OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: researchteam5esecurityonline.com
Date: Mon Apr 29 2002 - 15:09:15 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    eSO Security Advisory: 3595
    Discovery Date: April 30, 2001
    ID: eSO:3595
    Title: Microsoft Internet Information Server denial
                            of service vulnerabilities
    Impact: Remote attackers can cause a denial of service
                            condition
    Affected Technology: Microsoft IIS 5.0
                            Microsoft Windows 2000 Server
                            Microsoft Windows 2000 Server SP1
                            Microsoft Windows 2000 Server SP2
                            Microsoft Windows 2000 Advanced Server
                            Microsoft Windows 2000 Advanced Server SP1
                            Microsoft Windows 2000 Advanced Server SP2
    Vendor Status: Patches are available (MS01-026)
    Discovered By: Kevin Kotas of the eSecurityOnline Research
                            and Development Team
    CVE Reference: CVE-2001-0336, CAN-2001-0337

    Advisory Location:
    http://www.eSecurityOnline.com/advisories/eSO3595.asp

    Description:
    Microsoft Internet Information Server is vulnerable to flaws that
    allow a remote attacker to cause a denial of service condition. The
    first problem is related to the way the web server handles character
    processing requests to a certain application mapping. A special
    request can be sent to the web server, which will cause 100% CPU
    utilization and effectively prevent web server response to all
    incoming requests. The second issue involves a memory leak that can
    occur when processing a particular type of HTTP request. As a result
    of the memory leak, the server will eventually stop responding to
    requests.

    Technical Recommendation:
    Upgrade with the latest available patch.

    Microsoft Internet Information Server 4.0:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787

    Microsoft Internet Information Server 5.0:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764

    Vendor Advisory:
    MS01-026

    Acknowledgements:
    eSecurityOnline would like to thank Microsoft security for their
    cooperation in resolving the issue.

    Copyright 2002 eSecurityOnline LLC. All rights reserved.

    THE INFORMATION IN THIS VULNERABILITY ALERT IS PROVIDED BY
    ESECURITYONLINE LLC "AS IS", "WHERE IS", WITH NO WARRANTY OF ANY KIND,
    AND ESECURITYONLINE LLC HEREBY DISCLAIMS THE IMPLIED WARRANTIES OF
    NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    PURPOSE. ESECURITYONLINE LLC SHALL HAVE NO LIABILITY FOR ANY DAMAGE,
    CLAIM OR LOSS RESULTING FROM YOUR USE OF THE INFORMATION CONTAINED IN
    THIS VULNERABILITY ALERT.