Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:2755
HistoryApr 11, 2002 - 12:00 a.m.

KPMG-2002009: Microsoft IIS W3SVC Denial of Service

2002-04-1100:00:00
vulners.com
12
JSON
        -=>Microsoft IIS W3SVC Denial of Service<=-
                  courtesy of KPMG Denmark

BUG-ID: 2002009
CVE: CAN-2002-0072
Released: 11th Apr 2002

Problem:

A flaw in internal object interaction could allow a malicious user
to bring down Internet Information Server 4.0, 5.0 and 5.1.

Vulnerable:

  • Microsoft Internet Information Server 4.0 with FP2002
  • Microsoft Internet Information Server 5.0 with FP2002
  • Microsoft Internet Information Server 5.1 with FP2002

Details:

This vulnerability was discovered by Dave Aitel from @stake and by
Peter Gründl from KPMG. It was done independently, and both
reported the same two vulnerabilities to the same vendor at around
the same time.

Frontpage contains URL parsers for dynamic components (shtml.exe/dll)
If a malicious user issues a request for /_vti_bin/shtml.exe where
the URL for the dynamic contents is replaced with a long URL, the
submodule will filter out the URL, and return a null value to the
web service URL parser. An example string would be 35K of ascii 300.
This will cause an access violation and Inetinfo.exe will be shut
down. Due to the nature of the crash, we do not feel that it is
exploitable beyond the point of a Denial of Service.

Although servers are supposed to restart the service with "iisreset",
this only works a few times (if any), and the service is crashed
until an admin manually restarts the service or reboots the server.

Vendor URL:

You can visit the vendors webpage here: http://www.microsoft.com

Vendor response:

The vendor was contacted on the 4th of February, 2002. On the 9th
of April we received a private hotfix, which corrected the issue.
On the 10th of April, the vendor released a public bulletin.

Corrective action:

The vendor has released a patched w3svc.dll, which is included in
the security rollup package MS02-018, available here:
http://www.microsoft.com/technet/security/bulletin/ms02-018.asp

Author: Peter Gründl ([email protected])

KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.

Related

cert 1
cve 1
packetstorm 1
checkpoint_advisories 1
nessus 1
securityvulns 2
cisco 1
cert
cert
Microsoft Internet Information Server (IIS) vulnerable to DoS when URL request exceeds maximum allowed length
2002-04-10 00:00:00
cve
cve
CVE-2002-0072
2002-04-22 04:00:00
packetstorm
packetstorm
iisfux0r.txt
2002-04-23 00:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft IIS URL Access Violation DoS - Ver2 (CVE-2002-0072)
2014-12-28 00:00:00
nessus
nessus
Microsoft IIS Multiple Remote DoS (MS02-018 / Q319733)
2002-04-11 00:00:00
securityvulns
securityvulns
Advisory CA-2002-09 Multiple Vulnerabilities in Microsoft IIS
2002-04-12 00:00:00
Multiple Remote Vulnerabilities in Microsoft IIS
2002-04-11 00:00:00
cisco
cisco
Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
2002-04-15 18:00:00
JSON
Related for SECURITYVULNS:DOC:2755
cert1cve1packetstorm1checkpoint_advisories1nessus1securityvulns2cisco1