____________________________________________________________
\
/   Scott Fosseen - Systems Engineer - Arrowhead AEA 5
\   www.aea5.k12.ia.us/aeaphone.nsf/Web/FosseenScott
/____________________________________________________________
----- Original Message -----
From: "X-Force" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 10, 2002 7:11 PM
Subject: ISSalert: ISS Alert: Multiple Remote Vulnerabilities in Microsoft IIS


> -----BEGIN PGP SIGNED MESSAGE-----
>
> Internet Security Systems Security Alert
> April 10, 2002
>
> Multiple Remote Vulnerabilities in Microsoft IIS
>
> Synopsis:
>
> ISS X-Force has learned that Microsoft Internet Information Server (IIS)
> is affected by ten new remote vulnerabilities. These vulnerabilities
> vary in severity from mild to critical. A remote attacker may exploit
> one or more of these vulnerabilities to cause a target Web server to
> crash, execute arbitrary commands on the server, or gain complete
> control of a target IIS server.
>
> Affected Versions:
>
> Microsoft Internet Information Server 4.0
> Microsoft Internet Information Server 5.0
> Microsoft Internet Information Server 5.1
>
> Note:  IIS 6.0 Beta build 3605 and earlier are also affected.
>
> Description:
>
> Microsoft released a Security Bulletin on April 10, 2002 detailing new
> cumulative patches for IIS 4.0, 5.0, and 5.1. These patches contain all
> previous security patches for each version as well as patches for ten
> new vulnerabilities.
>
> Heap Buffer overflow in ASP chunked encoding routines
> (CAN-2002-0079)
>
> ASP (Active Server Pages) is enabled on all IIS installations by
> default. ASP is used to dynamically generate HTML pages on the server
> and deliver them to a client. IIS improperly handles specially-crafted
> chunked encoding queries to ASP pages. Chunked encoding is used in
> situations when a client supplies the server with a variable amount of
> information. If the client supplies data using chunked encoding, the
> server dynamically allocates memory according to the size of each
> incoming chunk. IIS improperly adds the sizes of these allocated chunks,
> which may overwrite memory. Successful exploitation of this
> vulnerability may crash a vulnerable server, allowing remote attackers
> to execute arbitrary commands on the server with IWAM_computername
> privileges. This account is equivalent to an unprivileged normal user.
> This vulnerability affects IIS versions 4.0 and 5.0.
>
> Buffer overflow within the ASP data transfer mechanism
> (CAN-2002-0147)
>
> This vulnerability is similar to the previous vulnerability and affects
> IIS versions 4.0, 5.0, and 5.1.
>
> Buffer overflow in IIS HTTP header delimiter parsing
> (CAN-2002-0150)
>
> It may be possible for remote attackers to create a special request to
> bypass IIS delimiter parsing. IIS 4.0, 5.0, and 5.1 may incorrectly
> parse this request and overflow a buffer, which may lead to a denial of
> service attack or the ability to execute arbitrary code on the target
> server with IWAM_computername privileges.
>
> Buffer overflow in IIS ASP Server-Side Include routines
> (CAN-2002-0149)
>
> ASP scripts sometimes process external files in order to function
> correctly. If an attacker sends a specific query to an overly long
> filename, this name may be processed within the ASP script as a server-
> side include (SSI). A buffer overflow may be triggered if the length of
> the filename is longer than the static buffer within the SSI routine.
> This vulnerability affects IIS 4.0, 5.0, and 5.1. Successful
> exploitation of this vulnerability may crash the server or allow an
> attacker to execute arbitrary code on the target server with
> IWAM_computername privileges.
>
>
> Buffer overflow in the HTR ISAPI extension
> (CAN-2002-0071)
>
> HTR was the predecessor to ASP and is considered a legacy technology.
> HTR remains in use today to handle password management in IIS. It may be
> possible for an attacker to send a malformed HTR request to a vulnerable
> IIS 4.0 or 5.0 server to cause a denial of service attack. An attacker
> may also use this vulnerability to run arbitrary commands with
> IWAM_computername privileges. HTR files need not be present on the
> server for attackers to exploit this vulnerability.
>
> Denial of service caused by improper handling of error conditions in
> ISAPI filters
> (CAN-2002-0072)
>
> If vulnerable ISAPI filters within IIS 4.0, 5.0, and 5.1 receive a URL
> of an illegal length, IIS will improperly rewrite the URL with a null
> value and attempt to send the error back to the client that requested
> the URL. Before the request is sent, IIS attempts to operate on the null
> value, which causes a fault that crashes the server.
>
> Denial of service in the IIS 4.0, 5.0 and 5.1 FTP (File Transfer
> Protocol) service
> (CAN-2002-0073)
>
> IIS improperly handles specially-crafted status requests on current FTP
> sessions. When an attacker sends this type of request to an IIS server,
> it may lead to improper access of uninitialized memory, which may result
> in a denial of service to FTP and Web services.
>
> Cross-Site Scripting (CSS) vulnerabilities present in IIS 4.0, 5.0 and
> 5.1
> (CAN-2002-0074)
> (CAN-2002-0148)
> (CAN-2002-0075)
>
> CSS vulnerabilities rely on the ability of an attacker to lure users to
> their rogue Web servers. When a user visits a specific page on a rogue
> Web server, the request for the URL is relayed to a third-party site
> using active scripting. If this third-party site is trusted by the user,
> the attacker's Web site is trusted just like the third-party site,
> inheriting the same level of privilege. IIS contains CSS
> vulnerabilities when searching IIS help files, viewing HTTP error pages,
> and notifying a user when a request has been redirected.
>
> Recommendations:
>
> X-Force recommends that all affected IIS customers apply the following
> Microsoft supplied patches immediately:
>
> Microsoft IIS 4.0:
> http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37931
> Microsoft IIS 5.0:
> http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37824
> Microsoft IIS 5.1:
> http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37857
>
> RealSecure Network Sensor may trigger several signatures in response to
> the IIS attacks described in this advisory. RealSecure Network Sensor
> administrators should closely examine the following events if they are
> detected by RealSecure. The list below details the signatures and their
> corresponding vulnerabilities.
>
> HTTP_NCSA_BufferOverflow
> (CAN-2002-0147)
>
> HTTP_NCSA_BufferOverflow
> HTTP_Netscape_Method_Overflow
> (CAN-2002-0149)
>
> HTTP_NCSA_BufferOverflow
> (CAN-2002-0071)
>
> HTTP_Netscape_Method_Overflow
> (CAN-2002-0072)
>
> FTP_Glob_Expansion
> (CAN-2002-0073)
>
> BlackICE products currently detect potential exploitation of three of
> the vulnerabilities described in this advisory. BlackICE users and
> administrators should closely examine the following events if they are
> detected by BlackICE:
>
> FTP Command line overflow
> (CAN-2002-0073)
>
> HTTP URL overflow
> (CAN-2002-0149)
>
> IIS malformed .HTR request
> (CAN-2002-0071)
>
> Additional detection support will be added in a future update for
> BlackICE products.
>
> Internet Scanner X-Press Update 6.8 includes a check, IisMs02018Patch,
> to detect the installation of the patch for the vulnerabilities
> described in this advisory. XPU 6.8 is available from the ISS Download
> Center at: http://www.iss.net/download. For questions about downloading
> and installing this XPU, email [EMAIL PROTECTED]
>
> Detection support for these attacks will be included in future X-Press
> Updates for RealSecure Network Sensor and RealSecure Server Sensor.
> These XPUs will be available from the ISS Download Center, and this
> alert will be updated when these updates become available.
>
> ______
>
> About Internet Security Systems (ISS)
> Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
> pioneer and world leader in software and services that protect critical
> online resources from an ever-changing spectrum of threats and misuse.
> Internet Security Systems is headquartered in Atlanta, GA, with
> additional operations throughout the Americas, Asia, Australia, Europe
> and the Middle East.
>
> Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
> worldwide.
>
> Permission is hereby granted for the electronic redistribution of this
> document. It is not to be edited or altered in any way without the
> express written consent of the Internet Security Systems X-Force. If you
> wish to reprint the whole or any part of this document in any other
> medium excluding electronic media, please email [EMAIL PROTECTED] for
> permission.
>
> Disclaimer: The information within this paper may change without notice.
> Use of this information constitutes acceptance for use in an AS IS
> condition. There are NO warranties, implied or otherwise, with regard to
> this information or its use. Any use of this information is at the
> user's risk. In no event shall the author/distributor (Internet Security
> Systems X-Force) be held liable for any damages whatsoever arising out
> of or in connection with the use or spread of this information.
>
> X-Force PGP Key available on MIT's PGP key server and PGP.com's key
> server, as well as at http://www.iss.net/security_center/sensitive.php
>
> Please send suggestions, updates, and comments to: X-Force
> [EMAIL PROTECTED] of Internet Security Systems, Inc.
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> iQCVAwUBPLTUcjRfJiV99eG9AQHAXAP/bZAmOetnSGZ2EdIaX8UzWgj6wrdiMAp6
> 6m36F8ABJEXR3K9pRbX7P3qYs8fUkwHQtGi6WXhW4N/5Q7K8XBRqosT6gxa0Uu32
> HeENRPb3oNJoQkZoCqjBiIn09qgMeFF9dMWeowneJu30Cz0+4SWl60dpbU+tPLmd
> PAhqVshkH14=
> =qtZH
> -----END PGP SIGNATURE-----
>
>
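
The advisory's description of chunked encoding (CAN-2002-0079) comes down to size arithmetic on client-supplied chunk lengths. The following is an added example, not code from ISS, Microsoft, or this message: a strict chunked-body decoder that checks each declared size and the running total before copying. The names dechunk, parse_size and MAX_BODY are hypothetical, the sample body is constructed, and chunk extensions and trailers are deliberately not accepted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BODY 4096u /* assumed per-request cap; not an IIS setting */

/* Parse hex chunk-size digits. Returns digits consumed, 0 on error or overflow. */
static size_t parse_size(const char *p, size_t n, size_t *out) {
    size_t v = 0, i = 0;
    for (; i < n; i++) {
        char c = p[i]; int d;
        if (c >= '0' && c <= '9') d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else break;
        if (v > (SIZE_MAX >> 4)) return 0;   /* next shift would wrap */
        v = (v << 4) | (size_t)d;
    }
    *out = v;
    return i;
}

/* Decode a chunked body into out[cap]. Returns decoded length, or -1 on any violation. */
long dechunk(const char *in, size_t n, char *out, size_t cap) {
    size_t pos = 0, total = 0;
    if (cap > MAX_BODY) cap = MAX_BODY;
    for (;;) {
        size_t sz = 0, used = parse_size(in + pos, n - pos, &sz);
        if (used == 0) return -1;                         /* no digits, or size overflow */
        pos += used;
        if (n - pos < 2 || memcmp(in + pos, "\r\n", 2) != 0) return -1;
        pos += 2;
        if (sz == 0) return (long)total;                  /* last-chunk reached */
        if (sz > cap - total) return -1;                  /* compare without adding: cannot wrap */
        if (sz > n - pos || n - pos - sz < 2) return -1;  /* declared more than received */
        memcpy(out + total, in + pos, sz);
        total += sz; pos += sz;
        if (memcmp(in + pos, "\r\n", 2) != 0) return -1;  /* chunk data must end in CRLF */
        pos += 2;
    }
}

int main(void) {
    const char body[] = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"; /* constructed sample */
    char out[16];
    printf("%ld\n", dechunk(body, sizeof body - 1, out, sizeof out));
    return 0;
}
```

The key line is the `sz > cap - total` comparison: it bounds the running total by subtraction, so a large declared size is rejected instead of being added to an accumulator that could wrap.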

---------------------------------------------------------
Archived messages from this list can be found at:
http://www.mail-archive.com/tech-cord@aea5.k12.ia.us/
---------------------------------------------------------
