Microsoft IIS ssinc.dll Long Filename Overflow

2003-05-30T09:01:17
ID OSVDB:4655
Type osvdb
Reporter OSVDB
Modified 2003-05-30T09:01:17

Description

Vulnerability Description

A local overflow exists in the Microsoft IIS web server. The service fails to validate the length of the parameter passed to the SSI include() function, resulting in a stack overflow. With a specially crafted SHTML page, an attacker can execute arbitrary code on this system, resulting in a loss of confidentiality, integrity, and/or availability.

Solution Description

The vendor has released hotfix Q811114 to address this issue. This hotfix is dependent on the patch associated with Microsoft Security Bulletin MS02-050. It is also possible to correct the flaw by implementing the following workaround:

Disable the ssinc.dll mapping, using a tool such as IIS Lockdown.
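
As a complement to the hotfix and workaround above, this added example (not part of the OSVDB entry or any vendor tool) audits server-side include pages for over-long include paths before they reach the SSI handler. The 260-character threshold (Windows MAX_PATH) and the extension list (.shtml, .shtm, .stm) are assumptions, since the entry does not state the overflow length or the mapped extensions.

```python
import re
from pathlib import Path

# Assumption: flag anything longer than Windows MAX_PATH; the advisory
# does not give the exact length at which the overflow occurs.
MAX_INCLUDE_LEN = 260
# Assumption: extensions commonly mapped to ssinc.dll.
SSI_EXTENSIONS = {".shtml", ".shtm", ".stm"}

# Matches <!--#include file="..."--> and <!--#include virtual="..."-->
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]*)"', re.IGNORECASE
)


def audit_text(text, limit=MAX_INCLUDE_LEN):
    """Return (line_number, attribute, path_length) per over-long include."""
    findings = []
    for match in INCLUDE_RE.finditer(text):
        path = match.group(2)
        if len(path) > limit:
            line_no = text.count("\n", 0, match.start()) + 1
            findings.append((line_no, match.group(1).lower(), len(path)))
    return findings


def audit_tree(root, limit=MAX_INCLUDE_LEN):
    """Scan every SSI page under root; return {file_path: findings}."""
    results = {}
    for page in Path(root).rglob("*"):
        if page.is_file() and page.suffix.lower() in SSI_EXTENSIONS:
            hits = audit_text(page.read_text(encoding="latin-1"), limit)
            if hits:
                results[str(page)] = hits
    return results


# Constructed sample page: one ordinary include, one over-long include.
SAMPLE = (
    "<html>\n"
    '<!--#include file="header.inc"-->\n'
    '<!-- #INCLUDE VIRTUAL="/inc/' + "x" * 300 + '.inc" -->\n'
    "</html>\n"
)

if __name__ == "__main__":
    for line_no, attr, length in audit_text(SAMPLE):
        print(f"line {line_no}: include {attr}= path is {length} chars")
```

Run `audit_tree` against the web root on a schedule or as an upload check; any hit on a server that has not yet received the hotfix warrants review of who placed the page.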

References:

Nessus Plugin ID: 11683
Microsoft Security Bulletin: MS03-018
Mail List Post: http://lists.netsys.com/pipermail/full-disclosure/2003-May/005232.html
CVE-2003-0224
Bugtraq ID: 7734