The following is a Security Bulletin from the Microsoft Product Security Notification Service. Please do not reply to this message, as it was sent from an unattended mailbox.

********************************

----------------------------------------------------------------------
Title:      Superfluous Decoding Operation Could Allow Command Execution via IIS
Date:       May 14, 2001
Software:   IIS 4.0 and 5.0
Impact:     Three vulnerabilities: code execution, denial of service, information disclosure.
Bulletin:   MS01-026

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-026.asp
----------------------------------------------------------------------

Issue:
======
This patch is a cumulative patch that includes the functionality of all security patches released to date for IIS 5.0, and all patches released for IIS 4.0 since Windows NT(r) 4.0 Service Pack 5. A complete listing of the patches superseded by this patch is provided in the web-hosted security bulletin, in the section titled "Additional information about this patch". Before applying the patch, system administrators should take note of the caveats discussed in the same section.

The patch also eliminates three newly discovered vulnerabilities:

- A vulnerability that could enable an attacker to run operating system commands on an affected server. When IIS receives a user request to run a script or other server-side program, it performs a decoding pass to render the request in a canonical form, then performs security checks on the decoded request. A vulnerability results because a second, superfluous decoding pass is performed after the security checks are completed.
  If an attacker submitted a specially constructed request, it could be possible for the request to pass the security checks, but then be mapped via the second decoding pass into one that should have been blocked -- specifically, it could enable the request to execute operating system commands or programs outside the virtual folder structure. These would be executed in the security context of the IUSR_machinename account which, by virtue of its membership in the Everyone group, would grant the attacker capabilities similar to those of a non-administrative user interactively logged on at the console.

- A vulnerability that could enable denial of service attacks against the FTP service. A function that processes wildcard sequences in FTP commands doesn't always allocate sufficient memory when performing pattern matching. Under unusual circumstances, it could be possible for an attacker to levy an FTP command containing a wildcard sequence that, when expanded, would overrun the allocated memory and cause an access violation. This would cause the IIS service (which provides both the web and FTP functionality) to fail. As a result, all web or FTP sessions in progress at the time would be severed, and no new sessions could be established until the IIS service was restarted. In IIS 5.0, the service would restart automatically. In IIS 4.0, operator intervention would be required to restart the service.

- A vulnerability that could make it easier for an attacker to find Guest accounts that had been inadvertently exposed via FTP. By design, if a user wishes to log onto an FTP server using a domain user account, rather than a local one, he should be required to precede it with the name of the domain. However, if an attacker preceded an account name with a particular set of characters, the FTP service would search the domain, and all trusted domains, for the user account.
  The account would need to be enabled, and the attacker would still need to know the correct password in order to log into the account. For all practical purposes, this would limit the attacker to attacking the Guest account, as it is the only account with both a well-known account name and a well-known default password.

The patch also corrects errors in three previous patches:

- The patch originally provided in Microsoft Security Bulletin MS00-060 successfully eliminated the vulnerability at issue there, but created an opportunity to cause the server to expend an inordinate amount of time processing a particular type of invalid request.

- The patches originally provided in Microsoft Security Bulletins MS01-014 and MS01-016 (which superseded MS01-014) successfully eliminated the vulnerabilities at issue there, but created a potential denial of service condition via a memory leak.

Mitigating Factors:
====================
IIS vulnerability:

- The vulnerability does not provide a way for the attacker to learn the folder structure on the server. As a result, if the operating system were installed on a separate drive from the web root or in non-standard folders, it could prevent an attacker from locating programs of interest.

- The vulnerability does not provide administrative access to the server. If the recommendations in the IIS 4.0 and IIS 5.0 security checklists have been followed, sensitive programs will have been moved to folders that can only be accessed by the Administrator, and non-administrative access to server resources will have been severely restricted.

FTP denial of service vulnerability:

- The attacker would require the ability to start an FTP session in order to exploit the vulnerability.

FTP user account vulnerability:

- The vulnerability could only be exploited if the FTP server was a domain member. However, this is usually not appropriate for Internet-connected FTP servers.
- The vulnerability could only be exploited if the Guest account on the local machine was disabled, but the Guest account on a trusted domain was enabled. By default, the Guest account is disabled in both Windows NT 4.0 and Windows 2000.

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletin http://www.microsoft.com/technet/security/bulletin/ms01-026.asp for information on obtaining this patch.

Acknowledgment:
===============
- NSfocus (http://www.nsfocus.com) for reporting the vulnerability affecting IIS.
- Lukasz Luzar of Developers.of.PL and Aiden ORawe for reporting the FTP denial of service.
- Kevin Kotas of eSecurityOnline (http://www.esecurityonline.com) for reporting the problem in the fixes that were provided in MS00-060, MS01-014 and MS01-016.

---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
*******************************************************************
You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to [EMAIL PROTECTED] The subject line and message body are not used in processing the request, and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/technet/security/notify.asp.

For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.