Search...

Microsoft Internet Information Server (IIS) vulnerable to buffer overflow via inaccurate checking of delimiters in HTTP header fields

2002-04-10T00:00:00

ID VU:454091
Type cert
Reporter CERT
Modified 2002-04-10T20:39:00

Description

Overview

A buffer overflow in IIS could allow an intruder to execute arbitrary code the the privileges of the ASP ISAPI extension.

Description

Like all web servers, IIS parses HTTP headers and decomposes them into the constituent parts. As part of this processing, IIS checks for delimiters that are supposed to mark boundaries within the headers. By constructing a carefully chosen HTTP request, and intruder to cause IIS to incorrectly parse an HTTP header, and place the incorrect results into a buffer that is too small. For more information, see Microsoft Security Bulletin MS02-018.

Impact

An intruder can interrupt the ordinary operation of a vulnerable IIS server or execute arbitrary code with the privileges of ASP ISAPI extension, ASP.DLL. On IIS 4.0, ASP.DLL runs as part of the operating system thus allowing an intruder to take full administrative control. On IIS 5.0 and 5.1, ASP.DLL runs with the privileges of the IWAM__computername_ account.

Solution

Apply a patch as described in Microsoft Security Bulletin MS02-018.

Until a patch can be applied, you may wish to disable the ASP ISAPI extension by using the IIS Lockdown tool, available at <http://www.microsoft.com/technet/security/tools/locktool.asp>. Additionally, the URLScan tool can help reduce the impact of this vulnerability.

Vendor Information

Javascript is disabled. Click here to view vendors.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | |
Temporal | |
Environmental | |

References

<http://www.microsoft.com/technet/security/bulletin/MS02-018.asp>
<http://www.microsoft.com/technet/security/tools/locktool.asp>
<http://www.microsoft.com/technet/security/URLScan.asp>

Acknowledgements

Our thanks to Microsoft Corporation, upon whose advisory this document is based.

This document was written by Shawn V. Hernan.

Other Information

CVE IDs: | CVE-2002-0150
---|---
Severity Metric: | 51.30
Date Public: | 2002-04-10
Date First Published: | 2002-04-10
Date Last Updated: | 2002-04-10 20:39 UTC
Document Revision: | 6

JSON Vulners Source

Initial Source

{"id": "VU:454091", "type": "cert", "bulletinFamily": "info", "title": "Microsoft Internet Information Server (IIS) vulnerable to buffer overflow via inaccurate checking of delimiters in HTTP header fields", "description": "### Overview \n\nA buffer overflow in IIS could allow an intruder to execute arbitrary code the the privileges of the ASP ISAPI extension. \n\n### Description \n\nLike all web servers, IIS parses HTTP headers and decomposes them into the constituent parts. As part of this processing, IIS checks for delimiters that are supposed to mark boundaries within the headers. By constructing a carefully chosen HTTP request, and intruder to cause IIS to incorrectly parse an HTTP header, and place the incorrect results into a buffer that is too small. For more information, see [Microsoft Security Bulletin MS02-018](<http://www.microsoft.com/technet/security/bulletin/ms02-018.asp>). \n \n--- \n \n### Impact \n\nAn intruder can interrupt the ordinary operation of a vulnerable IIS server or execute arbitrary code with the privileges of ASP ISAPI extension, ASP.DLL. On IIS 4.0, ASP.DLL runs as part of the operating system thus allowing an intruder to take full administrative control. On IIS 5.0 and 5.1, ASP.DLL runs with the privileges of the IWAM__computername_ account. \n \n--- \n \n### Solution \n\nApply a patch as described in [Microsoft Security Bulletin MS02-018](<http://www.microsoft.com/technet/security/bulletin/ms02-018.asp>). \n \n--- \n \nUntil a patch can be applied, you may wish to disable the ASP ISAPI extension by using the IIS Lockdown tool, available at <http://www.microsoft.com/technet/security/tools/locktool.asp>. Additionally, the [URLScan](<http://www.microsoft.com/technet/security/URLScan.asp>) tool can help reduce the impact of this vulnerability. \n \n--- \n \n### Vendor Information\n\n**Javascript is disabled. Click here to view vendors.**\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.microsoft.com/technet/security/bulletin/MS02-018.asp>\n * <http://www.microsoft.com/technet/security/tools/locktool.asp>\n * <http://www.microsoft.com/technet/security/URLScan.asp>\n\n### Acknowledgements\n\nOur thanks to Microsoft Corporation, upon whose advisory this document is based. \n\nThis document was written by Shawn V. Hernan. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2002-0150](<http://web.nvd.nist.gov/vuln/detail/CVE-2002-0150>) \n---|--- \n**Severity Metric:** | 51.30 \n**Date Public:** | 2002-04-10 \n**Date First Published:** | 2002-04-10 \n**Date Last Updated: ** | 2002-04-10 20:39 UTC \n**Document Revision: ** | 6 \n", "published": "2002-04-10T00:00:00", "modified": "2002-04-10T20:39:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.kb.cert.org/vuls/id/454091", "reporter": "CERT", "references": ["http://www.microsoft.com/technet/security/bulletin/MS02-018.asp", "http://www.microsoft.com/technet/security/tools/locktool.asp", "http://www.microsoft.com/technet/security/URLScan.asp"], "cvelist": ["CVE-2002-0150"], "lastseen": "2020-09-18T20:44:58", "viewCount": 7, "enchantments": {"score": {"value": 8.0, "vector": "NONE", "modified": "2020-09-18T20:44:58", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2002-0150"]}, {"type": "osvdb", "idList": ["OSVDB:3316"]}, {"type": "openvas", "idList": ["OPENVAS:10943", "OPENVAS:136141256231010943", "OPENVAS:136141256231010936"]}, {"type": "nessus", "idList": ["IIS_XSS_404.NASL", "SMB_NT_MS02-018.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:2748", "SECURITYVULNS:DOC:2759"]}, {"type": "cisco", "idList": ["CISCO-SA-20020415-MS02-018"]}], "modified": "2020-09-18T20:44:58", "rev": 2}, "vulnersScore": 8.0}}

{"cve": [{"lastseen": "2020-10-03T11:36:59", "description": "Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field values.", "edition": 3, "cvss3": {}, "published": "2002-04-22T04:00:00", "title": "CVE-2002-0150", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2002-0150"], "modified": "2018-10-30T16:25:00", "cpe": ["cpe:/a:microsoft:internet_information_server:4.0", "cpe:/a:microsoft:internet_information_services:5.0", "cpe:/a:microsoft:internet_information_server:5.1"], "id": "CVE-2002-0150", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0150", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:internet_information_services:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_information_server:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_information_server:4.0:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:19:57", "bulletinFamily": "software", "cvelist": ["CVE-2002-0150"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in how IIS processes HTTP header information. IIS performs a safety check to ensure that all header values are valid, however it is possible to spoof the results of the check and convince the application that delimiter fields are present when they are not. With a specially crafted URL, an attacker can cause either a DoS or the execution of arbitrary code, resulting in a loss of confidentiality, integrity, and/or availability.\n## Technical Description\nArbitrary code will be executed with the privileges of ASP ISAPI extension, ASP.DLL. On IIS 4.0, ASP.DLL runs as part of the OS, allowing full administrative control. On IIS 5.0 and 5.1, ASP.DLL runs with the privileges of the IWAM_computername account.\n## Solution Description\nInstall Patch Q319733, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s):\n\n1. Disable ASP - Version 1.0 of the IIS Lockdown Tool disables ASP by default, and version 2.1 disables ASP if \"Static Web Server\" is selected.\n\n2. The URLScan tool can be used to prevent code execution, but not the DoS.\n## Short Description\nA remote overflow exists in how IIS processes HTTP header information. IIS performs a safety check to ensure that all header values are valid, however it is possible to spoof the results of the check and convince the application that delimiter fields are present when they are not. With a specially crafted URL, an attacker can cause either a DoS or the execution of arbitrary code, resulting in a loss of confidentiality, integrity, and/or availability.\n## References:\nVendor Specific Solution URL: http://www.microsoft.com/technet/security/tools/locktool.asp\nVendor Specific Solution URL: http://www.microsoft.com/technet/security/URLScan.asp\nVendor Specific Solution URL: http://www.microsoft.com/downloads/search.aspx?opsysid=1&search=Keyword&value='security_patch'&displaylang=en\n[Vendor Specific Advisory URL](http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml)\nOther Advisory URL: http://www.nipc.gov/warnings/advisories/2002/02-002.htm\nOther Advisory URL: http://xforce.iss.net/xforce/alerts/id/advise114\nMicrosoft Security Bulletin: MS02-018\nISS X-Force ID: 8797\n[CVE-2002-0150](https://vulners.com/cve/CVE-2002-0150)\nCIAC Advisory: M-066\nCERT VU: 454091\nCERT: CA-2002-09\nBugtraq ID: 4476\n", "modified": "2002-04-10T00:00:00", "published": "2002-04-10T00:00:00", "id": "OSVDB:3316", "href": "https://vulners.com/osvdb/OSVDB:3316", "title": "Microsoft IIS HTTP Header Field Delimiter Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2020-05-12T15:08:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-1325", "CVE-2002-0148", "CVE-2002-0150"], "description": "This IIS Server appears to vulnerable to one of the cross site scripting\n attacks described in MS02-018.", "modified": "2020-05-08T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231010936", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010936", "type": "openvas", "title": "IIS XSS via 404 error", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# IIS XSS via 404 error\n#\n# Authors:\n# Matt Moore <matt.moore@westpoint.ltd.uk>\n# www.westpoint.ltd.uk\n#\n# Copyright:\n# Copyright (C) 2002 Matt Moore\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\n# admins who installed this patch would necessarily not be vulnerable to CVE-2001-1325\n\nCPE = \"cpe:/a:microsoft:iis\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10936\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_bugtraq_id(4476, 4483, 4486);\n script_name(\"IIS XSS via 404 error\");\n script_cve_id(\"CVE-2002-0148\", \"CVE-2002-0150\"); # lots of bugs rolled into one patch...\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2002 Matt Moore\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_ms_iis_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"IIS/installed\");\n\n script_xref(name:\"IAVA\", value:\"2002-A-0002\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-018\");\n script_xref(name:\"URL\", value:\"http://jscript.dk/adv/TL001/\");\n\n script_tag(name:\"summary\", value:\"This IIS Server appears to vulnerable to one of the cross site scripting\n attacks described in MS02-018.\");\n\n script_tag(name:\"insight\", value:\"The default '404' file returned by IIS uses scripting to output a link to\n top level domain part of the url requested. By crafting a particular URL it is possible to insert arbitrary\n script into the page for execution.\n\n The presence of this vulnerability also indicates that the host is vulnerable to the other issues identified\n in MS02-018 (various remote buffer overflow and cross site scripting attacks...)\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n exit(0);\n}\n\n# nb: Check makes a request for non-existent HTML file. The server should return a 404 for this request.\n# The unpatched server returns a page containing the buggy JavaScript, on a patched server this has been\n# updated to further check the input...\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit( 0 );\n\nif( ! get_app_location( cpe:CPE, port:port ) ) # To have a reference to the detection NVT\n exit( 0 );\n\nbanner = http_get_remote_headers( port:port );\nif( \"Microsoft-IIS\" >!< banner ) exit( 0 );\n\nreq = http_get( item:\"/blah.htm\", port:port );\nr = http_keepalive_send_recv( port:port, data:req );\nif( ! r ) exit( 0 );\n\nstr1 = \"urlresult\";\nstr2 = \"+ displayresult +\";\n\nif( ( str1 >< r ) && ( str2 >< r ) ) {\n security_message( port:port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-12-08T11:44:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1180", "CVE-2002-0149", "CVE-2002-0147", "CVE-2002-1181", "CVE-2002-0869", "CVE-2002-0224", "CVE-2002-1182", "CVE-2002-0150"], "description": "Cumulative Patch for Microsoft IIS (Q327696)\n\nImpact of vulnerability: Ten new vulnerabilities, the most\nserious of which could enable code of an attacker's choice\nto be run on a server.\n\nRecommendation: Users using any of the affected\nproducts should install the patch immediately.\n\nMaximum Severity Rating: Critical \n\nAffected Software: \n\nMicrosoft Internet Information Server 4.0 \nMicrosoft Internet Information Services 5.0 \nMicrosoft Internet Information Services 5.1 \n\nSee\nhttp://www.microsoft.com/technet/security/bulletin/ms02-062.mspx\n\nSupersedes\n\nhttp://www.microsoft.com/technet/security/bulletin/ms02-018.mspx", "modified": "2017-12-07T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:10943", "href": "http://plugins.openvas.org/nasl.php?oid=10943", "type": "openvas", "title": "Cumulative Patch for Internet Information Services (Q327696)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: smb_nt_ms02-018.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: Cumulative Patch for Internet Information Services (Q327696)\n#\n# Authors:\n# Michael Scheidell <scheidell at secnap.net>\n# Updated: 2009/04/23\n# Chandan S <schandan@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2002 Michael Scheidell\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"Cumulative Patch for Microsoft IIS (Q327696)\n\nImpact of vulnerability: Ten new vulnerabilities, the most\nserious of which could enable code of an attacker's choice\nto be run on a server.\n\nRecommendation: Users using any of the affected\nproducts should install the patch immediately.\n\nMaximum Severity Rating: Critical \n\nAffected Software: \n\nMicrosoft Internet Information Server 4.0 \nMicrosoft Internet Information Services 5.0 \nMicrosoft Internet Information Services 5.1 \n\nSee\nhttp://www.microsoft.com/technet/security/bulletin/ms02-062.mspx\n\nSupersedes\n\nhttp://www.microsoft.com/technet/security/bulletin/ms02-018.mspx\";\n\nif(description)\n{\n script_id(10943);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(4006, 4474, 4476, 4478, 4490, 6069, 6070, 6071, 6072);\n script_cve_id(\"CVE-2002-0147\", \"CVE-2002-0149\",\n \t \"CVE-2002-0150\", \"CVE-2002-0224\",\n \t \"CVE-2002-0869\", \"CVE-2002-1182\",\n\t \"CVE-2002-1180\", \"CVE-2002-1181\");\n script_xref(name:\"IAVA\", value:\"2002-A-0002\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n name = \"Cumulative Patch for Internet Information Services (Q327696)\";\n \n script_name(name);\n \n\n\n \n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"registry\");\n \n script_copyright(\"This script is Copyright (C) 2002 Michael Scheidell\");\n family = \"Windows : Microsoft Bulletins\";\n script_family(family);\n \n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\ninclude(\"secpod_reg.inc\");\n\nif ( hotfix_check_iis_installed() <= 0 ) exit(0);\nif ( hotfix_check_sp(nt:7, win2k:3, xp:1 ) <= 0 ) exit(0);\nif ( hotfix_missing(name:\"Q811114\") > 0 &&\n hotfix_missing(name:\"Q327696\") > 0 ) \n\tsecurity_message(get_kb_item(\"SMB/transport\"));\n \n\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-06-11T15:22:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1180", "CVE-2002-0149", "CVE-2002-0147", "CVE-2002-1181", "CVE-2002-0869", "CVE-2002-0224", "CVE-2002-1182", "CVE-2002-0150"], "description": "Check if the Cumulative Patch for Microsoft IIS (Q327696) is installed.", "modified": "2020-06-09T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231010943", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010943", "type": "openvas", "title": "Cumulative Patch for Internet Information Services (Q327696)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Cumulative Patch for Internet Information Services (Q327696)\n#\n# Authors:\n# Michael Scheidell <scheidell at secnap.net>\n# Updated: 2009/04/23\n# Chandan S <schandan@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2002 Michael Scheidell\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10943\");\n script_version(\"2020-06-09T11:16:08+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 11:16:08 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(4006, 4474, 4476, 4478, 4490, 6069, 6070, 6071, 6072);\n script_cve_id(\"CVE-2002-0147\", \"CVE-2002-0149\",\n \"CVE-2002-0150\", \"CVE-2002-0224\",\n \"CVE-2002-0869\", \"CVE-2002-1182\",\n \"CVE-2002-1180\", \"CVE-2002-1181\");\n script_xref(name:\"IAVA\", value:\"2002-A-0002\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Cumulative Patch for Internet Information Services (Q327696)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2002 Michael Scheidell\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_mandatory_keys(\"SMB/registry_enumerated\");\n\n script_tag(name:\"summary\", value:\"Check if the Cumulative Patch for Microsoft IIS (Q327696) is installed.\");\n\n script_tag(name:\"impact\", value:\"Ten new vulnerabilities, the most serious of which could enable code of an attacker's choice\n to be run on a server.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Internet Information Services 4.0\n\n - Microsoft Internet Information Services 5.0\n\n - Microsoft Internet Information Services 5.1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-062\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"secpod_reg.inc\");\n\nif ( hotfix_check_iis_installed() <= 0 ) exit(0);\nif ( hotfix_check_sp(nt:7, win2k:3, xp:1 ) <= 0 ) exit(0);\nif ( hotfix_missing(name:\"Q811114\") > 0 &&\n hotfix_missing(name:\"Q327696\") > 0 )\n security_message(port:0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-09-14T15:39:59", "description": "This IIS Server appears to be vulnerable to one of the cross-site \nscripting attacks described in MS02-018. The default '404' file \nreturned by IIS uses scripting to output a link to the top level domain\npart of the url requested. By crafting a particular URL, it is possible\nto insert arbitrary script into the page for execution.\n\nThe presence of this vulnerability also indicates that you are \nvulnerable to the other issues identified in MS02-018 (various remote\nbuffer overflow and cross-site scripting attacks.)", "edition": 21, "published": "2002-04-11T00:00:00", "title": "Microsoft IIS Multiple Vulnerabilities (MS02-018)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-1325", "CVE-2002-0074", "CVE-2002-0148", "CVE-2002-0150"], "modified": "2002-04-11T00:00:00", "cpe": ["cpe:/a:microsoft:iis"], "id": "IIS_XSS_404.NASL", "href": "https://www.tenable.com/plugins/nessus/10936", "sourceData": "#\n# This script was written by Matt Moore <matt.moore@westpoint.ltd.uk>\n#\n# www.westpoint.ltd.uk\n#\n# See the Nessus Scripts License for details\n#\n# admins who installed this patch would necessarily not be vulnerable to CVE-2001-1325\n#\n# Changes by Tenable:\n# - Revised script name (12/19/08)\n# - Changed plugin family [plugin covers more than XSS] (5/20/09)\n# - Revised plugin description (06/02/2011)\n# - Add MSKB script_xref (8/29/17)\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10936);\n script_version (\"1.46\");\n\n script_cve_id(\"CVE-2002-0074\", \"CVE-2002-0148\", \"CVE-2002-0150\"); # lots of bugs rolled into one patch...\n script_bugtraq_id(4476, 4483, 4486);\n script_xref(name:\"MSFT\", value:\"MS02-018\");\n script_xref(name:\"MSKB\", value:\"319733\");\n\n script_name(english:\"Microsoft IIS Multiple Vulnerabilities (MS02-018)\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"This IIS Server appears to be vulnerable to one of the cross-site \nscripting attacks described in MS02-018. The default '404' file \nreturned by IIS uses scripting to output a link to the top level domain\npart of the url requested. By crafting a particular URL, it is possible\nto insert arbitrary script into the page for execution.\n\nThe presence of this vulnerability also indicates that you are \nvulnerable to the other issues identified in MS02-018 (various remote\nbuffer overflow and cross-site scripting attacks.)\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2002/ms02-018\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7b1236eb\" );\n\n script_set_attribute(attribute:\"solution\", value:\"Update your web server\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2002/04/11\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2002/04/10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:iis\");\n script_end_attributes();\n\n \n script_summary(english:\"Tests for IIS XSS via 404 errors\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2002-2020 Matt Moore\");\n script_family(english:\"CGI abuses\");\n script_dependencie(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n# Check makes a request for nonexistent HTML file. The server should return a 404 for this request.\n# The unpatched server returns a page containing the buggy JavaScript, on a patched server this has been\n# updated to further check the input...\n\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80, embedded:TRUE);\n\n\nbanner = get_http_banner(port:port);\nif ( \"Microsoft-IIS\" >!< banner ) exit(0);\n\nif(get_port_state(port))\n{ \n req = http_get(item:\"/blah.htm\", port:port);\n r = http_keepalive_send_recv(port:port, data:req);\n if ( ! r ) exit(0);\n str1=\"urlresult\";\n str2=\"+ displayresult +\";\n\n if((str1 >< r) && (str2 >< r))\n {\n security_warning(port);\n set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-11-01T01:29:39", "description": "The remote version of Windows contains multiple flaws in the Internet\nInformation Service (IIS), such as heap overflow, DoS, and XSS that\ncould allow an attacker to execute arbitrary code on the remote host\nwith SYSTEM privileges.", "edition": 25, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2002-04-23T00:00:00", "title": "MS02-018: Cumulative Patch for Internet Information Services (327696)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1180", "CVE-2002-0149", "CVE-2002-0147", "CVE-2002-0071", "CVE-2002-1181", "CVE-2002-0869", "CVE-2002-0224", "CVE-2002-1182", "CVE-2002-0150"], "modified": "2020-11-02T00:00:00", "cpe": ["cpe:/a:microsoft:iis", "cpe:/o:microsoft:windows"], "id": "SMB_NT_MS02-018.NASL", "href": "https://www.tenable.com/plugins/nessus/10943", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10943);\n script_version(\"1.60\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\n \"CVE-2002-0071\",\n \"CVE-2002-0147\",\n \"CVE-2002-0149\",\n \"CVE-2002-0150\",\n \"CVE-2002-0224\",\n \"CVE-2002-0869\",\n \"CVE-2002-1180\",\n \"CVE-2002-1181\",\n \"CVE-2002-1182\"\n );\n script_bugtraq_id(4006, 4474, 4476, 4478, 4490, 6069, 6070, 6071, 6072);\n script_xref(name:\"CERT\", value:\"610291\");\n script_xref(name:\"CERT\", value:\"669779\");\n script_xref(name:\"CERT\", value:\"454091\");\n script_xref(name:\"CERT\", value:\"721963\");\n script_xref(name:\"CERT\", value:\"363715\");\n script_xref(name:\"CERT\", value:\"521059\");\n script_xref(name:\"CERT\", value:\"412203\");\n script_xref(name:\"CERT\", value:\"883091\");\n script_xref(name:\"CERT\", value:\"886699\");\n script_xref(name:\"MSFT\", value:\"MS02-018\");\n script_xref(name:\"MSFT\", value:\"MS02-062\");\n script_xref(name:\"MSKB\", value:\"319733\");\n\n script_name(english:\"MS02-018: Cumulative Patch for Internet Information Services (327696)\");\n script_summary(english:\"Determines whether October 30, 2002 IIS Cumulative patches (Q327696) are installed\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through the web\nserver.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote version of Windows contains multiple flaws in the Internet\nInformation Service (IIS), such as heap overflow, DoS, and XSS that\ncould allow an attacker to execute arbitrary code on the remote host\nwith SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2002/ms02-018\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2002/ms02-062\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for IIS 4.0, 5.0, 5.1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS02-018 Microsoft IIS 4.0 .HTR Path Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2002/01/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2002/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2002/04/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:iis\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS02-018';\nkb = '319733';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(nt:'6', win2k:'1,2', xp:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_iis_installed() <= 0) audit(AUDIT_NOT_INST, \"IIS\");\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n hotfix_is_vulnerable(os:\"5.1\", sp:0, file:\"W3svc.dll\", version:\"5.1.2600.1125\", dir:\"\\system32\\inetsrv\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"W3svc.dll\", version:\"5.0.2195.5995\", dir:\"\\system32\\inetsrv\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"4.0\", file:\"W3svc.dll\", version:\"4.2.780.1\", dir:\"\\system32\\inetsrv\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:05", "bulletinFamily": "software", "cvelist": ["CVE-2002-0074", "CVE-2002-0148", "CVE-2002-0149", "CVE-2002-0147", "CVE-2002-0071", "CVE-2002-0072", "CVE-2002-0073", "CVE-2002-0075", "CVE-2002-0079", "CVE-2002-0150"], "description": "\r\nTO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to\r\nmajordomo@iss.net Contact alert-owner@iss.net for help with any problems!\r\n---------------------------------------------------------------------------\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\n\r\nInternet Security Systems Security Alert\r\nApril 10, 2002\r\n\r\nMultiple Remote Vulnerabilities in Microsoft IIS\r\n\r\nSynopsis:\r\n\r\nISS X-Force has learned that Microsoft Internet Information Server (IIS)\r\nis affected by ten new remote vulnerabilities. These vulnerabilities\r\nvary in severity from mild to critical. A remote attacker may exploit\r\none or more of these vulnerabilities to cause a target Web server to\r\ncrash, execute arbitrary commands on the server, or gain complete\r\ncontrol of a target IIS server.\r\n\r\nAffected Versions:\r\n\r\nMicrosoft Internet Information Server 4.0\r\nMicrosoft Internet Information Server 5.0\r\nMicrosoft Internet Information Server 5.1\r\n\r\nNote: IIS 6.0 Beta build 3605 and earlier are also affected.\r\n\r\nDescription:\r\n\r\nMicrosoft released a Security Bulletin on April 10, 2002 detailing new\r\ncumulative patches for IIS 4.0, 5.0, and 5.1. These patches contain all\r\nprevious security patches for each version as well as patches for ten\r\nnew vulnerabilities.\r\n\r\nHeap Buffer overflow in ASP chunked encoding routines\r\n(CAN-2002-0079)\r\n\r\nASP (Active Server Pages) is enabled on all IIS installations by\r\ndefault. ASP is used to dynamically generate HTML pages on the server\r\nand deliver them to a client. IIS improperly handles specially-crafted\r\nchunked encoding queries to ASP pages. Chunked encoding is used in\r\nsituations when a client supplies the server with a variable amount of\r\ninformation. If the client supplies data using chunked encoding, the\r\nserver dynamically allocates memory according to the size of each\r\nincoming chunk. IIS improperly adds the sizes of these allocated chunks,\r\nwhich may overwrite memory. Successful exploitation of this\r\nvulnerability may crash a vulnerable server, allowing remote attackers\r\nto execute arbitrary commands on the server with IWAM_computername\r\nprivileges. This account is equivalent to an unprivileged normal user.\r\nThis vulnerability affects IIS versions 4.0 and 5.0.\r\n\r\nBuffer overflow within the ASP data transfer mechanism\r\n(CAN-2002-0147)\r\n\r\nThis vulnerability is similar to the previous vulnerability and affects\r\nIIS versions 4.0, 5.0, and 5.1.\r\n\r\nBuffer overflow in IIS HTTP header delimiter parsing\r\n(CAN-2002-0150)\r\n\r\nIt may be possible for remote attackers to create a special request to\r\nbypass IIS delimiter parsing. IIS 4.0, 5.0, and 5.1 may incorrectly\r\nparse this request and overflow a buffer, which may lead to a denial of\r\nservice attack or the ability to execute arbitrary code on the target\r\nserver with IWAM_computername privileges.\r\n\r\nBuffer overflow in IIS ASP Server-Side Include routines\r\n(CAN-2002-0149)\r\n\r\nASP scripts sometimes process external files in order to function\r\ncorrectly. If an attacker sends a specific query to an overly long\r\nfilename, this name may be processed within the ASP script as a server-\r\nside include (SSI). A buffer overflow may be triggered if the length of\r\nthe filename is longer than the static buffer within the SSI routine.\r\nThis vulnerability affects IIS 4.0, 5.0, and 5.1. Successful\r\nexploitation of this vulnerability may crash the server or allow an\r\nattacker to execute arbitrary code on the target server with\r\nIWAM_computername privileges.\r\n\r\n\r\nBuffer overflow in the HTR ISAPI extension\r\n(CAN-2002-0071)\r\n\r\nHTR was the predecessor to ASP and is considered a legacy technology.\r\nHTR remains in use today to handle password management in IIS. It may be\r\npossible for an attacker to send a malformed HTR request to a vulnerable\r\nIIS 4.0 or 5.0 server to cause a denial of service attack. An attacker\r\nmay also use this vulnerability to run arbitrary commands with\r\nIWAM_computername privileges. HTR files need not be present on the\r\nserver for attackers to exploit this vulnerability.\r\n\r\nDenial of service caused by improper handling of error conditions in\r\nISAPI filters\r\n(CAN-2002-0072)\r\n\r\nIf vulnerable ISAPI filters within IIS 4.0, 5.0, and 5.1 receive a URL\r\nof an illegal length, IIS will improperly rewrite the URL with a null\r\nvalue and attempt to send the error back to the client that requested\r\nthe URL. Before the request is sent, IIS attempts to operate on the null\r\nvalue, which causes a fault that crashes the server.\r\n\r\nDenial of service in the IIS 4.0, 5.0 and 5.1 FTP (File Transfer\r\nProtocol) service\r\n(CAN-2002-0073)\r\n\r\nIIS improperly handles specially-crafted status requests on current FTP\r\nsessions. When an attacker sends this type of request to an IIS server,\r\nit may lead to improper access of uninitialized memory, which may result\r\nin a denial of service to FTP and Web services.\r\n\r\nCross-Site Scripting (CSS) vulnerabilities present in IIS 4.0, 5.0 and\r\n5.1\r\n(CAN-2002-0074)\r\n(CAN-2002-0148)\r\n(CAN-2002-0075)\r\n\r\nCSS vulnerabilities rely on the ability of an attacker to lure users to\r\ntheir rogue Web servers. When a user visits a specific page on a rogue\r\nWeb server, the request for the URL is relayed to a third-party site\r\nusing active scripting. If this third-party site is trusted by the user,\r\nthe attacker\u2019s Web site is trusted just like the third-party site,\r\ninheriting that the same level of privilege. IIS contains CSS\r\nvulnerabilities when searching IIS help files, viewing HTTP error pages,\r\nand notifying a user when a request has been redirected.\r\n\r\nRecommendations:\r\n\r\nX-Force recommends that all affected IIS customers apply the following\r\nMicrosoft supplied patches immediately:\r\n\r\nMicrosoft IIS 4.0:\r\nhttp://www.microsoft.com/Downloads/Release.asp?ReleaseID=37931\r\nMicrosoft IIS 5.0:\r\nhttp://www.microsoft.com/Downloads/Release.asp?ReleaseID=37824\r\nMicrosoft IIS 5.1:\r\nhttp://www.microsoft.com/Downloads/Release.asp?ReleaseID=37857\r\n\r\nRealSecure Network Sensor may trigger several signatures in response to\r\nthe IIS attacks described in this advisory. RealSecure Network Sensor\r\nadministrators\r\nshould closely examine the following events if they are detected by\r\nRealSecure. The list below details the signatures and their\r\ncorresponding vulnerabilities.\r\n\r\nHTTP_NCSA_BufferOverflow\r\n(CAN-2002-0147)\r\n\r\nHTTP_NCSA_BufferOverflow\r\nHTTP_Netscape_Method_Overflow\r\n(CAN-2002-0149)\r\n\r\nHTTP_NCSA_BufferOverflow\r\n(CAN-2002-0071)\r\n\r\nHTTP_Netscape_Method_Overflow\r\n(CAN-2002-0072)\r\n\r\nFTP_Glob_Expansion\r\n(CAN-2002-0073)\r\n\r\nBlackICE products currently detect potential exploitation of three of\r\nthe vulnerabilities\r\ndescribed in this advisory. BlackICE users and administrators should\r\nclosely examine the\r\nfollowing events if they are detected by BlackICE:\r\n\r\nFTP Command line overflow\r\n(CAN-2002-0073)\r\n\r\nHTTP URL overflow\r\n(CAN-2002-0149)\r\n\r\nIIS malformed .HTR request\r\n(CAN-2002-0071)\r\n\r\nAdditional detection support will be added in a future update for\r\nBlackICE products.\r\n\r\nInternet Scanner X-Press Update 6.8 includes a check, IisMs02018Patch,\r\nto detect the installation of the patch for the vulnerabilities\r\ndescribed in this advisory. XPU 6.8 is available from the ISS Download\r\nCenter at: http://www.iss.net/download. For questions about downloading\r\nand installing this XPU, email support@iss.net.\r\n\r\nDetection support for these attacks will be included in future X-Press\r\nUpdates for RealSecure Network Sensor and RealSecure Server Sensor.\r\nThese XPUs will be available from the ISS Download Center, and this\r\nalert will be updated when these updates become available.\r\n\r\n______\r\n\r\nAbout Internet Security Systems (ISS)\r\nFounded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a\r\npioneer and world leader in software and services that protect critical\r\nonline resources from an ever-changing spectrum of threats and misuse.\r\nInternet Security Systems is headquartered in Atlanta, GA, with\r\nadditional operations throughout the Americas, Asia, Australia, Europe\r\nand the Middle East.\r\n\r\nCopyright (c) 2002 Internet Security Systems, Inc. All rights reserved\r\nworldwide.\r\n\r\nPermission is hereby granted for the electronic redistribution of this\r\ndocument. It is not to be edited or altered in any way without the\r\nexpress written consent of the Internet Security Systems X-Force. If you\r\nwish to reprint the whole or any part of this document in any other\r\nmedium excluding electronic media, please email xforce@iss.net for\r\npermission.\r\n\r\nDisclaimer: The information within this paper may change without notice.\r\nUse of this information constitutes acceptance for use in an AS IS\r\ncondition. There are NO warranties, implied or otherwise, with regard to\r\nthis information or its use. Any use of this information is at the\r\nuser's risk. In no event shall the author/distributor (Internet Security\r\nSystems X-Force) be held liable for any damages whatsoever arising out\r\nof or in connection with the use or spread of this information.\r\n\r\nX-Force PGP Key available on MIT's PGP key server and PGP.com's key\r\nserver,\r\nas well as at http://www.iss.net/security_center/sensitive.php\r\n\r\nPlease send suggestions, updates, and comments to: X-Force\r\nxforce@iss.net of Internet Security Systems, Inc.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: 2.6.2\r\n\r\niQCVAwUBPLTUcjRfJiV99eG9AQHAXAP/bZAmOetnSGZ2EdIaX8UzWgj6wrdiMAp6\r\n6m36F8ABJEXR3K9pRbX7P3qYs8fUkwHQtGi6WXhW4N/5Q7K8XBRqosT6gxa0Uu32\r\nHeENRPb3oNJoQkZoCqjBiIn09qgMeFF9dMWeowneJu30Cz0+4SWl60dpbU+tPLmd\r\nPAhqVshkH14=\r\n=qtZH\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2002-04-11T00:00:00", "published": "2002-04-11T00:00:00", "id": "SECURITYVULNS:DOC:2748", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:2748", "title": "Multiple Remote Vulnerabilities in Microsoft IIS", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:05", "bulletinFamily": "software", "cvelist": ["CVE-2002-0074", "CVE-2002-0148", "CVE-2002-0149", "CVE-2002-0147", "CVE-2002-0071", "CVE-2002-0072", "CVE-2002-0073", "CVE-2002-0075", "CVE-2002-0079", "CVE-2002-0150"], "description": "CERT Advisory CA-2002-09 Multiple Vulnerabilities in Microsoft IIS\r\n\r\n Original release date: April 11, 2002\r\n Last revised: --\r\n Source: CERT/CC\r\n\r\n A complete revision history can be found at the end of this file.\r\n\r\nSystems Affected\r\n\r\n * Microsoft IIS 4.0, 5.0, and 5.1\r\n\r\nOverview\r\n\r\n A variety of vulnerabilities exist in various versions of Microsoft\r\n IIS. Some of these vulnerabilities may allow an intruder to execute\r\n arbitrary code on vulnerable systems.\r\n\r\nI. Description\r\n\r\n There are a variety of vulnerabilities in Microsoft IIS. Many of these\r\n vulnerabilities are buffer overflows that could permit an intruder to\r\n execute arbitrary code on vulnerable systems.\r\n We strongly encourage all sites running IIS to read Microsoft's\r\n advisory on these and other vulnerabilities and take appropriate\r\n action as soon as practical. Microsoft's bulletin is available at\r\n\r\n http://www.microsoft.com/technet/security/bulletin/MS02-018.asp\r\n\r\n Additional information about these vulnerabilities is available at\r\n\r\n http://www.kb.cert.org/vuls\r\n\r\n\r\n VU#363715 CAN-2002-0071 Microsoft Internet Information Server (IIS)\r\n vulnerable to heap overflow during processing of crafted\r\n ".htr" request by "ISM.DLL" ISAPI filter\r\n\r\n VU#883091 CAN-2002-0074 Microsoft Internet Information Server (IIS)\r\n contains cross-site scripting vulnerability in IIS Help\r\n Files search facility\r\n\r\n VU#886699 CAN-2002-0148 Microsoft Internet Information Server (IIS)\r\n contains cross-site scripting vulnerability in HTTP error\r\n page results\r\n\r\n VU#520707 CAN-2002-0075 Microsoft Internet Information Server (IIS)\r\n contains cross-site scripting vulnerability in redirect\r\n response messages\r\n\r\n VU#412203 CAN-2002-0073 Microsoft Internet Information Server (IIS)\r\n vulnerable to DoS via malformed FTP connection status\r\n request\r\n\r\n VU#454091 CAN-2002-0150 Microsoft Internet Information Server (IIS)\r\n vulnerable to buffer overflow via inaccurate checking of\r\n delimiters in HTTP header fields\r\n\r\n VU#721963 CAN-2002-0149 Microsoft Internet Information Server (IIS)\r\n buffer overflow in server-side includes (SSI) containing\r\n long invalid file name\r\n\r\n VU#521059 CAN-2002-0072 Microsoft Internet Information Server (IIS)\r\n vulnerable to DoS when URL request exceeds maximum\r\n allowed length\r\n\r\n VU#610291 CAN-2002-0079 Microsoft Internet Information Server (IIS)\r\n buffer overflow in chunked encoding transfer mechanism\r\n\r\n VU#669779 CAN-2002-0147 Microsoft Internet Information Server (IIS)\r\n buffer overflow in chunked encoding transfer mechanism\r\n\r\n\r\nII. Impact\r\n\r\n For many of the vulnerabilities, an intruder could execute arbitrary\r\n code with privileges that vary according to which version of IIS is\r\n running. In general, IIS 4.0 permits an intruder to execute code with\r\n complete administrative privileges, while IIS 5.0 and 5.1 permit an\r\n intruder to execute code with the privileges of the IWAM_computername\r\n account.\r\n\r\nIII. Solution\r\n\r\n Microsoft Corporation has released Microsoft Security Bulletin\r\n MS02-018, which announces the availability of a cumulative patch to\r\n address a variety of problems. We strongly encourage you to read this\r\n bulletin and take the appropriate corrective measures. MS02-018 is\r\n available at\r\n\r\n http://www.microsoft.com/technet/security/bulletin/MS02-018.asp\r\n\r\n In addition to applying the patch, or until it can be applied, we\r\n recommend the following actions:\r\n\r\n * Use the IIS Lockdown tool and URLScan to eliminate or reduce the\r\n impact of some of these vulnerabilites; they may also eliminate or\r\n reduce other vulnerabilities that have not yet been discovered.\r\n The IIS Lockdown tool can also be used to disable ASP if it's not\r\n needed. More information about the IIS Lockdown tool and URLScan\r\n can be found at\r\n\r\n http://www.microsoft.com/technet/security/tools/locktool.asp\r\n \r\n http://www.microsoft.com/technet/security/URLScan.asp\r\n\r\n * As Microsoft has recommended for quite some time, disable the HTR\r\n ISAPI extension unless it is absolutely required.\r\n * Disable anonymous FTP unless it is required.\r\n * Don't give login credentials on IIS servers to untrusted users.\r\n _________________________________________________________________\r\n\r\n Our thanks to Microsoft Corporation for the information contained in\r\n their advisory. Additionally, our thanks go to the various individuals\r\n and organizations whom Microsoft identified as discovering the\r\n vulnerabilities, including eEye Digital Security\r\n (http://www.eeye.com), Serge Mister of Entrust, Inc.\r\n (http://www.entrust.com), Dave Aitel of @Stake\r\n (http://www.atstake.com), Peter Grundl of KPMG, Joe Smith\r\n (jsm1th@hotmail.com) and zenomorph (admin@cgisecurity.com) of\r\n http://www.cgisecurity.com, Keigo Yamazaki of the LAC SNS Team\r\n (http://www.lac.co.jp/security/), and Thor Larholm of Jubii A/S.\r\n _________________________________________________________________\r\n\r\n Author: Shawn V. Hernan\r\n ______________________________________________________________________\r\n\r\n This document is available from:\r\n http://www.cert.org/advisories/CA-2002-09.html\r\n ______________________________________________________________________\r\n\r\nCERT/CC Contact Information\r\n\r\n Email: cert@cert.org\r\n Phone: +1 412-268-7090 (24-hour hotline)\r\n Fax: +1 412-268-6989\r\n Postal address:\r\n CERT Coordination Center\r\n Software Engineering Institute\r\n Carnegie Mellon University\r\n Pittsburgh PA 15213-3890\r\n U.S.A.\r\n\r\n CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /\r\n EDT(GMT-4) Monday through Friday; they are on call for emergencies\r\n during other hours, on U.S. holidays, and on weekends.\r\n\r\nUsing encryption\r\n\r\n We strongly urge you to encrypt sensitive information sent by email.\r\n Our public PGP key is available from\r\n\r\n http://www.cert.org/CERT_PGP.key\r\n\r\n If you prefer to use DES, please call the CERT hotline for more\r\n information.\r\n\r\nGetting security information\r\n\r\n CERT publications and other security information are available from\r\n our web site\r\n\r\n http://www.cert.org/\r\n\r\n To subscribe to the CERT mailing list for advisories and bulletins,\r\n send email to majordomo@cert.org. Please include in the body of your\r\n message\r\n\r\n subscribe cert-advisory\r\n\r\n * "CERT" and "CERT Coordination Center" are registered in the U.S.\r\n Patent and Trademark Office.\r\n ______________________________________________________________________\r\n\r\n NO WARRANTY\r\n Any material furnished by Carnegie Mellon University and the Software\r\n Engineering Institute is furnished on an "as is" basis. Carnegie\r\n Mellon University makes no warranties of any kind, either expressed or\r\n implied as to any matter including, but not limited to, warranty of\r\n fitness for a particular purpose or merchantability, exclusivity or\r\n results obtained from use of the material. Carnegie Mellon University\r\n does not make any warranty of any kind with respect to freedom from\r\n patent, trademark, or copyright infringement.\r\n _________________________________________________________________\r\n\r\n Conditions for use, disclaimers, and sponsorship information\r\n\r\n Copyright 2002 Carnegie Mellon University.\r\n\r\n Revision History\r\nApril 11, 2002: Initial release\r\n", "edition": 1, "modified": "2002-04-12T00:00:00", "published": "2002-04-12T00:00:00", "id": "SECURITYVULNS:DOC:2759", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:2759", "title": "Advisory CA-2002-09 Multiple Vulnerabilities in Microsoft IIS", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cisco": [{"lastseen": "2020-06-22T10:59:13", "bulletinFamily": "software", "cvelist": ["CVE-2002-0071", "CVE-2002-0072", "CVE-2002-0073", "CVE-2002-0074", "CVE-2002-0075", "CVE-2002-0079", "CVE-2002-0147", "CVE-2002-0148", "CVE-2002-0149", "CVE-2002-0150", "CVE-2002-0364"], "description": "", "modified": "2002-04-15T18:00:00", "published": "2002-04-15T18:00:00", "id": "CISCO-SA-20020415-MS02-018", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020415-ms02-018", "type": "cisco", "title": "Microsoft IIS Vulnerabilities in Cisco Products - MS02-018", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}