ISSalert: ISS Alert: Multiple Remote Vulnerabilities in Microsoft IIS

From: X-Force (
Date: 04/11/02

Date: Wed, 10 Apr 2002 20:11:19 -0400 (EDT)
From: X-Force <>

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to Contact for help with any problems!


Internet Security Systems Security Alert
April 10, 2002

Multiple Remote Vulnerabilities in Microsoft IIS


ISS X-Force has learned that Microsoft Internet Information Server (IIS)
is affected by ten new remote vulnerabilities. These vulnerabilities
vary in severity from mild to critical. A remote attacker may exploit
one or more of these vulnerabilities to cause a target Web server to
crash, execute arbitrary commands on the server, or gain complete
control of a target IIS server.

Affected Versions:

Microsoft Internet Information Server 4.0
Microsoft Internet Information Server 5.0
Microsoft Internet Information Server 5.1

Note: IIS 6.0 Beta build 3605 and earlier are also affected.


Microsoft released a Security Bulletin on April 10, 2002 detailing new
cumulative patches for IIS 4.0, 5.0, and 5.1. These patches contain all
previous security patches for each version as well as patches for ten
new vulnerabilities.

Heap Buffer overflow in ASP chunked encoding routines

ASP (Active Server Pages) is enabled on all IIS installations by
default. ASP is used to dynamically generate HTML pages on the server
and deliver them to a client. IIS improperly handles specially-crafted
chunked encoding queries to ASP pages. Chunked encoding is used in
situations when a client supplies the server with a variable amount of
information. If the client supplies data using chunked encoding, the
server dynamically allocates memory according to the size of each
incoming chunk. IIS improperly adds the sizes of these allocated chunks,
which may overwrite memory. Successful exploitation of this
vulnerability may crash a vulnerable server, allowing remote attackers
to execute arbitrary commands on the server with IWAM_computername
privileges. This account is equivalent to an unprivileged normal user.
This vulnerability affects IIS versions 4.0 and 5.0.

Buffer overflow within the ASP data transfer mechanism

This vulnerability is similar to the previous vulnerability and affects
IIS versions 4.0, 5.0, and 5.1.

Buffer overflow in IIS HTTP header delimiter parsing

It may be possible for remote attackers to create a special request to
bypass IIS delimiter parsing. IIS 4.0, 5.0, and 5.1 may incorrectly
parse this request and overflow a buffer, which may lead to a denial of
service attack or the ability to execute arbitrary code on the target
server with IWAM_computername privileges.

Buffer overflow in IIS ASP Server-Side Include routines

ASP scripts sometimes process external files in order to function
correctly. If an attacker sends a specific query to an overly long
filename, this name may be processed within the ASP script as a server-
side include (SSI). A buffer overflow may be triggered if the length of
the filename is longer than the static buffer within the SSI routine.
This vulnerability affects IIS 4.0, 5.0, and 5.1. Successful
exploitation of this vulnerability may crash the server or allow an
attacker to execute arbitrary code on the target server with
IWAM_computername privileges.

Buffer overflow in the HTR ISAPI extension

HTR was the predecessor to ASP and is considered a legacy technology.
HTR remains in use today to handle password management in IIS. It may be
possible for an attacker to send a malformed HTR request to a vulnerable
IIS 4.0 or 5.0 server to cause a denial of service attack. An attacker
may also use this vulnerability to run arbitrary commands with
IWAM_computername privileges. HTR files need not be present on the
server for attackers to exploit this vulnerability.

Denial of service caused by improper handling of error conditions in
ISAPI filters

If vulnerable ISAPI filters within IIS 4.0, 5.0, and 5.1 receive a URL
of an illegal length, IIS will improperly rewrite the URL with a null
value and attempt to send the error back to the client that requested
the URL. Before the request is sent, IIS attempts to operate on the null
value, which causes a fault that crashes the server.

Denial of service in the IIS 4.0, 5.0 and 5.1 FTP (File Transfer
Protocol) service

IIS improperly handles specially-crafted status requests on current FTP
sessions. When an attacker sends this type of request to an IIS server,
it may lead to improper access of uninitialized memory, which may result
in a denial of service to FTP and Web services.

Cross-Site Scripting (CSS) vulnerabilities present in IIS 4.0, 5.0 and

CSS vulnerabilities rely on the ability of an attacker to lure users to
their rogue Web servers. When a user visits a specific page on a rogue
Web server, the request for the URL is relayed to a third-party site
using active scripting. If this third-party site is trusted by the user,
the attacker’s Web site is trusted just like the third-party site,
inheriting that the same level of privilege. IIS contains CSS
vulnerabilities when searching IIS help files, viewing HTTP error pages,
and notifying a user when a request has been redirected.


X-Force recommends that all affected IIS customers apply the following
Microsoft supplied patches immediately:

Microsoft IIS 4.0:
Microsoft IIS 5.0:
Microsoft IIS 5.1:

RealSecure Network Sensor may trigger several signatures in response to
the IIS attacks described in this advisory. RealSecure Network Sensor
should closely examine the following events if they are detected by
RealSecure. The list below details the signatures and their
corresponding vulnerabilities.






BlackICE products currently detect potential exploitation of three of
the vulnerabilities
described in this advisory. BlackICE users and administrators should
closely examine the
following events if they are detected by BlackICE:

FTP Command line overflow

HTTP URL overflow

IIS malformed .HTR request

Additional detection support will be added in a future update for
BlackICE products.

Internet Scanner X-Press Update 6.8 includes a check, IisMs02018Patch,
to detect the installation of the patch for the vulnerabilities
described in this advisory. XPU 6.8 is available from the ISS Download
Center at: For questions about downloading
and installing this XPU, email

Detection support for these attacks will be included in future X-Press
Updates for RealSecure Network Sensor and RealSecure Server Sensor.
These XPUs will be available from the ISS Download Center, and this
alert will be updated when these updates become available.


About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email for

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and's key
as well as at

Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.

Version: 2.6.2