Microsoft IIS ASP Server-Side Include Buffer Overflow

2002-04-10T00:00:00
ID OSVDB:3320
Type osvdb
Reporter OSVDB
Modified 2002-04-10T00:00:00

Description

Vulnerability Description

A remote overflow exists in a safety check that IIS performs during server-side includes (SSI). IIS performs this safety check to ensure that a client-specified file is valid. It is possible to specify an invalid filename in a way that bypasses the safety check. With a specially crafted URL, an attacker can cause either a DoS or the execution of arbitrary code, resulting in a loss of confidentiality, integrity, and/or availability.

Technical Description

Arbitrary code will be executed with the privileges of the IWAM_computername account for default installations of IIS 5.0 and 5.1. The attacker would need the ability to influence the path name used by the SSI include function. In most cases, this limits exploitation of this flaw to users who can upload ASP scripts to the web server.

Solution Description

Install Patch Q319733, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s):

  1. Disable ASP - Version 1.0 of the IIS Lockdown Tool disables ASP by default, and version 2.1 disables ASP if "Static Web Server" is selected.

  2. The URLScan tool can be used to prevent code execution, but not the DoS.

References:

Vendor Specific Solution URL: http://www.microsoft.com/technet/security/URLScan.asp
Vendor Specific Solution URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
Vendor Specific Advisory URL
Other Solution URL: http://www.microsoft.com/downloads/search.aspx?opsysid=1&search=Keyword&value='security_patch'&displaylang=en
Other Advisory URL: http://www.nipc.gov/warnings/advisories/2002/02-002.htm
Other Advisory URL: http://xforce.iss.net/xforce/alerts/id/advise114
Microsoft Security Bulletin: MS02-018
ISS X-Force ID: 8798
CVE-2002-0149
CIAC Advisory: M-066
CERT VU: 721963
CERT: CA-2002-09
Bugtraq ID: 4478