Multiple Remote Vulnerabilities in Microsoft IIS

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
[email protected] Contact [email protected] for help with any problems!

-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
April 10, 2002

Multiple Remote Vulnerabilities in Microsoft IIS

Synopsis:

ISS X-Force has learned that Microsoft Internet Information Server (IIS)
is affected by ten new remote vulnerabilities. These vulnerabilities
vary in severity from mild to critical. A remote attacker may exploit
one or more of these vulnerabilities to cause a target Web server to
crash, execute arbitrary commands on the server, or gain complete
control of a target IIS server.

Affected Versions:

Microsoft Internet Information Server 4.0
Microsoft Internet Information Server 5.0
Microsoft Internet Information Server 5.1

Note: IIS 6.0 Beta build 3605 and earlier are also affected.

Description:

Microsoft released a Security Bulletin on April 10, 2002 detailing new
cumulative patches for IIS 4.0, 5.0, and 5.1. These patches contain all
previous security patches for each version as well as patches for ten
new vulnerabilities.

Heap Buffer overflow in ASP chunked encoding routines
(CAN-2002-0079)

ASP (Active Server Pages) is enabled on all IIS installations by
default. ASP is used to dynamically generate HTML pages on the server
and deliver them to a client. IIS improperly handles specially-crafted
chunked encoding queries to ASP pages. Chunked encoding is used in
situations when a client supplies the server with a variable amount of
information. If the client supplies data using chunked encoding, the
server dynamically allocates memory according to the size of each
incoming chunk. IIS improperly adds the sizes of these allocated chunks,
which may overwrite memory. Successful exploitation of this
vulnerability may crash a vulnerable server, allowing remote attackers
to execute arbitrary commands on the server with IWAM_computername
privileges. This account is equivalent to an unprivileged normal user.
This vulnerability affects IIS versions 4.0 and 5.0.

Buffer overflow within the ASP data transfer mechanism
(CAN-2002-0147)

This vulnerability is similar to the previous vulnerability and affects
IIS versions 4.0, 5.0, and 5.1.

Buffer overflow in IIS HTTP header delimiter parsing
(CAN-2002-0150)

It may be possible for remote attackers to create a special request to
bypass IIS delimiter parsing. IIS 4.0, 5.0, and 5.1 may incorrectly
parse this request and overflow a buffer, which may lead to a denial of
service attack or the ability to execute arbitrary code on the target
server with IWAM_computername privileges.

Buffer overflow in IIS ASP Server-Side Include routines
(CAN-2002-0149)

ASP scripts sometimes process external files in order to function
correctly. If an attacker sends a specific query to an overly long
filename, this name may be processed within the ASP script as a server-
side include (SSI). A buffer overflow may be triggered if the length of
the filename is longer than the static buffer within the SSI routine.
This vulnerability affects IIS 4.0, 5.0, and 5.1. Successful
exploitation of this vulnerability may crash the server or allow an
attacker to execute arbitrary code on the target server with
IWAM_computername privileges.

Buffer overflow in the HTR ISAPI extension
(CAN-2002-0071)

HTR was the predecessor to ASP and is considered a legacy technology.
HTR remains in use today to handle password management in IIS. It may be
possible for an attacker to send a malformed HTR request to a vulnerable
IIS 4.0 or 5.0 server to cause a denial of service attack. An attacker
may also use this vulnerability to run arbitrary commands with
IWAM_computername privileges. HTR files need not be present on the
server for attackers to exploit this vulnerability.

Denial of service caused by improper handling of error conditions in
ISAPI filters
(CAN-2002-0072)

If vulnerable ISAPI filters within IIS 4.0, 5.0, and 5.1 receive a URL
of an illegal length, IIS will improperly rewrite the URL with a null
value and attempt to send the error back to the client that requested
the URL. Before the request is sent, IIS attempts to operate on the null
value, which causes a fault that crashes the server.

Denial of service in the IIS 4.0, 5.0 and 5.1 FTP (File Transfer
Protocol) service
(CAN-2002-0073)

IIS improperly handles specially-crafted status requests on current FTP
sessions. When an attacker sends this type of request to an IIS server,
it may lead to improper access of uninitialized memory, which may result
in a denial of service to FTP and Web services.

Cross-Site Scripting (CSS) vulnerabilities present in IIS 4.0, 5.0 and
5.1
(CAN-2002-0074)
(CAN-2002-0148)
(CAN-2002-0075)

CSS vulnerabilities rely on the ability of an attacker to lure users to
their rogue Web servers. When a user visits a specific page on a rogue
Web server, the request for the URL is relayed to a third-party site
using active scripting. If this third-party site is trusted by the user,
the attacker’s Web site is trusted just like the third-party site,
inheriting that the same level of privilege. IIS contains CSS
vulnerabilities when searching IIS help files, viewing HTTP error pages,
and notifying a user when a request has been redirected.

Recommendations:

X-Force recommends that all affected IIS customers apply the following
Microsoft supplied patches immediately:

Microsoft IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37931
Microsoft IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37824
Microsoft IIS 5.1:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37857

RealSecure Network Sensor may trigger several signatures in response to
the IIS attacks described in this advisory. RealSecure Network Sensor
administrators
should closely examine the following events if they are detected by
RealSecure. The list below details the signatures and their
corresponding vulnerabilities.

HTTP_NCSA_BufferOverflow
(CAN-2002-0147)

HTTP_NCSA_BufferOverflow
HTTP_Netscape_Method_Overflow
(CAN-2002-0149)

HTTP_NCSA_BufferOverflow
(CAN-2002-0071)

HTTP_Netscape_Method_Overflow
(CAN-2002-0072)

FTP_Glob_Expansion
(CAN-2002-0073)

BlackICE products currently detect potential exploitation of three of
the vulnerabilities
described in this advisory. BlackICE users and administrators should
closely examine the
following events if they are detected by BlackICE:

FTP Command line overflow
(CAN-2002-0073)

HTTP URL overflow
(CAN-2002-0149)

IIS malformed .HTR request
(CAN-2002-0071)

Additional detection support will be added in a future update for
BlackICE products.

Internet Scanner X-Press Update 6.8 includes a check, IisMs02018Patch,
to detect the installation of the patch for the vulnerabilities
described in this advisory. XPU 6.8 is available from the ISS Download
Center at: http://www.iss.net/download. For questions about downloading
and installing this XPU, email [email protected].

Detection support for these attacks will be included in future X-Press
Updates for RealSecure Network Sensor and RealSecure Server Sensor.
These XPUs will be available from the ISS Download Center, and this
alert will be updated when these updates become available.

---

About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email [email protected] for
permission.

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server,
as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force
[email protected] of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPLTUcjRfJiV99eG9AQHAXAP/bZAmOetnSGZ2EdIaX8UzWgj6wrdiMAp6
6m36F8ABJEXR3K9pRbX7P3qYs8fUkwHQtGi6WXhW4N/5Q7K8XBRqosT6gxa0Uu32
HeENRPb3oNJoQkZoCqjBiIn09qgMeFF9dMWeowneJu30Cz0+4SWl60dpbU+tPLmd
PAhqVshkH14=
=qtZH
-----END PGP SIGNATURE-----