Microsoft IIS HTR ISAPI Overflow

2002-04-10T00:00:00
ID OSVDB:3325
Type osvdb
Reporter Riley Hassell (riley@eeye.com)
Modified 2002-04-10T00:00:00

Description

Vulnerability Description

A remote overflow exists in the Internet Services Application Programming Interface (ISAPI) ISM.DLL extensions used in HTR scripting. With a specially crafted URL, an attacker can cause either a DoS or the execution of arbitrary code, resulting in a loss of confidentiality, integrity, and/or availability.

Technical Description

Arbitrary code will be executed with the privileges of the IWAM_computername account for default installations of IIS 5.0 and 5.1.

If the vulnerability is exploited to cause a DoS, the IIS service must be restarted manually in version 4.0, while the service restarts automatically in IIS 5.0.

Solution Description

Install Patch Q319733, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workarounds:

  1. Disable HTR ISAPI extension - All versions of the IIS Lockdown Tool disable HTR by default.

  2. The URLScan tool can be used to prevent code execution (even if HTR is enabled), but not the DoS.
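Before applying workaround 1, it helps to know whether anything is still requesting `.htr` resources. The following is an added example, not part of the original advisory: it scans IIS W3C extended logs for requests that reach the HTR handler. It assumes the log records the `cs-uri-stem` field; the log lines, paths and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample log, not taken from the advisory (documentation IP ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-04-11 09:14:02 192.0.2.10 GET /default.asp 200
2002-04-11 09:14:07 198.51.100.7 POST /app/change.HTR 200
2002-04-11 09:15:30 198.51.100.7 GET /scripts/test.htr 500
#Fields: date time c-ip cs-uri-stem sc-status
2002-04-11 09:16:00 192.0.2.10 /images/logo.gif 304
2002-04-11 09:16:05 203.0.113.5 /probe.htr 404
2002-04-11 09:16:09 truncated-line
"""


def find_htr_requests(lines):
    """Return one dict per logged request whose cs-uri-stem ends in .htr."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The field layout can change mid-file (e.g. after a service restart).
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        # Extension matching is done case-insensitively here.
        if row.get("cs-uri-stem", "").lower().endswith(".htr"):
            hits.append(row)
    return hits


def requests_per_client(hits):
    """Count HTR requests per client IP to separate real use from probing."""
    return Counter(h.get("c-ip", "unknown") for h in hits)


if __name__ == "__main__":
    found = find_htr_requests(SAMPLE_LOG.splitlines())
    for ip, count in requests_per_client(found).most_common():
        print(f"{ip}: {count} .htr request(s)")
```

An empty result over a representative log period indicates that disabling the HTR extension should not break legitimate traffic.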

References:

Vendor Specific Solution URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/urlscan.asp
Vendor Specific Solution URL: http://www.microsoft.com/downloads/search.aspx?opsysid=1&search=Keyword&value='security_patch'&displaylang=en
Vendor Specific Solution URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
Vendor Specific Advisory URL
Other Advisory URL: http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2002-04/0137.html
Other Advisory URL: http://www.nipc.gov/warnings/advisories/2002/02-002.htm
Other Advisory URL: http://xforce.iss.net/xforce/alerts/id/advise114
Other Advisory URL: http://www.atstake.com/research/advisories/2002/a041002-1.txt
Other Advisory URL: http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0013.html
Nessus Plugin ID: 10932
Nessus Plugin ID: 10943
Microsoft Security Bulletin: MS02-018
Microsoft Knowledge Base Article: 318091
Microsoft Knowledge Base Article: 319733
ISS X-Force ID: 8799
CVE-2002-0071
CIAC Advisory: M-066
CERT VU: 363715
CERT: CA-2002-09
Bugtraq ID: 4474