OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Peter Gründl (pgrundlkpmg.dk)
Date: Thu Apr 11 2002 - 04:34:08 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    --------------------------------------------------------------------

                -=>Microsoft IIS W3SVC Denial of Service<=-
                          courtesy of KPMG Denmark

    BUG-ID: 2002009
    CVE: CAN-2002-0072
    Released: 11th Apr 2002
    --------------------------------------------------------------------
    Problem:
    ========
    A flaw in internal object interaction could allow a malicious user
    to bring down Internet Information Server 4.0, 5.0 and 5.1.

    Vulnerable:
    ===========
    - Microsoft Internet Information Server 4.0 with FP2002
    - Microsoft Internet Information Server 5.0 with FP2002
    - Microsoft Internet Information Server 5.1 with FP2002

    Details:
    ========
    This vulnerability was discovered by Dave Aitel from stake and by
    Peter Gründl from KPMG. It was done independently, and both
    reported the same two vulnerabilities to the same vendor at around
    the same time.

    Frontpage contains URL parsers for dynamic components (shtml.exe/dll)
    If a malicious user issues a request for /_vti_bin/shtml.exe where
    the URL for the dynamic contents is replaced with a long URL, the
    submodule will filter out the URL, and return a null value to the
    web service URL parser. An example string would be 35K of ascii 300.
    This will cause an access violation and Inetinfo.exe will be shut
    down. Due to the nature of the crash, we do not feel that it is
    exploitable beyond the point of a Denial of Service.

    Although servers are supposed to restart the service with "iisreset",
    this only works a few times (if any), and the service is crashed
    until an admin manually restarts the service or reboots the server.

    Vendor URL:
    ===========
    You can visit the vendors webpage here: http://www.microsoft.com

    Vendor response:
    ================
    The vendor was contacted on the 4th of February, 2002. On the 9th
    of April we received a private hotfix, which corrected the issue.
    On the 10th of April, the vendor released a public bulletin.

    Corrective action:
    ==================
    The vendor has released a patched w3svc.dll, which is included in
    the security rollup package MS02-018, available here:
    http://www.microsoft.com/technet/security/bulletin/ms02-018.asp

    Author: Peter Gründl (pgrundlkpmg.dk)

    --------------------------------------------------------------------
    KPMG is not responsible for the misuse of the information we provide
    through our security advisories. These advisories are a service to
    the professional security community. In no event shall KPMG be lia-
    ble for any consequences whatsoever arising out of or in connection
    with the use or spread of this information.
    --------------------------------------------------------------------