From: Prancin' Enterprises Mail Drop (mail@PRANCIN.COM)
Date: Thu Aug 16 2001 - 18:14:58 CDT


    I spoke to Russ before sending this message and he suggested I send the
    information to the group. In Russ' message below he talks about in- and
    out-of-process with IIS 4 & 5. Some of the information isn't quite right.
    This is what I sent to him earlier:

    In your item 1, IIS 4 does not necessarily run all Web applications
    in-process. That is the default, but you can set a Web to run out-of-process
    (just like in IIS 5) if you want it to run that way (which, as you probably
    know, is a good way for IIS servers that host multiple sites to keep each
    site from stepping on other sites and/or the main IIS process, although you
    take a small performance hit running out-of-process).

    Therefore, I don't believe this is true: "IIS 4.0 *must not* allow untrusted
    apps to run since any of them can gain escalated privileges (since they all
    run in-process)".

    IIS 5 has added a third level of protection to run Web apps in. Along with
    the usual in-process (Low) and out-of-process (High) there is now a Medium
    setting that can be applied which allows multiple Web apps to share the same
    process space (I suppose you'd set Web apps to this setting when you know
    they play well together).

    -glenn-

    -----Original Message-----
    From: Windows NTBugtraq Mailing List
    [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of Russ
    Sent: Thursday, August 16, 2001 10:40 AM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: Re: Microsoft Security Bulletin MS01-044

    -----BEGIN PGP SIGNED MESSAGE-----

    Microsoft have released a new Security Bulletin, MS01-044, which is a
    cumulative IIS security patch (with versions of the patch for IIS 4.0
    and IIS 5.0, which includes Personal Web Server and Outlook Web
    Access servers). It includes all IIS hotfixes since NT 4.0 SP5 or W2K
    Gold Release (original) and can be applied to any system with those
    minimums.

    I understand that you've probably just finished ensuring that all of
    your IIS servers have had MS01-033 (the IDQ.DLL patch) applied. Maybe
    you even went so far as to apply MS01-026 (the last IIS cumulative
    patch).

    I'm loath to ask you to now go back to all of these machines and
    apply yet another patch, however...there are several circumstances
    that may apply to your systems that might make it necessary for you
    to get this new Security Bulletin patch applied quickly;

    a) You're a web hosting environment.

    b) You permit authoring on your IIS systems.

    c) You have a web site on an IIS 4.0 box that does URL redirects
    only.

    Otherwise, you can probably schedule this to be applied in your next
    maintenance window.

    Five new vulnerabilities are addressed in this Security Bulletin, two
    privilege escalation issues and three Denial of Service issues. In
    particular, if you're running IIS 4.0 still make sure you read the
    information under #1 below;

    1. IIS 4.0 runs all processes executed by IIS as "in-process"
    applications. This means they can attain the privilege of the W3SVC
    service. By default W3SVC runs as LocalSystem.

    IIS 5.0 allows processes to be defined as in-process or
    out-of-process. However, several unspecified applications will always
    be trusted by IIS 5.0 and run in-process. Like the vulnerability
    identified as MS00-052, IIS was determining whether an application
    was one of these trusted applications by relative path. So implanting
    a correctly named application in a directory which was seen by IIS
    (or invoking it directly, say by placing it in the \scripts
    directory), IIS 5.0 would trust it and grant it in-process
    privileges. It could then gain the privilege of the parent process
    (IIS), granting it escalated privileges regardless of privileges
    specified within IIS configuration.

    Pretty serious problem. MS has not released the names of the trusted
    applications (which, I think, it should so those applications can be
    searched for and appropriate action taken).

    Affects IIS 5.0 only because only IIS 5.0 can allow out-of-process
    applications to be spawned by IIS. IIS 4.0 *must not* allow untrusted
    apps to run since any of them can gain escalated privileges (since
    they all run in-process).

    2. There exists a Buffer Overrun on IIS 4.0 and IIS 5.0 related to
    server side includes. If a properly formatted SSI file is placed on a
    web server, and IIS is asked to deliver it, it's possible to gain
    LocalSystem privilege and run arbitrary commands on the server.

    Affects IIS 4.0 and IIS 5.0

    3. When Code Red (any existing known variant) is received by an IIS
    4.0 box that has not applied MS01-033, the W3SVC service fails. Once
    MS01-033 is applied, this should not occur, the service should
    continue to operate despite Code Red attacks.

    However, if the IIS 4.0 box has configured a web site to perform URL
    redirection only (as an IP addressed web site), if Code Red attacks
    that IP address it will cause the W3SVC service to fail, regardless
    of MS01-033 being present or not.

    There was speculation that this was due to a fault in MS01-033. MS
    state that is not the case, and so have offered this fix for this new
    vulnerability.

    Affects IIS 4.0 only.

    4. Yet another WebDAV problem. This one doesn't handle a long
    malformed request well, leading to a DoS.

    To disable WebDAV see;

    http://support.microsoft.com/support/kb/articles/Q241/5/20.ASP

    Previous WebDAV security issue documented in;

    http://www.microsoft.com/technet/security/bulletin/MS01-016.asp

    Affects 5.0 only (WebDAV is not available in IIS 4.0)

    5. Invalid MIME Content-Type field value can cause IIS 5.0 to stop
    processing requests.

    If your IIS 5.0 system appears to hang, check the following;

    - Open the Internet Services Manager
    - Right-click on the virtual directory containing the content
    - Select HTTP Headers, then click on File Types
    - Search for an entry in the list whose MIME type is empty, and
    delete it.

    Affects 5.0 only

    Full Details of the patch can be found at;

    http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Privacy 6.5.2

    iQCVAwUBO3vbVxBh2Kw/l7p5AQHouwP+MLq384J55j9RUXrfKYUGHr7D3fNE5WGu
    bvwyeySVaprf/JJHWrgioTjdBNdfXdfMmtbZw1LmshksiagJ9VOf4PsMFpMLHvGF
    hPjjeGxmhhWFNW1EEqcjNp/f3MxKaEjCKGgx4De8ifoG4oie3M7KcKUNvPtlQffF
    Nr8eDx8iiVI=
    =Enkz
    -----END PGP SIGNATURE-----
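    The protection levels discussed in both messages above (in-process Low,
    pooled Medium, isolated High) are stored in the IIS metabase as the
    AppIsolated property of each application root. The script below is an
    added example, not code from either poster or from Microsoft: it walks the
    local W3SVC tree through the IIS ADSI provider and reports the level of
    every application, so the in-process ones (the ones that inherit the
    LocalSystem privilege of inetinfo.exe) can be reviewed before the MS01-044
    patch window. It assumes a local IIS 4.0 or 5.0 with the ADSI provider
    installed and an administrative logon; the file name appiso.vbs and the
    value-to-name mapping in LevelName are the example's own assumptions.

```vbscript
' Added example: audit the application protection level of every IIS Web
' application on the local machine via the IIS ADSI provider.
' Usage (from an administrative command prompt):  cscript appiso.vbs
'
' AppIsolated metabase values (assumed meaning):
'   0 = Low    (in-process: runs inside inetinfo.exe, i.e. as LocalSystem)
'   1 = High   (out-of-process: own package, runs as IWAM_<machine>)
'   2 = Medium (pooled out-of-process; IIS 5.0 only)
Option Explicit

Dim inProcCount
inProcCount = 0

Function LevelName(iso)
    Select Case iso
        Case 0: LevelName = "Low (in-process, LocalSystem)"
        Case 1: LevelName = "High (isolated)"
        Case 2: LevelName = "Medium (pooled)"
        Case Else: LevelName = "unknown (" & iso & ")"
    End Select
End Function

' Metabase-style path of an ADSI object:
'   IIS://localhost/W3SVC/1/ROOT/scripts  ->  /W3SVC/1/ROOT/SCRIPTS
Function MetaPath(obj)
    Dim p
    p = UCase(obj.ADsPath)
    MetaPath = Mid(p, InStr(p, "/W3SVC"))
End Function

' A node is an application root when its (inheritable) AppRoot property
' points at the node itself. AppRoot is stored as /LM/W3SVC/..., so the
' /LM prefix is stripped before comparing.
Function IsAppRoot(obj)
    Dim root
    IsAppRoot = False
    On Error Resume Next
    root = obj.AppRoot
    If Err.Number <> 0 Then
        Err.Clear
        Exit Function
    End If
    On Error GoTo 0
    If root = "" Then Exit Function
    root = UCase(root)
    IsAppRoot = (Mid(root, InStr(root, "/W3SVC")) = MetaPath(obj))
End Function

' Recurse only through classes known to be ADSI containers; leaf classes
' such as IIsFilter do not support For Each.
Sub Walk(obj)
    Dim child, cls
    cls = obj.Class
    If cls = "IIsWebVirtualDir" Or cls = "IIsWebDirectory" Then
        If IsAppRoot(obj) Then
            WScript.Echo MetaPath(obj) & vbTab & LevelName(obj.AppIsolated)
            If obj.AppIsolated = 0 Then inProcCount = inProcCount + 1
        End If
    End If
    If cls = "IIsWebService" Or cls = "IIsWebServer" Or _
       cls = "IIsWebVirtualDir" Or cls = "IIsWebDirectory" Then
        For Each child In obj
            Walk child
        Next
    End If
End Sub

Walk GetObject("IIS://localhost/W3SVC")
WScript.Echo inProcCount & " application(s) running in-process"
```

    Each line of output is one application root and its level; the final
    count is the number of applications that would execute inside inetinfo.exe
    as LocalSystem. To move an application out of process, use the Internet
    Services Manager (Application Protection on the Home/Virtual Directory
    tab) or, on IIS 5.0, the IIsWebVirtualDir AppCreate2 method with the
    desired mode; setting AppIsolated directly with adsutil.vbs changes the
    flag without creating the package, so it is not the preferred route.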
