Alert: Microsoft Security Bulletin - MS02-062

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 10/31/02


Date:         Thu, 31 Oct 2002 00:10:46 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

http://www.microsoft.com/technet/security/bulletin/MS02-062.asp

Cumulative Patch for Internet Information Service (Q327696)

Originally posted: October 30, 2002

Summary

Who should read this bulletin: Customers hosting web servers using Microsoft® Windows NT® 4.0, Windows® 2000, or Windows XP.

Impact of vulnerability: Four vulnerabilities, the most serious of which could enable applications on a server to gain system-level privileges.

Maximum Severity Rating: Moderate

Recommendation: Customers using IIS 4.0, 5.0 or 5.1 should consider applying the patch

Affected Software:
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Services 5.0
- Microsoft Internet Information Services 5.1

Technical description:

This patch is a cumulative patch that includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 and 5.1. A complete listing of the patches superseded by this patch is provided below, in the section titled "Additional information about this patch". Before applying the patch, system administrators should take note of the caveats discussed in the same section.

In addition to including previously released security patches, this patch also includes fixes for the following newly discovered security vulnerabilities affecting IIS 4.0, 5.0 and/or 5.1:
- A privilege elevation vulnerability affecting the way ISAPIs are launched when an IIS 4.0, 5.0 or 5.1 server is configured to run them out of process. By design, the hosting process (dllhost.exe) should run only in the security context of the IWAM_computername account; however, it can actually be made to acquire LocalSystem privileges under certain circumstances, thereby enabling an ISAPI to do likewise.
- A denial of service vulnerability that results because of a flaw in the way IIS 5.0 and 5.1 allocate memory for WebDAV requests. If a WebDAV request were malformed in a particular way, IIS would allocate an extremely large amount of memory on the server. By sending several such requests, an attacker could cause the server to fail.
- A vulnerability involving the operation of the script source access permission in IIS 5.0. This permission operates in addition to the normal read/write permissions for a virtual directory, and regulates whether scripts, .ASP files and executable file types can be uploaded to a write-enabled virtual directory. A typographical error in the table that defines the file types subject to this permission has the effect of omitting .COM files from the list of files subject to the permission. As a result, a user would need only write access to upload such a file.
- A pair of Cross-Site Scripting (CSS) vulnerabilities affecting IIS 4.0, 5.0 and 5.1, and involving administrative web pages. Each of these vulnerabilities has the same scope and effect: an attacker who was able to lure a user into clicking a link on his web site could relay a request containing script to a third-party web site running IIS, thereby causing the third-party site's response (still including the script) to be sent to the user. The script would then render using the security settings of the third-party site rather than the attacker's.
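The script source access item above turns on which file types a write-enabled virtual directory will accept. As an added example (not part of the bulletin or of IIS), the following Python scans IIS W3C extended log lines for PUT uploads of script or executable file types, including the .COM type the bulletin says was omitted, so an administrator can see whether such uploads reached a writable directory. The extension set, log lines, client addresses and paths are all constructed assumptions.

```python
"""Flag PUT uploads of script/executable file types in IIS W3C extended logs.
Added example for MS02-062's Script Source Access item; all sample data is constructed."""
import posixpath
from urllib.parse import unquote

# Assumed extension set: the bulletin names "scripts, .ASP files and executable
# file types" without listing them; .com is the type the typo omitted.
REGULATED_EXTS = {".asp", ".exe", ".dll", ".com", ".bat", ".cmd"}

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-10-31 00:11:02 192.0.2.10 GET /default.asp 200
2002-10-31 00:11:09 192.0.2.10 PUT /upload/tool.com 201
2002-10-31 00:11:15 192.0.2.11 PUT /upload/notes.txt 201
2002-10-31 00:11:20 192.0.2.12 PUT /upload/run%2Eexe 403
2002-10-31 00:11:25 192.0.2.12 PUT /upload/page.ASP 201
"""

def parse_w3c(log_text):
    """Yield one dict per log entry, keyed by the most recent #Fields directive."""
    fields = None
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue  # #Software, #Version, #Date carry no entries
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip rather than misalign columns on a malformed line
        yield dict(zip(fields, values))

def flag_uploads(log_text, exts=REGULATED_EXTS):
    """Return PUT requests whose decoded target path has a regulated extension."""
    hits = []
    for rec in parse_w3c(log_text):
        if rec.get("cs-method", "").upper() != "PUT":
            continue
        path = unquote(rec.get("cs-uri-stem", ""))  # catch %2E-obscured dots
        ext = posixpath.splitext(path)[1].lower()
        if ext in exts:
            hits.append({"time": rec.get("time"), "client": rec.get("c-ip"),
                         "path": path, "ext": ext,
                         "succeeded": rec.get("sc-status", "").startswith("2")})
    return hits

if __name__ == "__main__":
    for hit in flag_uploads(SAMPLE_LOG):
        print(hit)
```

A hit with `succeeded` true on a 2xx status means the server accepted the file; a 4xx hit shows the permission check (or the patch) stopped it.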

In addition, the patch causes IIS 5.0 and 5.1 to change how frequently the socket backlog list - which, when all connections on a server are allocated, holds the list of pending connection requests - is purged. The patch changes IIS to purge the list more frequently in order to make it more resilient to flooding attacks. The backlog monitoring feature is not present in IIS 4.0.

Mitigating factors:
Out of Process Privilege Elevation:
- This vulnerability could only be exploited by an attacker who already had the ability to load and execute applications on an affected web server. Normal security practices recommend that untrusted users not be allowed to load applications onto a server, and that even trusted users' applications be scrutinized before allowing them to be loaded.
WebDAV Denial of Service:
- The vulnerability does not affect IIS 4.0, as WebDAV is not supported in this version of IIS.
- The vulnerability could only be exploited if the server allowed WebDAV requests to be levied on it. The IIS Lockdown Tool, if deployed in its default configuration, disables such requests.
Script Source Access Vulnerability:
- The vulnerability could only be exploited if the administrator had granted all users write and execute permissions to one or more virtual directories on the server. Default configurations of IIS would be at no risk from this vulnerability.
- The vulnerability does not affect IIS 4.0, as WebDAV is not supported in this version of IIS.
- The vulnerability could only be exploited if the server allowed WebDAV requests to be levied on it. The IIS Lockdown Tool, if deployed in its default configuration, disables such requests.
Cross-site Scripting in IIS Administrative Pages:
- The vulnerabilities could only be exploited if the attacker could entice another user into visiting a web page and clicking a link on it, or opening an HTML mail.
- By default, the pages containing the vulnerability are restricted to local IP address. As a result, the vulnerability could only be exploited if the client itself were running IIS.

Vulnerability identifier:
- Out of Process Privilege Elevation: CAN-2002-0869
- WebDAV Denial of Service: CAN-2002-1182
- Script Source Access Vulnerability: CAN-2002-1180
- Script Source Access Vulnerability: CAN-2002-1181

This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

I can only hope that the information it does contain can be read well enough to serve its purpose.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
