Microsoft Internet Information Server (IIS) 4.0 and 5.0 buffer overflow in chunked encoding transfer mechanism for ASP

Overview

A buffer overflow vulnerability in IIS 4.0 and 5.0 could allow an intruder to execute arbitrary code on an IIS server with the privileges of the ASP ISAPI extension.

Description

Chunked encoding is a means to transfer variable-sized units of data (called chunks) from a web client to a web server. There is an arithmetic error in the way IIS calculates the size of a buffer used to hold a chunk. The result is that IIS allocates a buffer that is too small, allowing an intruder to overflow the buffer.

Buffers used to store chunks are allocated on the heap, and therefore this vulnerability can be called a heap-based buffer overflow. Exploiting a heap-based buffer overflow to gain control of a system can sometimes be more difficult than exploiting other kinds of buffer overflows to gain control. However, the failure is more conducive to gaining control of the system than other typical heap-based buffer overflows. Quoting from Microsoft Security Bulletin MS02-018:

_[…] in addition to causing the wrong-sized buffer to be allocated, the arithmetic error also prevents IIS 4.0 and 5.0 from placing any real limits on the size of a chunk. As a result, it would be possible for a client to send a chunk that would overwrite most or all of the memory on the system.

This is a critical point, because it goes to the heart of why this vulnerability poses such a serious threat to servers. This vulnerability is an example of so-called heap overrun; these are frequently difficult or impossible to exploit, because of the dynamic nature of system memory. Data on the server can change locations from one moment to the next, impeding the attacker’s ability to overwrite selected programs or data. However, in this case, the attacker wouldn’t need to know where programs were located, but could instead simply overwrite large portions of system memory indiscriminately. _

This vulnerability was discovered by eEye Digital Security. For more information, see

<http://www.eeye.com/html/Research/Advisories/AD20020410.html&gt;

This vulnerability is very similar to VU#669779.

---

Impact

An intruder can interrupt the ordinary operation of a vulnerable IIS server or execute arbitrary code with the privileges of ASP ISAPI extension, ASP.DLL. On IIS 4.0, ASP.DLL runs as part of the operating system thus allowing an intruder to take full administrative control. On IIS 5.0, ASP.DLL runs with the privileges of the IWAM__computername_ account.

---

Solution

Apply a patch as described in Microsoft Security Bulletin MS02-018.

---

Until a patch can be applied, you may wish to disable the ASP ISAPI extension by using the IIS Lockdown tool, available at <http://www.microsoft.com/technet/security/tools/locktool.asp&gt;. In addition, you can use the URLScan tool to block URLs that contain non-ASCII data. This may be useful in limiting the damage an intruder could do through this vulnerability.

---

Vendor Information

610291

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Updated: April 10, 2002

Status

Affected

Vendor Statement

See http://www.microsoft.com/technet/security/bulletin/ms02-018.asp.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23610291 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.microsoft.com/technet/security/bulletin/MS02-018.asp&gt;
• <http://www.eeye.com/html/Research/Advisories/AD20020410.html&gt;
• <http://www.eeye.com/html/Research/Advisories/AD20020410.html&gt;
• <http://www.microsoft.com/technet/security/URLScan.asp&gt;
• <http://www.securityfocus.com/bid/4485&gt;

Acknowledgements

Our thanks to Microsoft Corporation, upon whose advisory this document is based, and eEye Digital Security who discovered the vulnerability and whose advisory provides additional technical detail.

This document was written by Shawn V. Hernan.

Other Information

CVE IDs:	CVE-2002-0079
Severity Metric:	62.44 Date Public: