iis-GET-DoS.txt

`Date: Mon, 21 Dec 1998 15:56:44 -0600  
From: Rattle <[email protected]>  
Reply-To: Bugtraq List <[email protected]>  
To: [email protected]  
Subject: Microsoft Security Bulletin (MS98-019) (fwd)  
  
Another IIS DoS attack? Of course!  
  
...  
. Nick Levay  
. [email protected]  
. "There are two major products that come out of Berkeley: LSD and UNIX.  
. We do not believe this to be a coincidence."  
  
  
>The following is a Security Bulletin from the Microsoft Product Security  
>Notification Service.  
>  
>Please do not reply to this message, as it was sent from an unattended  
>mailbox.  
> ********************************  
>  
>Microsoft Security Bulletin (MS98-019)  
>--------------------------------------  
>  
>Patch Available for IIS "GET" Vulnerability  
>  
>Originally Posted: December 21, 1998  
>  
>Summary  
>=======  
>Microsoft has released a patch that fixes a vulnerability in Microsoft(r)  
>Internet Information Server(r) that could allow denial-of-service attacks  
>to be mounted against web servers.  
>  
>There have been no reports of customers being affected by this  
>vulnerability. However, Microsoft is publishing this bulletin and  
releasing  
>the patch to allow customers to address the potential security risk it  
>poses. As detailed below in What Customers Should Do, Microsoft recommends  
>that users evaluate whether they are at risk from this attack and install  
>the patch if appropriate.  
>  
>Issue  
>=====  
>This vulnerability involves the HTTP GET method, which is used to obtain  
>information from an IIS web server. Specially-malformed GET requests can  
>create a denial of service situation that consumes all server resources,  
>causing a server to "hang." In some cases, the server can be put back into  
>service by stopping and restarting IIS; in others, the server may need to  
be  
>rebooted. This situation cannot happen accidentally. The malformed GET  
>requests must be deliberately constructed and sent to the server. It is  
>important to note that this vulnerability does not allow data on the  
server  
>to be compromised, nor does it allow any privileges on it to be usurped.  
>  
>Affected Software Versions  
>==========================  
> - Microsoft Internet Information Server, versions 3.0 and 4.0, on x86 and  
>Alpha platforms.  
>  
>What Microsoft is Doing  
>=======================  
>On December 21, Microsoft released a patch that fixes the problem. This  
>patch is available for download from the sites listed below. Please see  
>What Customers Should Do for additional information on the patch.  
>  
>Microsoft has sent this security bulletin to customers subscribing  
>to the Microsoft Product Security Notification Service (see  
>http://www.microsoft.com/security/services/bulletin.asp for  
>more information about this free customer service).  
>  
>Microsoft has published the following Knowledge Base (KB) article on this  
>issue:  
> - Microsoft Knowledge Base (KB) article Q192296,  
> IIS: Patch Available for IIS "GET" Vulnerability,  
> http://support.microsoft.com/support/kb/articles/q192/2/96.asp.  
> (Note: It might take 24 hours from the original posting of this  
> bulletin for the updated KB article to be visible in the Web-based  
> Knowledge Base.)  
>  
>Microsoft has released the following hot fixes:  
> - Fix for IIS 3.0 on X86 platforms:  
> ftp://ftp.microsoft.com/bussys/iis/iis-public  
> /fixes/usa/security/Infget-fix/infget3i.exe  
> - Fix for IIS 4.0 on X86 platforms:  
> ftp://ftp.microsoft.com/bussys/iis/iis-public  
> /fixes/usa/security/Infget-fix/infget4i.exe  
> - Fix for IIS 3.0 on Alpha platforms:  
> ftp://ftp.microsoft.com/bussys/iis/iis-public  
> /fixes/usa/security/Infget-fix/infget3a.exe  
> - Fix for IIS 4.0 on Alpha platforms:  
> ftp://ftp.microsoft.com/bussys/iis/iis-public  
> /fixes/usa/security/Infget-fix/infget4a.exe  
>(Note: the URLs above have been wrapped for readability)  
>  
>What Customers Should Do  
>========================  
>The patch for this vulnerability is fully supported. However, it has not  
>been fully regression tested and should only be applied to systems  
>determined to be at risk of attack. A fully regression-tested version of  
>the patch will be available as part of the next Windows NT service pack.  
>  
>Microsoft recommends that customers evaluate the degree of risk that this  
>vulnerability poses to their systems, based on physical accessibility,  
>network and Internet connectivity, and other factors, and determine  
whether  
>the appropriate course of action is to apply the patch or wait for the  
next  
>service pack.  
>  
>More Information  
>================  
>Please see the following references for more information related to this  
>issue.  
> - Microsoft Security Bulletin 98-019,  
> Patch Available for IIS "GET" Vulnerability  
> (the Web-posted version of this bulletin),  
> http://www.microsoft.com/security/bulletins/ms98-019.asp.  
> - Microsoft Knowledge Base (KB) article Q192296,  
> IIS: Patch Available for IIS "GET" Vulnerability,  
> http://support.microsoft.com/support/kb/articles/q192/2/96.asp.  
> (Note: It might take 24 hours from the original posting of this  
> bulletin for the updated KB article to be visible in the Web-based  
> Knowledge Base.)  
>  
>Obtaining Support on this Issue  
>===============================  
>This is a supported patch. If you have problems installing  
>this patch or require technical assistance with this patch,  
>please contact Microsoft Technical Support. For information  
>on contacting Microsoft Technical Support, please see  
>http://support.microsoft.com/support/contact/default.asp.  
>  
>Acknowledgements  
>================  
>Microsoft wishes to acknowledge the contribution made by  
>Brian Steele of Cable and Wireless Grenada, Ltd. (www.candw.com),  
>and Eugene Kalinin of the N. N.Burdenko Neurosurgery Institute,  
>who reported the problem to us.  
>  
>Revisions  
>=========  
> - December 21, 1998: Bulletin Created  
>  
>  
>For additional security-related information about Microsoft products,  
>please visit http://www.microsoft.com/security  
>  
>  
>---------------------------------------------------------------------------  
>  
>THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS  
IS"  
>WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER  
>EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND  
FITNESS  
>FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS  
>SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,  
>INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,  
>EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE  
>POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR  
>LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE  
>FOREGOING LIMITATION MAY NOT APPLY.  
>  
>(c) 1998 Microsoft Corporation. All rights reserved. Terms of Use.  
>  
> *******************************************************************  
>You have received this e-mail bulletin as a result of your registration  
>to the Microsoft Product Security Notification Service. You may  
>unsubscribe from this e-mail notification service at any time by sending  
>an e-mail to [email protected]  
>The subject line and message body are not used in processing the request,  
>and can be anything you like.  
>  
>For more information on the Microsoft Security Notification Service  
>please visit http://www.microsoft.com/security/bulletin.htm. For  
>security-related information about Microsoft products, please visit the  
>Microsoft Security Advisor web site at http://www.microsoft.com/security.  
`