ISSalert: ISS Alert: Heap Overflow in IIS HTR Chunked Encoding

From: X-Force (xforce@iss.net)
Date: 06/14/02


Date: Fri, 14 Jun 2002 10:10:42 -0400 (EDT)
To: alert@iss.net
From: X-Force <xforce@iss.net>



-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
June 14, 2002

Heap Overflow in IIS HTR Chunked Encoding

Synopsis:

ISS X-Force has learned that Microsoft Internet Information Server (IIS)
is vulnerable to a remote heap overflow due to a flaw in its HTR chunked
encoding functionality. A remote user with the ability to establish a
Web connection to a vulnerable target may execute arbitrary commands on
the server or cause the server to crash.

Affected Versions:

Microsoft IIS 4.0
Microsoft IIS 5.0

Older versions of IIS are not supported. Beta versions of IIS 6.0 are
not eligible for patches, but are known to be unaffected.

Description:

Microsoft IIS is vulnerable to a heap overflow in its "chunked encoding"
processing, specifically in the way IIS handles chunked HTR requests.
This vulnerability is similar to the issue described in Microsoft
Security Bulletin MS02-018 and in the ISS X-Force Security Alert titled
"Multiple Remote Vulnerabilities in Microsoft IIS." Refer to those
documents for more information about HTR and chunked encoding.

HTR is a scripting technology that shipped with IIS 2.0. It was never
widely adopted because Active Server Pages (.ASP) displaced it, and ASP
became popular when it shipped with IIS 4.0. IIS still ships the legacy
HTR scripts that let Windows NT users change their passwords through the
Web server.

The vulnerability described in this advisory is triggered when a remote
attacker sends the legacy HTR ISAPI extension a specially crafted
"chunked" request. An arithmetic error in the extension miscalculates
the size of incoming chunks, and the miscalculated size can lead to a
heap overflow. Heap overflows are considered harder to exploit reliably
under real-world conditions because the layout of the heap is dynamic.
However, reliable heap overflow exploits have been developed and used by
the underground community, so this issue should be treated as
exploitable for remote code execution, not merely as a crash.
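The class of bug described above, as an added example that is not IIS
code and does not reproduce the specific arithmetic error in the HTR
extension (the advisory does not publish it): a 32-bit chunk-size
accumulator that silently wraps, beside a checked parser and a
de-chunking routine that refuses any copy the declared size does not
justify. Function names, the buffer sizes and the sample chunked bodies
are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not IIS code): how a chunk-size calculation goes wrong
 * and the checks a safe receiver needs.  Names and inputs are constructed. */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* The bug pattern: a 32-bit accumulator with no overflow check.  The
 * declared size "100000001" (2^32 + 1) comes back as 1, so a receiver
 * that sizes its heap buffer from this value and then copies what the
 * client actually sent writes past the end of that buffer. */
uint32_t naive_chunk_size(const char *line)
{
    uint32_t size = 0;
    int v;
    while ((v = hexval((unsigned char)*line)) >= 0) {
        size = size * 16 + (uint32_t)v;   /* unsigned wrap, silently */
        line++;
    }
    return size;
}

/* Checked version.  Returns the declared size, or -1 if the size line is
 * empty, has non-hex junk before CR or ';', would overflow 32 bits, or
 * exceeds 'limit' (what the receiver can actually hold). */
int64_t parse_chunk_size(const char *line, size_t limit)
{
    uint32_t size = 0;
    int digits = 0, v;
    while ((v = hexval((unsigned char)*line)) >= 0) {
        if (size > (UINT32_MAX - (uint32_t)v) / 16) return -1; /* would wrap */
        size = size * 16 + (uint32_t)v;
        digits++;
        line++;
    }
    if (digits == 0 || (*line != '\r' && *line != ';')) return -1;
    if ((size_t)size > limit) return -1;
    return (int64_t)size;
}

/* De-chunk a NUL-terminated body into 'out' (capacity 'cap').  Every copy
 * is gated on the declared size fitting both the remaining output buffer
 * and the bytes actually received.  Returns bytes written, or -1 on any
 * malformed input.  Trailers after the zero-size chunk are ignored. */
int64_t dechunk(const char *body, char *out, size_t cap)
{
    const char *p = body, *end = body + strlen(body);
    size_t written = 0;
    for (;;) {
        int64_t sz = parse_chunk_size(p, cap - written);
        if (sz < 0) return -1;
        const char *crlf = strstr(p, "\r\n");
        if (!crlf) return -1;
        p = crlf + 2;                          /* start of chunk data */
        if (sz == 0) return (int64_t)written;  /* last-chunk */
        if ((size_t)(end - p) < (size_t)sz + 2) return -1; /* short read */
        memcpy(out + written, p, (size_t)sz);
        written += (size_t)sz;
        p += sz;
        if (p[0] != '\r' || p[1] != '\n') return -1; /* data must end in CRLF */
        p += 2;
    }
}

int main(void)
{
    char out[16];
    /* constructed inputs */
    const char *good = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
    const char *wrap = "100000001\r\n";
    printf("naive   size of 0x100000001 -> %u\n", naive_chunk_size(wrap));
    printf("checked size of 0x100000001 -> %lld\n",
           (long long)parse_chunk_size(wrap, SIZE_MAX));
    printf("dechunk -> %lld bytes\n", (long long)dechunk(good, out, sizeof out));
    return 0;
}
```

The two things worth taking from the example: the overflow check must
happen before the multiply, not after, and the declared size must be
bounded by both the receiver's buffer and the bytes on the wire, since a
client controls the first and may lie about the second.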

Recommendations:

Internet Scanner X-Press Update 6.12 includes a check,
IisHtrChunkedEncodingBo, that determines whether the patch for this IIS
HTR vulnerability is installed. XPU 6.12 is available from the ISS
Download Center at: http://www.iss.net/download. For questions about
downloading and installing this XPU, email support@iss.net.

RealSecure 7.0 customers can configure a user-defined event to detect
exploitation of this vulnerability.

For more information on RealSecure 7.0 TRONS events, refer to the ISS
Knowledgebase Article 020603-000014 at
http://www.iss.net/support/knowledgebase/.

To configure a user-defined TRONS event, follow these steps:
1. Create a file named "trons.rules" and paste the following into it.
Note: on the line (var WEBSERVER [xxx.xxx.xxx.xxx/32,xxx.xxx.xxx.xxx/32]),
replace xxx.xxx.xxx.xxx/32 with the IP address(es) of the Web server(s)
to monitor. The alert rule must be written on a single line in the file.
IIS matches the .htr extension case-insensitively (".HTR" reaches the
same handler), and HTTP header names are case-insensitive, so each
content match carries its own nocase.

#/////////////
#
# TRONS IIS HTR Chunked Encoding
#
# Assign vars used in the rules
var WEBSERVER [xxx.xxx.xxx.xxx/32,xxx.xxx.xxx.xxx/32]

alert tcp any any -> $WEBSERVER 80 (msg:"HTR IIS Chunked Encoding"; content:".htr"; nocase; content:"Transfer-Encoding: chunked"; nocase; sid:1; rev:1;)
#/////////////

2. Copy the rules file to any location within the Network Sensor
subdirectory, e.g. C:\Program
Files\ISS\issSensors\network_sensor_1\trons.rules

3. Under the Workgroup Manager, select the properties of the sensor.
Navigate to the Advanced tab of the properties. A list of parameters
will be shown on this tab. Scroll through the list until you find the
following parameters and make these changes:
trons.enabled = true
trons.filename = C:\Program
Files\ISS\issSensors\network_sensor_1\trons.rules

4. Click OK. Users should then observe low priority events indicating
that the trons module is enabled, and that trons.rules has been parsed.
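The detection logic of the rule above, run over constructed sample
requests as an added example. This is not ISS or RealSecure code, and it
is deliberately stricter than the rule: ".htr" must appear in the request
line and "chunked" must be the value of a Transfer-Encoding header, so the
same two strings inside a POST body (which would fire the packet-level
rule) do not produce an alert. The sample requests, the path names in
them and the function names are all constructed for the example.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Added example (not ISS code): the TRONS rule's logic applied to raw
 * request buffers, restricted to the request line and header block.
 * Sample traffic below is constructed, not captured. */

/* Case-insensitive search for 'needle' within the first n bytes of hay. */
static const char *ci_find(const char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++) {
        size_t j = 0;
        while (j < m && tolower((unsigned char)hay[i + j]) ==
                        tolower((unsigned char)needle[j]))
            j++;
        if (j == m) return hay + i;
    }
    return NULL;
}

/* 1 if the request targets an .htr resource and declares chunked
 * transfer encoding in its headers, else 0. */
int is_htr_chunked(const char *request)
{
    static const char hdr[] = "transfer-encoding:";
    const size_t hlen = sizeof hdr - 1;
    const char *eol = strstr(request, "\r\n");
    if (!eol) return 0;
    /* request line: METHOD SP target SP version */
    if (!ci_find(request, (size_t)(eol - request), ".htr")) return 0;
    /* walk headers; an empty line ends them and the body is never scanned */
    for (const char *p = eol + 2;;) {
        const char *next = strstr(p, "\r\n");
        if (!next || next == p) return 0;
        size_t len = (size_t)(next - p);
        if (len >= hlen && ci_find(p, hlen, hdr) == p &&
            ci_find(p + hlen, len - hlen, "chunked"))
            return 1;
        p = next + 2;
    }
}

/* Constructed sample traffic: two that should alert, three that should not. */
static const char *const samples[] = {
    "GET /example.htr HTTP/1.1\r\nHost: web\r\nTransfer-Encoding: chunked\r\n\r\n",
    "POST /Change.HTR HTTP/1.0\r\nTRANSFER-ENCODING: Chunked\r\n\r\n",
    "GET /index.asp HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n",
    "GET /example.htr HTTP/1.1\r\nContent-Length: 5\r\n\r\nhello",
    "POST /upload.asp HTTP/1.1\r\nContent-Length: 36\r\n\r\n"
    "f=a.htr&h=Transfer-Encoding: chunked",
};

/* Number of sample requests that the check flags. */
int count_hits(void)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        hits += is_htr_chunked(samples[i]);
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s\n", i,
               is_htr_chunked(samples[i]) ? "ALERT" : "ok");
    return 0;
}
```

The last sample is the one to keep in mind when tuning the TRONS rule: a
sensor matching two content strings anywhere in the packet will flag it,
while a check that understands where the request line and headers end
will not. Whether that precision is worth the extra parsing depends on
how much legitimate traffic to the monitored server mentions ".htr".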

Detection support for these attacks will be included in future X-Press
Updates for RealSecure Network Sensor 6.x and 7.0. These XPUs will be
available from the ISS Download Center, and this alert will be updated
when these updates become available.

ISS X-Force recommends that IIS administrators disable unused ISAPI
extensions and filters on their IIS installations. In particular,
removing the .htr script mapping (the ISAPI extension that handles HTR
requests) eliminates exposure to this vulnerability and to several
others.

Microsoft recommends that all IIS administrators consider using the "IIS
Lockdown Tool" located at
http://www.microsoft.com/technet/security/tools/locktool.asp. This will
remove the HTR script mapping and other services and features that are
enabled by default but are unnecessary on most servers.

Microsoft has made the following patches available for this
vulnerability:

Microsoft IIS 4.0
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39579

Microsoft IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39217

Additional Information:

http://www.microsoft.com/technet/security/bulletin/MS02-029.asp
http://www.iss.net/security_center/
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp

______

About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email xforce@iss.net for
permission.

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key server,
as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPQn5JDRfJiV99eG9AQGPywQAgpKMZaTHmPyJ/fIn0Jz+X+BZP9ggQpPh
WpY8y38R0zOwdySB4jfp3hNr+HdwsK8DO2wYjJnQdREXEAAACnudJ1/htYwLa0zg
1RH3T8cW6hKkzdg4cjS6WTHmXSg5XwhGz6hdy+vkw7uk2l5MIKii3RHK2oKAOfck
lbg3EK93/mQ=
=du/7
-----END PGP SIGNATURE-----