 
From: Mark E (mjeWIN2000MAG.COM)
Date: Wed Apr 10 2002 - 12:07:50 CDT


    SUMMARY OF
       Microsoft Security Bulletin MS02-018

    SEE WEB SITE FOR COMPLETE BULLETIN DETAILS
    http://www.microsoft.com/technet/security/bulletin/MS02-018.asp

      Cumulative Patch for Internet Information Services
      (Q319733)

      Originally posted: April 10, 2002

      Summary

    Who should read this bulletin: Customers hosting web servers
    using Microsoft® Windows NT® 4.0, Windows® 2000, or Windows
    XP.

    Impact of vulnerability: Ten new vulnerabilities, the most serious of
    which could enable code of an attacker’s choice to be run on a
    server.

    Recommendation: Customers using any of the affected products
    should install the patch immediately.

           Maximum Severity Rating: Critical

           Affected Software:

                Microsoft Internet Information Server 4.0
                Microsoft Internet Information Services 5.0
                Microsoft Internet Information Services 5.1

    Note: Beta versions of .NET Server after Build 3605 contain fixes
    for all of the vulnerabilities affecting IIS 6.0. As discussed in the
    FAQ, Microsoft is working directly with the small number of
    customers who are using the .NET Server beta version in
    production environments to provide immediate remediation for
    them.

      Technical details

           Technical description:

    This patch is a cumulative patch that includes the functionality of
    all security patches released for IIS 4.0 since Windows NT 4.0
    Service Pack 6a, and all security patches released to date for IIS
    5.0 and 5.1. A complete listing of the patches superseded by this
    patch is provided below, in the section titled "Additional information
    about this patch". Before applying the patch, system
    administrators should take note of the caveats discussed in the
    same section.

    In addition to including previously released security patches, this
    patch also includes fixes for the following newly discovered security
    vulnerabilities affecting IIS 4.0, 5.0 and/or 5.1:

    A buffer overrun vulnerability involving the operation of the chunked
    encoding transfer mechanism via Active Server Pages in IIS 4.0
    and 5.0. An attacker who exploited this vulnerability could overrun
    heap memory on the system, with the result of either causing the
    IIS service to fail or allowing code to be run on the server.

    A Microsoft-discovered vulnerability that is related to the preceding
    one, but which lies elsewhere within the ASP data transfer
    mechanism. It could be exploited in a similar manner as the
    preceding vulnerability, and would have the same scope. However,
    it affects IIS 4.0, 5.0, and 5.1.

    A buffer overrun involving how IIS 4.0, 5.0 and 5.1 process HTTP
    header information in certain cases. IIS performs a safety check
    prior to parsing the fields in HTTP headers, to ensure that expected
    delimiter fields are present and in reasonable places. However, it is
    possible to spoof the check, and convince IIS that the delimiters
    are present even when they are not. This flaw could enable an
    attacker to create a URL whose HTTP header field values would
    overrun a buffer used to process them.
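The two descriptions above come down to the same defensive rule: validate the structure of attacker-supplied framing (header delimiters, chunk sizes) before any buffer is sized or any field is parsed from it. The following is an added example, not code from the bulletin or from Microsoft, showing a strict HTTP/1.x request parser that refuses a header block whose CRLF and ':' delimiters are not genuinely present, and a chunked-body decoder that bounds every client-declared chunk size before using it. The size limits and the sample requests are constructed assumptions for the example.

```python
"""Strict HTTP/1.x request parsing with bounded chunked-body decoding.

Added example, not code from the bulletin or from Microsoft.  The limits
below are assumptions chosen for the example, not IIS settings.
"""
import string

MAX_HEADER_BYTES = 8 * 1024    # assumption: cap on the whole header block
MAX_CHUNK_BYTES = 64 * 1024    # assumption: largest single chunk accepted
MAX_BODY_BYTES = 1024 * 1024   # assumption: largest decoded body accepted


class MalformedRequest(ValueError):
    """A structural check failed; the caller should reject the request outright."""


def parse_headers(raw: bytes):
    """Validate delimiters first, then split the request line and header fields.

    Returns (method, target, version, headers, body_bytes).
    """
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise MalformedRequest("header block is not terminated by CRLF CRLF")
    if end > MAX_HEADER_BYTES:
        raise MalformedRequest("header block exceeds size limit")
    block, body = raw[:end], raw[end + 4:]
    lines = block.split(b"\r\n")
    # A bare CR or LF means only part of the delimiter check is satisfied;
    # do not guess where the field boundary was meant to be.
    if any(b"\r" in line or b"\n" in line for line in lines):
        raise MalformedRequest("bare CR or LF inside header block")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        raise MalformedRequest("request line is not 'METHOD target HTTP/1.x'")
    headers = {}
    try:
        method, target, version = (p.decode("ascii") for p in parts)
        for line in lines[1:]:
            name, sep, value = line.partition(b":")
            # Every field needs its ':' delimiter and a non-empty name.
            if not sep or not name.strip():
                raise MalformedRequest("header field without ':' delimiter")
            headers[name.strip().decode("ascii").lower()] = value.strip().decode("ascii")
    except UnicodeDecodeError:
        raise MalformedRequest("non-ASCII byte in request line or header") from None
    return method, target, version, headers, body


def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked body, checking every declared size before it is used."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise MalformedRequest("chunk-size line is not terminated")
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        # Plain hex digits only: int(x, 16) by itself would also accept '0x', '+' and '-'.
        if (not size_field or len(size_field) > 8
                or not all(chr(c) in string.hexdigits for c in size_field)):
            raise MalformedRequest("invalid chunk-size field")
        size = int(size_field, 16)
        if size > MAX_CHUNK_BYTES:
            raise MalformedRequest("chunk larger than allowed")
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last-chunk; any trailer fields are ignored here
        if len(out) + size > MAX_BODY_BYTES:
            raise MalformedRequest("decoded body exceeds limit")
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise MalformedRequest("chunk data truncated or not followed by CRLF")
        out += chunk
        pos += size + 2


def parse_request(raw: bytes) -> dict:
    """Parse a whole request; a chunked body is decoded with the bounds above."""
    method, target, version, headers, body = parse_headers(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = decode_chunked(body)
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def classify(raw: bytes) -> str:
    """'ok' when the request passes every check, otherwise the rejection reason."""
    try:
        parse_request(raw)
        return "ok"
    except MalformedRequest as exc:
        return str(exc)


# Constructed sample requests for the example; not captured traffic.
GOOD_CHUNKED = (b"POST /app/page.asp HTTP/1.1\r\nHost: example.test\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n"
                b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n")
HUGE_CHUNK = (b"POST /app/page.asp HTTP/1.1\r\nHost: example.test\r\n"
              b"Transfer-Encoding: chunked\r\n\r\nFFFFFFFF\r\nxx\r\n")
BARE_LF_HEADER = b"GET /index.htm HTTP/1.0\r\nHost: example.test\nX-A: b\r\n\r\n"
```

Running `classify()` over the three samples gives "ok" for the first, "chunk larger than allowed" for the second (the declared size is checked against a limit before any allocation or copy), and "bare CR or LF inside header block" for the third (the delimiter check is not satisfied by a partial match). The design point is that every rejection happens before the offending value is used, which is what the bulletin's "spoofed" safety checks failed to guarantee.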

    A Microsoft-discovered buffer overrun vulnerability in IIS 4.0, 5.0 and
    5.1 that results from an error in a safety check that is performed
    during server-side includes. In some cases, a user request for a
    web page is properly processed by including the file into an ASP
    script and processing it. Prior to processing the include request,
    IIS performs an operation on the user-specified file name, designed
    to ensure that the file name is valid and sized appropriately to fit in
    a static buffer. However, in some cases it could be possible to
    provide a bogus, extremely long file name in a way that would pass
    the safety check, thereby resulting in a buffer overrun.

    A buffer overrun affecting the HTR ISAPI extension in IIS 4.0 and
    5.0. By sending a series of specially malformed HTR requests, it
    could be possible to either cause the IIS service to fail or, under a
    very difficult operational scenario, to cause code to run on the
    server.

    A denial of service vulnerability involving the way IIS 4.0, 5.0, and
    5.1 handle an error condition from ISAPI filters. At least one ISAPI
    filter (which ships as part of FrontPage Server Extensions and
    ASP.NET), and possibly others, generate an error when a request
    is received containing a URL that exceeds the maximum length
    set by the filter. In processing this error, the filter replaces the URL
    with a null value. A flaw results because IIS attempts to process
    the URL in the course of sending the error message back to the
    requester, resulting in an access violation that causes the IIS
    service to fail.

    A denial of service vulnerability involving the way the FTP service in
    IIS 4.0, 5.0 and 5.1 handles a request for the status of the current
    FTP session. If an attacker were able to establish an FTP session
    with an affected server, and levied a status request that created a
    particular error condition, a flaw in the FTP code would prevent it
    from correctly reporting the error. Other code within the FTP service
    would then attempt to use uninitialized data, with an access
    violation as the result. This would result in the disruption of not only
    FTP services, but also of web services.

    A trio of Cross-Site Scripting (CSS) vulnerabilities affecting IIS 4.0,
    5.0 and 5.1: one involving the results page that’s returned when
    searching the IIS Help Files, one involving HTTP error pages; and
    one involving the error message that’s returned to advise that a
    requested URL has been redirected. All of these vulnerabilities have
    the same scope and effect: an attacker who was able to lure a user
    into clicking a link on his web site could relay a request containing
    script to a third-party web site running IIS, thereby causing the third-
    party site’s response (still including the script) to be sent to the
    user. The script would then render using the security settings of
    the third-party site rather than the attacker’s.
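All three cross-site scripting issues share one root cause: a request-supplied string (a search query, a requested URL) is written back into an HTML response without encoding. The following is an added example, not code from the bulletin or from IIS, showing the vulnerable shape beside the hardened one for a help-search results page and an HTTP error page. The page layouts and the sample query are constructed assumptions.

```python
"""Reflecting a search query or requested URL safely in an HTML response.

Added example, not code from the bulletin or from IIS.  The 'unsafe' function
has the shape of the flaw the bulletin describes; the hardened functions
HTML-escape every request-supplied string before inserting it.
"""
import html

# Constructed query for the example: markup that must not come back live.
SAMPLE_QUERY = "<script>alert(1)</script>"


def render_search_results_unsafe(query: str, hits) -> str:
    """Vulnerable form: the query is echoed into the page without encoding."""
    items = "".join(f"<li>{h}</li>" for h in hits)
    return f"<html><body><h1>Results for {query}</h1><ul>{items}</ul></body></html>"


def render_search_results(query: str, hits) -> str:
    """Hardened form: html.escape() turns <, >, &, ' and \" into entities."""
    safe_query = html.escape(query, quote=True)
    items = "".join(f"<li>{html.escape(h, quote=True)}</li>" for h in hits)
    return f"<html><body><h1>Results for {safe_query}</h1><ul>{items}</ul></body></html>"


def render_error_page(status: int, reason: str, requested_url: str) -> str:
    """Error page that mentions the requested URL; the same escaping applies."""
    return (f"<html><head><title>{status} {reason}</title></head><body>"
            f"<h1>{status} {reason}</h1>"
            f"<p>The resource {html.escape(requested_url, quote=True)} "
            "could not be served.</p></body></html>")


def reflects_verbatim(page: str, supplied: str) -> bool:
    """True when the supplied string survives unchanged, i.e. it would render as markup."""
    return supplied in page
```

With the sample query, `render_search_results_unsafe()` returns a page in which the `<script>` element is intact and would execute in the origin of the site that served it, which is the effect the bulletin describes; `render_search_results()` returns it as `&lt;script&gt;...` text. The same check applied to `render_error_page()` covers the error-page and redirect-message cases, since a requested URL is request-supplied data just as a query is.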

           Mitigating factors:
           Buffer overrun in Chunked Encoding transfer:

    On default installations of IIS 5.0 and 5.1, exploiting the
    vulnerability to run code would grant the attacker the privileges of
    the IWAM_computername account, which has only the privileges
    commensurate with those of an interactively logged-on unprivileged
    user.

    The vulnerability requires that Active Server Pages (ASP) be
    enabled on the system in order to be exploited. Version 1.0 of the
    IIS Lockdown Tool removes ASP by default, and the current version
    (version 2.1) removes it by default if Static Web Server has been
    selected.

    The URLScan tool can be configured to prevent chunked encoding
    requests. If this has been done, the vulnerability could not be
    exploited.

           Microsoft-discovered variant of Chunked Encoding buffer overrun:

    This vulnerability is subject to exactly the same mitigating factors
    as the buffer overrun in the Chunked Encoding transfer, with one
    exception. The URLScan tool could not be used to protect against
    the vulnerability.

           Buffer Overrun in HTTP header handling:

    On default installations of IIS 5.0 and 5.1, exploiting the
    vulnerability to run code would grant the attacker the privileges of
    the IWAM_computername account, which has only the privileges
    commensurate with those of an interactively logged-on unprivileged
    user. The vulnerability requires that Active Server Pages (ASP) be
    enabled on the system in order to be exploited. Version 1.0 of the
    IIS Lockdown Tool removes ASP by default, and the current version
    (version 2.1) removes it by default if Static Web Server has been
    selected. The URLScan tool’s default ruleset would likely limit the
    attacker to using this vulnerability for denial of service attacks only.

           Buffer Overrun in ASP Server-Side Include Function:

    On default installations of IIS 5.0 and 5.1, exploiting the
    vulnerability to run code would grant the attacker the privileges of
    the IWAM_computername account, which has only the privileges
    commensurate with those of an interactively logged-on user. The
    vulnerability requires that Active Server Pages (ASP) be enabled on
    the system in order to be exploited. Version 1.0 of the IIS
    Lockdown Tool removes ASP by default, and the current version
    (version 2.1) removes it by default if Static Web Server has been
    selected. The URLScan tool’s default ruleset would likely limit the
    attacker to using this vulnerability for denial of service attacks only.

           Buffer overrun in HTR ISAPI extension:

    Microsoft has long recommended disabling the HTR ISAPI
    extension. Systems on which this has been done would be at no
    risk from the vulnerability. (All versions of the IIS Lockdown Tool
    disable HTR support by default). The URLScan tool, if using its
    default ruleset, would prevent this vulnerability from being exploited
    to run code on the server even if HTR support was enabled. The
    vulnerability could only be used to run code on the server if the
    attacker knew the locations of certain information in memory. In
    practice, the most likely such situation would occur if the web
    server had never served any web content since being rebooted. In
    all other cases, it would only be possible to use the vulnerability for
    denial of service attacks. On default installations of IIS 5.0 and 5.1,
    exploiting the vulnerability to run code would grant the attacker the
    privileges of the IWAM_computername account, which has only the
    privileges commensurate with those of an interactively logged-on
    user. If the vulnerability were used in a denial of service attack,
    normal operation could be restored on an IIS 4.0 server by
    restarting the IIS service; on IIS 5.0 and higher, the service would
    automatically restart itself.
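The mitigating factors for the chunked-encoding and HTR issues both point at URLScan: it can be configured to refuse chunked requests, and its default ruleset already refuses .htr requests. As an added illustration (not text from the bulletin and not Microsoft's shipped URLScan.ini), the fragment below shows the two relevant sections. The section names and the logging option are those URLScan uses; the specific entries are assumptions for the example and belong merged into an existing URLScan.ini rather than in place of it.

```ini
[Options]
; Use the DenyExtensions list below rather than an allow-list of extensions.
UseAllowExtensions=0
; Keep URLScan's own log so that rejected requests are visible to operators.
EnableLogging=1

[DenyExtensions]
; Requests for these extensions are rejected before the ISAPI extension sees them.
.htr

[DenyHeaders]
; Requests carrying any of these headers are rejected outright.  Denying
; Transfer-Encoding is how chunked requests are refused.  Legitimate clients
; that upload chunked bodies to this server will be refused too, so test
; the change before deploying it.
Transfer-Encoding:
```

Two caveats follow from the bulletin's own text: the header rule does not protect against the Microsoft-discovered variant (CAN-2002-0147), and the URLScan ruleset only limits the other overruns to denial of service rather than preventing them, so this configuration is a stopgap alongside the patch, not a replacement for it.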

           Access violation in URL error handling:

    An IIS 4.0 server could be put back into normal operation by
    restarting the service. An IIS 5.0 or 5.1 server would automatically
    restart the service. The vulnerability could only be used for denial of
    service attacks. There is no capability to use the vulnerability to
    gain privileges on the system. The sole ISAPI filter known to
    generate the error that results in the access violation ships only as
    part of FrontPage Server Extensions and ASP.NET. ASP.NET is
    not installed by default, and FPSE can be uninstalled if desired.

           Denial of service via FTP Status request:

    The IIS Lockdown Tool disables FTP support by default. An IIS 4.0
    server could be put back into normal operation by restarting the
    service. An IIS 5.0 or 5.1 server would automatically restart the
    service. The vulnerability could only be used for denial of service
    attacks. There is no capability to use the vulnerability to gain
    privileges on the system.

           Cross-site Scripting in IIS Help File search facility, HTTP Error
           Page, and Redirect Response message:

    The vulnerabilities could only be exploited if the attacker could
    entice another user into visiting a web page and clicking a link on
    it, or opening an HTML mail. The Redirect Response vulnerability
    could only be exploited if the user was running a browser other
    than Internet Explorer. IE does not actually render the text in the
    Redirect Response, but instead recognizes it by its response
    header and processes the redirect without displaying any text.

    The above assessment is based on the types of systems affected
    by the vulnerability, their typical deployment patterns, and the
    effect that exploiting the vulnerability would have on them.

           Vulnerability identifiers:

                Buffer overrun in Chunked Encoding mechanism: CAN-2002-0079
                Microsoft-discovered variant of Chunked Encoding buffer overrun: CAN-2002-0147
                Buffer Overrun in HTTP Header handling: CAN-2002-0150
                Buffer Overrun in ASP Server-Side Include Function: CAN-2002-0149
                Buffer overrun in HTR ISAPI extension: CAN-2002-0071
                Access violation in URL error handling: CAN-2002-0072
                Denial of service via FTP status request: CAN-2002-0073
                Cross-site Scripting in IIS Help File search facility: CAN-2002-0074
                Cross-site Scripting in HTTP Error Page: CAN-2002-0148
                Cross-site Scripting in Redirect Response message: CAN-2002-0075

           Revisions:

                V1.0 (April 10, 2002): Bulletin Created.

    _____________________________________________________________________
    ** TO UNSUBSCRIBE DO NOT REPLY TO THIS MESSAGE!

    ** SEND ALL COMMANDS TO: LISTSERVLISTSERV.NTSECURITY.NET
    ** TO UNSUBSCRIBE, send the command "unsubscribe win2ksecadvice"
    ** FOR A WEEKLY DIGEST, send the command "set win2ksecadvice DIGEST"