URL 
that, when loaded by a target user, will cause arbitrary scripting code to be executed by 
the target user's browser. The code will originate from the site running IIS and will run 
in the security context of that site. As a result, the code will be able to access the 
target user's cookies (including authentication cookies), if any, associated with the 
site, access data recently submitted by the target user via web form to the site, or take 
actions on the site acting as the target user.  The affected page reportedly uses the 
'Response.Redirect' function.

Microsoft reports that Internet Information Services 6.0 is not affected by any of these 
flaws.

Microsoft credits SPI Dynamics for reporting the Redirection Cross Site Scripting and 
WebDAV Denial of Service vulnerabilities and NSFocus for reporting the Server Side Include 
Web Pages Buffer Overrun vulnerability.


Microsoft has released the following patches:

IIS 4.0:

http://microsoft.com/downloads/details.aspx?FamilyId=1DBC1914-98E9-4DED-ADBF-E9B374A1F79D&displaylang=en

IIS 5.0:

http://microsoft.com/downloads/details.aspx?FamilyId=2F5D9852-4ADD-44F8-8715-AC3D7D7D94BF&displaylang=en

IIS 5.1:

32-bit Edition:

http://microsoft.com/downloads/details.aspx?FamilyId=77CFE3EF-C5C5-401C-BC12-9F08154A5007&displaylang=en

64-bit Edition:

http://microsoft.com/downloads/details.aspx?FamilyId=86F4407E-B9BF-4490-9421-008407578D11&displaylang=en


The IIS 4.0 patch can be installed on Windows NT 4.0 SP6a.  The IIS 5.0 patch can be 
installed on Windows 2000 SP2 or SP3.  The IIS 5.1 patch can be installed on Windows XP 
Professional Gold or SP1.

Microsoft plans to include the IIS 5.0 fixes in Windows 2000 SP4 and the IIS 5.1 fixes in 
Windows XP SP2.

A reboot may or may not be needed, depending on the version number you are using and on 
other factors [see the Microsoft bulletin for clarification].

This patch supersedes MS02-062, MS02-028, and MS02-018.  Note that MS02-018 is itself a 
cumulative patch that supersedes additional patches not listed here.

This patch reportedly requires the patch addressed in Microsoft Security Bulletin 
MS02-050.  If you have not installed MS02-050, IIS will reportedly reject client-side 
certificates.

There is a very long list of additional caveats associated with patch MS03-018.  For 
example, some IIS 4.0 vulnerability fixes are not included.  Also, some vulnerabilities in 
IIS-related products (e.g., FrontPage, Index Server) are not fixed by this patch.  Please 
be sure to read the Microsoft advisory:

http://www.microsoft.com/technet/security/bulletin/MS03-018.asp

Microsoft has issued Knowledge Base article 811114 regarding this issue, available at:
http://support.microsoft.com/?id=811114


Aggregate Severity of all Vulnerabilities
	
IIS 4.0	Moderate
IIS 5.0	Important
IIS 5.1	Important

CVE:  CAN-2003-0223, CAN-2003-0224, CAN-2003-0225, CAN-2003-0226




 
 

