[NT] Cumulative Patch for Internet Information Services
From: support@securiteam.com To: list@securiteam.com Date: Wed, 10 Apr 2002 23:21:01 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cumulative Patch for Internet Information Services
------------------------------------------------------------------------
SUMMARY
This patch is a cumulative patch that includes the functionality of all
security patches released for IIS 4.0 since Windows NT 4.0 Service Pack
6a, and all security patches released to date for IIS 5.0 and 5.1. A
complete listing of the patches superseded by this patch is provided
below, in the section titled "Additional information about this patch".
Before applying the patch, system administrators should take note of the
caveats discussed in the same section.
In addition to including previously released security patches, this patch
also includes fixes for the following newly discovered security
vulnerabilities affecting IIS 4.0, 5.0 and/or 5.1:
* A buffer overrun vulnerability involving the operation of the chunked
encoding transfer mechanism via Active Server Pages in IIS 4.0 and 5.0. An
attacker who exploited this vulnerability could overrun heap memory on the
system, with the result of either causing the IIS service to fail or
allowing code to be run on the server.
* A Microsoft-discovered vulnerability that is related to the preceding
one, but which lies elsewhere within the ASP data transfer mechanism. It
could be exploited in a similar manner as the preceding vulnerability, and
would have the same scope. However, it affects IIS 4.0, 5.0, and 5.1.
* A buffer overrun involving how IIS 4.0, 5.0 and 5.1 process HTTP header
information in certain cases. IIS performs a safety check prior to parsing
the fields in HTTP headers, to ensure that expected delimiter fields are
present and in reasonable places. However, it is possible to spoof the
check, and convince IIS that the delimiters are present even when they are
not. This flaw could enable an attacker to create a URL whose HTTP header
field values would overrun a buffer used to process them.
* A Microsoft-discovered buffer overrun vulnerability in IIS 4.0, 5.0 and
5.1 that results from an error in a safety check that is performed during
server-side includes. In some cases, a user request for a web page is
properly processed by including the file into an ASP script and processing
it. Prior to processing the include request, IIS performs an operation on
the user-specified file name, designed to ensure that the file name is
valid and sized appropriately to fit in a static buffer. However, in some
cases it could be possible to provide a bogus, extremely long file name in
a way that would pass the safety check, thereby resulting in a buffer
overrun.
* A buffer overrun affecting the HTR ISAPI extension in IIS 4.0 and 5.0.
By sending a series of especially malformed HTR requests, it could be
possible to either cause the IIS service to fail or, under a very
difficult operational scenario, to cause code to run on the server.
* A denial of service vulnerability involving the way IIS 4.0, 5.0, and
5.1 handle an error condition from ISAPI filters. At least one ISAPI
filter (which ships as part of FrontPage Server Extensions and ASP.NET),
and possibly others, generate an error when a request is received
containing a URL that exceeds the maximum length set by the filter. In
processing this error, the filter replaces the URL with a null value. A
flaw results because IIS attempts to process the URL in the course of
sending the error message back to the requester, resulting in an access
violation that causes the IIS service to fail.
* A denial of service vulnerability involving the way the FTP service in
IIS 4.0, 5.0 and 5.1 handles a request for the status of the current FTP
session. If an attacker were able to establish an FTP session with an
affected server, and levied a status request that created a particular
error condition, a flaw in the FTP code would prevent it from correctly
reporting the error. Other code within the FTP service would then attempt
to use uninitialized data, with an access violation as the result. This
would result in the disruption of not only FTP services, but also of web
services.
* A trio of Cross-Site Scripting (CSS) vulnerabilities affecting IIS 4.0,
5.0 and 5.1: one involving the results page that's returned when searching
the IIS Help Files, one involving HTTP error pages; and one involving the
error message that's returned to advise that a requested URL has been
redirected. All of these vulnerabilities have the same scope and effect:
an attacker who was able to lure a user into clicking a link on his web
site could relay a request containing script to a third-party web site
running IIS, thereby causing the third-party site's response (still
including the script) to be sent to the user. The script would then render
using the security settings of the third-party site rather than the
attacker's.
DETAILS
Affected Software:
* Microsoft Internet Information Server 4.0
* Microsoft Internet Information Services 5.0
* Microsoft Internet Information Services 5.1
Note: Beta versions of .NET Server after Build 3605 contain fixes for all
of the vulnerabilities affecting IIS 6.0. As discussed in the FAQ,
Microsoft is working directly with the small number of customers who are
using the .NET Server beta version in production environments to provide
immediate remediation for them.
Mitigating factors:
Buffer overrun in Chunked Encoding transfer:
* On default installations of IIS 5.0 and 5.1, exploiting the
vulnerability to run code would grant the attacker the privileges of the
IWAM_computername account, which has only the privileges commensurate with
those of an interactively logged-on unprivileged user.
* The vulnerability requires that Active Server Pages (ASP) be enabled on
the system in order to be exploited. Version 1.0 of the IIS Lockdown Tool
removes ASP by default, and the current version (version 2.1) removes it
by default if Static Web Server has been selected.
* The URLScan tool can be configured to prevent chunked encoding
requests. If this has been done, the vulnerability could not be exploited.
Microsoft-discovered variant of Chunked Encoding buffer overrun:
* This vulnerability is subject to exactly the same mitigating factors as
the buffer overrun in the Chunked Encoding transfer, with one exception.
The URLScan tool could not be used to protect against the vulnerability.
Buffer Overrun in HTTP header handling:
* On default installations of IIS 5.0 and 5.1, exploiting the
vulnerability to run code would grant the attacker the privileges of the
IWAM_computername account, which has only the privileges commensurate with
those of an interactively logged-on unprivileged user.
* The vulnerability requires that Active Server Pages (ASP) be enabled on
the system in order to be exploited. Version 1.0 of the IIS Lockdown Tool
removes ASP by default, and the current version (version 2.1) removes it
by default if Static Web Server has been selected.
* The URLScan tool's default ruleset would likely limit the attacker to
using this vulnerability for denial of service attacks only.
Buffer Overrun in ASP Server-Side Include Function:
* On default installations of IIS 5.0 and 5.1, exploiting the
vulnerability to run code would grant the attacker the privileges of the
IWAM_computername account, which has only the privileges commensurate with
those of an interactively logged-on user.
* The vulnerability requires that Active Server Pages (ASP) be enabled on
the system in order to be exploited. Version 1.0 of the IIS Lockdown Tool
removes ASP by default, and the current version (version 2.1) removes it
by default if Static Web Server has been selected.
* The URLScan tool's default ruleset would likely limit the attacker to
using this vulnerability for denial of service attacks only.
Buffer overrun in HTR ISAPI extension:
* Microsoft has long recommended disabling the HTR ISAPI extension.
Systems on which this has been done would be at no risk from the
vulnerability. (All versions of the IIS Lockdown Tool disable HTR support
by default).
* The URLScan tool, if using its default ruleset, would prevent this
vulnerability from being exploited to run code on the server even if HTR
support was enabled.
* The vulnerability could only be used to run code on the server if the
attacker knew the locations of certain information in memory. In practice,
the most likely such situation would occur if the web server had never
served any web content since being rebooted. In all other cases, it would
only be possible to use the vulnerability for denial of service attacks.
* On default installations of IIS 5.0 and 5.1, exploiting the
vulnerability to run code would grant the attacker the privileges of the
IWAM_computername account, which has only the privileges commensurate with
those of an interactively logged-on user.
* If the vulnerability were used in a denial of service attack, normal
operation could be restored on an IIS 4.0 server by restarting the IIS
service; on IIS 5.0 and higher, the service would automatically restart
itself.
Access violation in URL error handling:
* An IIS 4.0 server could be put back into normal operation by restarting
the service. An IIS 5.0 or 5.1 server would automatically restart the
service.
* The vulnerability could only be used for denial of service attacks.
There is no capability to use the vulnerability to gain privileges on the
system.
* The sole ISAPI filter known to generate the error that results in the
access violation ships only as part of FrontPage Server Extensions and
ASP.NET. ASP.NET is not installed by default, and FPSE can be uninstalled
if desired.
Denial of service via FTP Status request:
* The IIS Lockdown Tool disables FTP support by default.
* An IIS 4.0 server could be put back into normal operation by restarting
the service. An IIS 5.0 or 5.1 server would automatically restart the
service.
* The vulnerability could only be used for denial of service attacks.
There is no capability to use the vulnerability to gain privileges on the
system.
Cross-site Scripting in IIS Help File search facility, HTTP Error Page,
and Redirect Response message:
* The vulnerabilities could only be exploited if the attacker could
entice another user into visiting a web page and clicking a link on it, or
opening an HTML mail.
* The Redirect Response vulnerability could only be exploited if the user
was running a browser other than Internet Explorer. IE does not actually
render the text in the Redirect Response, but instead recognizes it by its
response header and processes the redirect without displaying any text.
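The mitigating factors above point at three things an administrator can look for in existing IIS logs: requests for .htr resources on servers where HTR support should already be disabled, unusually long URLs of the kind that trigger the ISAPI filter length error, and script fragments aimed at the Help search, error-page and redirect paths. The script below is an added example (not a Microsoft or SecuriTeam tool) that reads W3C extended log lines, takes the column layout from the #Fields directive, and reports matching requests. The log lines, the length threshold and the rule names are constructed for this example.

```python
"""Triage of IIS W3C extended log lines against the exposure points in the advisory (added example)."""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Assumption: URLs longer than this are worth review; tune per site.
URL_LENGTH_THRESHOLD = 1024

# Script fragments checked after URL-decoding the stem and query.
SCRIPT_RE = re.compile(r"<\s*script|javascript:", re.IGNORECASE)


def triage_record(rec: Dict[str, str]) -> List[str]:
    """Return the list of rule names a single parsed log record matches."""
    findings = []
    stem = rec.get("cs-uri-stem", "-")
    query = rec.get("cs-uri-query", "-")
    full_url = stem + ("" if query == "-" else "?" + query)

    if stem.lower().endswith(".htr"):
        findings.append("htr-request")          # HTR ISAPI extension should be disabled
    if len(full_url) > URL_LENGTH_THRESHOLD:
        findings.append("oversized-url")        # filter length-error path
    if SCRIPT_RE.search(unquote(full_url)):
        findings.append("script-in-request")    # XSS attempts via search/error pages
    return findings


def triage_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Parse W3C extended log lines and return (client ip, uri stem, findings) per hit.

    The column order is taken from the most recent #Fields directive, so the
    function works with whatever field set the server was configured to log.
    """
    columns = None
    results = []
    for line in lines:
        if line.startswith("#Fields:"):
            columns = line.split()[1:]
            continue
        if line.startswith("#") or columns is None:
            continue                             # other directives, or no layout yet
        values = line.split()
        if len(values) != len(columns):
            continue                             # malformed line: do not guess alignment
        rec = dict(zip(columns, values))
        findings = triage_record(rec)
        if findings:
            results.append((rec.get("c-ip", "-"), rec.get("cs-uri-stem", "-"), findings))
    return results


# Constructed log lines; the IP addresses are from the documentation range.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-04-10 23:21:01 192.0.2.10 GET /default.asp - 200",
    "2002-04-10 23:21:05 192.0.2.11 GET /example.htr - 404",
    "2002-04-10 23:21:09 192.0.2.12 GET /help/search.asp q=%3Cscript%3Ex%3C%2Fscript%3E 200",
    "2002-04-10 23:21:12 192.0.2.13 GET /" + "a" * 1100 + " - 500",
]

if __name__ == "__main__":
    for client_ip, stem, findings in triage_log(SAMPLE_LOG):
        print(f"{client_ip} {stem[:40]} {','.join(findings)}")
```

A clean hit list from such a scan does not prove the server is unaffected; it only confirms that none of the visible exposure points has been touched, which is why the patch and the IIS Lockdown and URLScan settings above remain the actual fix.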
Patch availability:
Download locations for this patch
* Microsoft IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37931
* Microsoft IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37824
* Microsoft IIS 5.1:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37857
ADDITIONAL INFORMATION
The information has been provided by Microsoft Product Security.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.