-=>Microsoft IIS .htr ISAPI buffer overrun<=-
courtesy of KPMG Denmark
There is a buffer overrun condition in the isapi extension that
handles .htr extensions that could allow an attacker to crash the
service and possibly execute arbitrary code on the server.
This vulnerability was discovered by Dave Aitel from @stake and by
Peter Gründl from KPMG. It was done independently, and both
reported the same two vulnerabilities to the same vendor at around
the same time.
Dave Aitel released an advisory on this issue:
http://archives.neohapsis.com/archives/bugtraq/2002-04/0114.html
Ism.dll handles files with the extension .htr and a flaw in the
module could allow an attack to disable parts of or all of the
functionality of a website. It is theoretically possibly to
execute code with this overflow, although attempted exploitation
would most likely result in a Denial of Service situation.
The problem is with the modules parameter handling, as declared
variables are subject to a buffer overrun ("/foo.htr?<buffer>=x").
The number of overflows needed and the result depends on the
internal state of the IIS memory allocations. A determined
attacker could proceed to crash the service, and repeatedly send
the malicious payload as the injection vector would now be
relatively fixed, when the server was rebooted.
You can visit the vendors webpage here: http://www.microsoft.com
The vendor was contacted on the 31st of January, 2002. On the 18th
of March we received a private hotfix, which corrected the issue.
On the 10th of April, the vendor released a public bulletin.
The vendor has released a patched ism.dll, which is included in
the security rollup package MS02-018, available here:
http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Author: Peter Gründl ([email protected])