From: Russ (Russ.CooperRC.ON.CA)
Date: Thu Aug 16 2001 - 09:40:23 CDT


    -----BEGIN PGP SIGNED MESSAGE-----

    Microsoft have released a new Security Bulletin, MS01-044, which is a
    cumulative IIS security patch (with versions of the patch for IIS 4.0
    and IIS 5.0, which includes Personal Web Server and Outlook Web
    Access servers). It includes all IIS hotfixes since NT 4.0 SP5 or W2K
    Gold Release (original) and can be applied to any system with those
    minimums.

    I understand that you've probably just finished ensuring that all of
    your IIS servers have had MS01-033 (the IDQ.DLL patch) applied. Maybe
    you even went so far as to apply MS01-026 (the last IIS cumulative
    patch).

    I'm loath to ask you to now go back to all of these machines and
    apply yet another patch; however, there are several circumstances
    that may apply to your systems that might make it necessary for you
    to get this new Security Bulletin patch applied quickly:

    a) You're a web hosting environment.

    b) You permit authoring on your IIS systems.

    c) You have a web site on an IIS 4.0 box that does URL redirects
    only.

    Otherwise, you can probably schedule this to be applied in your next
    maintenance window.

    Five new vulnerabilities are addressed in this Security Bulletin, two
    privilege escalation issues and three Denial of Service issues. In
    particular, if you're still running IIS 4.0, make sure you read the
    information under #1 below:

    1. IIS 4.0 runs all processes executed by IIS as "in-process"
    applications. This means they can attain the privilege of the W3SVC
    service. By default W3SVC runs as LocalSystem.

    IIS 5.0 allows processes to be defined as in-process or
    out-of-process. However, several unspecified applications will always
    be trusted by IIS 5.0 and run in-process. Like the vulnerability
    identified as MS00-052, IIS was determining whether an application
    was one of these trusted applications by relative path. So if a
    correctly named application were implanted in a directory which was
    seen by IIS (or invoked directly, say by placing it in the \scripts
    directory), IIS 5.0 would trust it and grant it in-process
    privileges. It could then gain the privilege of the parent process
    (IIS), granting it escalated privileges regardless of privileges
    specified within IIS configuration.

    Pretty serious problem. MS has not released the names of the trusted
    applications (which, I think, it should so those applications can be
    searched for and appropriate action taken).

    Affects IIS 5.0 only because only IIS 5.0 can allow out-of-process
    applications to be spawned by IIS. IIS 4.0 *must not* allow untrusted
    apps to run since any of them can gain escalated privileges (since
    they all run in-process).

    2. There exists a Buffer Overrun on IIS 4.0 and IIS 5.0 related to
    server side includes. If a properly formatted SSI file is placed on a
    web server, and IIS is asked to deliver it, it's possible to gain
    LocalSystem privilege and run arbitrary commands on the server.

    Affects IIS 4.0 and IIS 5.0

    3. When Code Red (any existing known variant) is received by an IIS
    4.0 box that has not applied MS01-033, the W3SVC service fails. Once
    MS01-033 is applied, this should not occur; the service should
    continue to operate despite Code Red attacks.

    However, if the IIS 4.0 box has a web site configured to perform URL
    redirection only (as an IP-addressed web site) and Code Red attacks
    that IP address, it will cause the W3SVC service to fail, regardless
    of whether MS01-033 is present or not.

    There was speculation that this was due to a fault in MS01-033. MS
    state that is not the case, and so have offered this fix for this new
    vulnerability.

    Affects IIS 4.0 only.

    4. Yet another WebDAV problem. This one doesn't handle a long
    malformed request well, leading to a DoS.

    To disable WebDAV see:

    http://support.microsoft.com/support/kb/articles/Q241/5/20.ASP

    Previous WebDAV security issue documented in:

    http://www.microsoft.com/technet/security/bulletin/MS01-016.asp

    Affects 5.0 only (WebDAV is not available in IIS 4.0)

    5. Invalid MIME Content-Type field value can cause IIS 5.0 to stop
    processing requests.

    If your IIS 5.0 system appears to hang, check the following:

    - Open the Internet Services Manager
    - Right-click on the virtual directory containing the content
    - Select HTTP Headers, then click on File Types
    - Search for an entry in the list whose MIME type is empty, and
    delete it.

    Affects 5.0 only

    Full Details of the patch can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Privacy 6.5.2

    iQCVAwUBO3vbVxBh2Kw/l7p5AQHouwP+MLq384J55j9RUXrfKYUGHr7D3fNE5WGu
    bvwyeySVaprf/JJHWrgioTjdBNdfXdfMmtbZw1LmshksiagJ9VOf4PsMFpMLHvGF
    hPjjeGxmhhWFNW1EEqcjNp/f3MxKaEjCKGgx4De8ifoG4oie3M7KcKUNvPtlQffF
    Nr8eDx8iiVI=
    =Enkz
    -----END PGP SIGNATURE-----
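A scripted equivalent of the Internet Services Manager check under item 5 above, added here as an example; it is not part of Russ's post nor of the Microsoft bulletin. It uses the IIS ADSI provider that ships with IIS 4.0 and 5.0 (the same interface adsutil.vbs is built on) to read the MimeMap property from the global map at IIS://localhost/MimeMap, from the W3SVC service node, and from each web site's Root, and prints every entry whose MIME type is empty. Passing /fix rewrites the affected node without those entries, which is the scripted form of the "delete it" step. The file name mimecheck.vbs, the /fix switch, and the assumption that it is run on the server itself (localhost) are this example's own conventions; the metabase paths are the standard IIS layout.

```vbscript
' Added example (not from the original post): report, and with /fix remove,
' MimeMap entries whose MIME type is empty, the condition item 5 of MS01-044
' tells you to look for under HTTP Headers -> File Types.
' Run on the IIS server itself:   cscript //nologo mimecheck.vbs [/fix]
' Assumes the standard metabase layout: global map at IIS://localhost/MimeMap,
' web sites under IIS://localhost/W3SVC/<n>/Root.
Option Explicit

Const ADS_PROPERTY_UPDATE = 2   ' ADSI: replace the whole multi-valued property

Dim fix, total, svc, site
fix = False
If WScript.Arguments.Count > 0 Then fix = (LCase(WScript.Arguments(0)) = "/fix")

' Examine one metabase path below IIS://localhost/. Returns the number of
' entries with an empty MIME type found there (0 if the node has no MimeMap).
Function CheckNode(path)
    Dim node, entries, entry, keep, good, bad, i
    CheckNode = 0
    bad = 0
    good = 0

    On Error Resume Next
    Set node = GetObject("IIS://localhost/" & path)
    If Err.Number <> 0 Then Err.Clear : Exit Function
    entries = node.GetEx("MimeMap")
    If Err.Number <> 0 Then Err.Clear : Exit Function   ' no MimeMap set here
    On Error GoTo 0
    If Not IsArray(entries) Then Exit Function

    ' Each element is an IISMimeType object with Extension and MimeType.
    For Each entry In entries
        If Trim(entry.MimeType & "") = "" Then
            bad = bad + 1
            WScript.Echo path & ": extension '" & entry.Extension & _
                         "' has an empty MIME type"
        Else
            good = good + 1
        End If
    Next
    CheckNode = bad
    If bad = 0 Or Not fix Then Exit Function

    ' Rebuild the map without the offending entries and write it back.
    If good = 0 Then
        keep = Array()
    Else
        ReDim keep(good - 1)
        i = 0
        For Each entry In entries
            If Trim(entry.MimeType & "") <> "" Then
                Set keep(i) = entry
                i = i + 1
            End If
        Next
    End If
    node.PutEx ADS_PROPERTY_UPDATE, "MimeMap", keep
    node.SetInfo
    WScript.Echo path & ": removed " & bad & " entry(s) with an empty MIME type"
End Function

' Global map first, then the service node, then every site's root directory.
total = CheckNode("MimeMap")
total = total + CheckNode("W3SVC")
Set svc = GetObject("IIS://localhost/W3SVC")
For Each site In svc
    If site.Class = "IIsWebServer" Then
        total = total + CheckNode("W3SVC/" & site.Name & "/Root")
    End If
Next

If total = 0 Then
    WScript.Echo "No MimeMap entries with an empty MIME type found."
Else
    WScript.Echo total & " entry(s) with an empty MIME type found."
End If
```

Run it without /fix first and read the report: an extension listed at more than one node is usually a single definition that the lower nodes inherit, so fix the highest node where it appears and re-run before touching individual site roots. The script only looks at each site's Root; a MimeMap set directly on a deeper virtual directory (which is where the post's GUI steps start) can be checked by passing that path, for example CheckNode("W3SVC/1/Root/scripts").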