From: Russ (Russ.CooperRC.ON.CA)
Date: Wed Jun 12 2002 - 17:00:18 CDT

    http://www.microsoft.com/technet/security/bulletin/MS02-028.asp

    Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise (Q321599)

    Originally posted: June 12, 2002

    Summary

    Who should read this bulletin: Customers hosting web servers using Microsoft® Windows NT® 4.0 or Windows® 2000.

    Impact of vulnerability: Run code of an attacker's choice on the system

    Maximum Severity Rating: Moderate

    Recommendation: Customers who have a business-critical reason for retaining HTR scripting should apply the patch immediately. All others should ensure HTR is disabled.

    Affected Software:
    - Microsoft Internet Information Server 4.0
    - Microsoft Internet Information Services 5.0

    Technical description:

    This patch eliminates a newly discovered vulnerability affecting Internet Information Services. Although Microsoft typically delivers cumulative patches for IIS, in this case we have delivered a patch that eliminates only this new vulnerability, while completing a cumulative patch. When the cumulative patch is customer-ready, we will update this bulletin with information on its availability. The FAQ provides information on the circumstances surrounding the vulnerability, and why we believe releasing a singleton patch immediately is in customers' best interests. To ensure that servers are fully protected against past as well as current vulnerabilities, we strongly recommend installing the previous cumulative patch (discussed in Microsoft Security Bulletin MS02-018) before installing this patch.

    The vulnerability is similar to the first vulnerability discussed in Microsoft Security Bulletin MS02-018. Like that vulnerability, this one involves a buffer overrun in the Chunked Encoding data transfer mechanism in IIS 4.0 and 5.0, and could likewise be used to overrun heap memory on the system, with the result of either causing the IIS service to fail or allowing code to be run on the server. The chief difference between the vulnerabilities is that the newly discovered one lies in the ISAPI extension that implements HTR - an older, largely obsolete scripting technology - where the previous one lay in the ISAPI extension that implements ASP.

    Mitigating factors:
    - Microsoft has long recommended disabling HTR functionality unless there is a business-critical reason for retaining it. Systems on which HTR is disabled would not be at risk from this vulnerability.
    - The IIS Lockdown Tool disables HTR by default in all server configurations.
    - The current version of the URLScan tool provides a means of blocking chunked encoding transfer requests by default.
    - On default installations of IIS 5.0, exploiting the vulnerability to run code would grant the attacker the privileges of the IWAM_computername account, which has only the privileges commensurate with those of an interactively logged-on unprivileged user.

    Vulnerability identifier: CAN-2002-0364

    This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

    I can only hope that the information it does contain can be read well enough to serve its purpose.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
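
The request pattern the bulletin above describes, as an added example that is not part of the original post or of any Microsoft tool: a small Python checker that classifies raw HTTP request heads by whether they target an HTR resource, use chunked transfer encoding, or both, mirroring the two mitigations the bulletin lists (disable HTR; have URLScan block chunked requests). The sample requests and the `/scripts/example.htr` path are constructed.

```python
# Added example (not from the bulletin or the NTBugtraq post). Classifies a raw
# HTTP request head for the conditions MS02-028 combines: an HTR target and
# chunked transfer encoding. Useful when reviewing captured requests or
# checking that a URLScan-style filter rejects what it should.
from urllib.parse import urlsplit


def parse_request_head(raw: str):
    """Return (method, request-target, headers) with header names and values lowercased."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, target = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the head; ignore any body
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip().lower()
    return method, target, headers


def classify(raw: str) -> str:
    """'htr-chunked' | 'htr' | 'chunked' | 'ok' for one request head."""
    _method, target, headers = parse_request_head(raw)
    path = urlsplit(target).path.lower()          # drop query string, ignore case
    uses_htr = path.endswith(".htr")
    encodings = [t.strip() for t in headers.get("transfer-encoding", "").split(",")]
    chunked = "chunked" in encodings              # handles "gzip, chunked" too
    if uses_htr and chunked:
        return "htr-chunked"   # the combination the bulletin is about
    if uses_htr:
        return "htr"           # HTR should be disabled (IIS Lockdown does this by default)
    if chunked:
        return "chunked"       # URLScan's default configuration blocks this
    return "ok"


# Constructed sample request heads, not captured traffic.
SAMPLE_REQUESTS = {
    "normal": "GET /default.asp HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "htr_only": "GET /scripts/example.htr HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "htr_chunked": ("POST /scripts/Example.HTR?x=1 HTTP/1.1\r\nHost: www.example.com\r\n"
                    "Transfer-Encoding: gzip, chunked\r\n\r\n"),
}

if __name__ == "__main__":
    for name, head in SAMPLE_REQUESTS.items():
        print(f"{name:12s} -> {classify(head)}")
```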