Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: IIS :: n-011.txt

MS Cumulative Patch IIS (CIAC N-011)




             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

               Cumulative Patch for Internet Information Service
                     [Microsoft Security Bulletin MS02-062]

November 1, 2002 14:00 GMT                                        Number N-011
______________________________________________________________________________
PROBLEM:       This patch is a cumulative patch that includes the 
               functionality of all security patches released for IIS 4.0 
               since Windows NT 4.0 Service Pack 6a, and all security patches 
               released to date for IIS 5.0 and 5.1. 
SOFTWARE:      Microsoft Internet Information Server 4.0 
               Microsoft Internet Information Services 5.0 
               Microsoft Internet Information Services 5.1 
DAMAGE:        The most serious vulnerability of the four affected by this 
               patch is that it could enable applications on a server to gain 
               system-level privileges. 
SOLUTION:      Apply patch 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. To exploit any of these vulnerabilities
ASSESSMENT:    the attacker would need the ability to load and execute
               applications, or entice a user to visit a malicious web site 
               or open an HTML e-mail. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-011.shtml 
 ORIGINAL BULLETIN:                                                           
                     http://www.microsoft.com/technet/treeview/default.asp?
                        url=/technet/security/bulletin/MS02-062.asp 
 PATCHES:                                                                     
                     http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43566 
                     http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43296 
                     http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43578 
                     http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43602 
______________________________________________________________________________
[***** Start Microsoft Security Bulletin MS02-062 *****]


Microsoft Security Bulletin MS02-062  

Cumulative Patch for Internet Information Service (Q327696)
Originally posted: October 30, 2002


Summary

Who should read this bulletin: Customers hosting web servers using Microsoft® Windows 
NT® 4.0, Windows® 2000, or Windows XP. 

Impact of vulnerability: Four vulnerabilities, the most serious of which could enable 
applications on a server to gain system-level privileges. 

Maximum Severity Rating: Moderate 

Recommendation: Customers using IIS 4.0, 5.0 or 5.1 should consider applying the patch 

Affected Software: 

  Microsoft Internet Information Server 4.0 
  Microsoft Internet Information Services 5.0 
  Microsoft Internet Information Services 5.1 


Technical details

Technical description: 

This patch is a cumulative patch that includes the functionality of all security 
patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security 
patches released to date for IIS 5.0 and 5.1. A complete listing of the patches 
superseded by this patch is provided below, in the section titled “Additional 
information about this patch”. Before applying the patch, system administrators should 
take note of the caveats discussed in the same section. 

In addition to including previously released security patches, this patch also 
includes fixes for the following newly discovered security vulnerabilities affecting 
IIS 4.0, 5.0 and/or 5.1: 

A privilege elevation vulnerability affecting the way ISAPIs are launched when an IIS 
4.0, 5.0 or 5.1 server is configured to run them out of process. By design, the 
hosting process (dllhost.exe) should run only in the security context of the 
IWAM_computername account; however, it can actually be made to acquire LocalSystem 
privileges under certain circumstances, thereby enabling an ISAPI to do likewise.
 
A denial of service vulnerability that results because of a flaw in the way IIS 5.0 
and 5.1 allocate memory for WebDAV requests. If a WebDAV request were malformed in a 
particular way, IIS would allocate an extremely large amount of memory on the server. 
By sending several such requests, an attacker could cause the server to fail. 

A vulnerability involving the operation of the script source access permission in IIS 
5.0. This permission operates in addition to the normal read/write permissions for a 
virtual directory, and regulates whether scripts, .ASP files and executable file types 
can be uploaded to a write-enabled virtual directory. A typographical error in the 
table that defines the file types subject to this permission has the effect of 
omitting .COM files from the list of files subject to the permission. As a result, a 
user would need only write access to upload such a file. 

A pair of Cross-Site Scripting (CSS) vulnerabilities affecting IIS 4.0, 5.0 and 5.1, 
and involving administrative web page. Each of these vulnerabilities have the same 
scope and effect: an attacker who was able to lure a user into clicking a link on his 
web site could relay a request containing script to a third-party web site running 
IIS, thereby causing the third-party site’s response (still including the script) to 
be sent to the user. The script would then render using the security settings of the 
third-party site rather than the attacker’s. 

In addition, the patch causes 5.0 and 5.1 to change how frequently the socket backlog 
list – which, when all connections on a server are allocated, holds the list of 
pending connection requests – is purged. The patch changes IIS to purge the list more 
frequently in order to make it more resilient to flooding attacks. The backlog 
monitoring feature is not present in IIS 4.0. 


Mitigating factors:

Out of Process Privilege Elevation: 

This vulnerability could only be exploited by an attacker who already had the ability 
to load and execute applications on an affected web server. Normal security practices 
recommend that untrusted users not be allowed to load applications onto a server, and 
that even trusted users’ applications be scrutinized before allowing them to be 
loaded. 


WebDAV Denial of Service: 

The vulnerability does not affect IIS 4.0, as WebDAV is not supported in this version 
of IIS. 

The vulnerability could only be exploited if the server allowed WebDAV requests to be 
levied on it. The IIS Lockdown Tool, if deployed in its default configuration, 
disables such requests. 


Script Source Access Vulnerability: 

The vulnerability could only be exploited if the administrator had granted all users 
write and execute permissions to one or more virtual directories on the server. 
Default configurations of IIS would be at no risk from this vulnerability. 

The vulnerability does not affect IIS 4.0, as WebDAV is not supported in this version 
of IIS. 

The vulnerability could only be exploited if the server allowed WebDAV requests to be 
levied on it. The IIS Lockdown Tool, if deployed in its default configuration, 
disables such requests. 


Cross-site Scripting in IIS Administrative Pages: 

The vulnerabilities could only be exploited if the attacker could entice another user 
into visiting a web page and clicking a link on it, or opening an HTML mail. 

By default, the pages containing the vulnerability are restricted to local IP address. 
As a result, the vulnerability could only be exploited if the client itself were 
running IIS. 


Severity Rating:

Out of Process Privilege Elevation:  
                Internet Servers     Intranet Servers      Client Systems 
IIS 4.0            Moderate            Moderate               None 
IIS 5.0            Moderate            Moderate               None 
IIS 5.1            Moderate            Moderate               None 

WebDAV Denial of Service:  
                Internet Servers     Intranet Servers      Client Systems 
IIS 4.0            None                None                   None 
IIS 5.0            Moderate            Moderate               None 
IIS 5.1            Moderate            Moderate               None 

Script Source Access Vulnerability: 
                Internet Servers     Intranet Servers      Client Systems  
IIS 4.0            None                None                   None 
IIS 5.0            Low                 Low                    None 
IIS 5.1            None                None                   None 

Cross-site Scripting in IIS Administrative Pages:  
                Internet Servers     Intranet Servers      Client Systems 
IIS 4.0            None                None                   Low 
IIS 5.0            None                None                   Low 
IIS 5.1            None                None                   Low 

The above assessment is based on the types of systems affected by the vulnerability, 
their typical deployment patterns, and the effect that exploiting the vulnerability 
would have on them. 


Vulnerability identifier: 

  Out of Process Privilege Elevation: CAN-2002-0869 

  WebDAV Denial of Service: CAN-2002-1182 

  Script Source Access Vulnerability: CAN-2002-1180 

  Cross-site Scripting in IIS Administrative Pages: CAN-2002-1181 


Tested Versions:
Microsoft tested IIS 4.0, 5.0 and 5.1 to assess whether they are affected by these 
vulnerabilities. Previous versions are no longer supported, and may or may not be 
affected by these vulnerabilities.



Patch availability

Download locations for this patch 

IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43566
 
IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43296 

IIS 5.1:
32-bit: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43578
64-bit: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43602 


Additional information about this patch

Installation platforms: 

The IIS 4.0 patch can be installed on systems running Windows NT 4.0 Service Pack 6a. 

The IIS 5.0 patch can be installed on systems running Windows 2000 Service Pack 2 or 
Service Pack 3. 

The IIS 5.1 patch can be installed on systems running Windows XP Professional Gold and 
Service Pack 1. 


Inclusion in future service packs: 

No additional service packs are planned for Windows NT 4.0. 

The IIS 5.0 fixes will be included in Windows 2000 Service Pack 4. 

The IIS 5.1 fixes will be included in Windows XP Service Pack 2. 


Reboot needed: 

IIS 4.0: A reboot can be avoid by stopping the IIS service, installing the patch with 
the /z switch, then restarting the service. Knowledge Base article Q327696 provides 
additional information on this procedure. 

IIS 5.0: In most cases, the patch does not require a reboot. The installer stops the 
needed services, applies the patch, then restarts them. However, if the needed 
services cannot be stopped for any reason, it will require a reboot. If this occurs, a 
prompt will be displayed advising of the need to reboot. 

IIS 5.1: No. (In some cases, a pop-up dialogue may say that the system needs to be 
rebooted in order for the patch installation process to be completed. This dialogue, 
if it appears, can be ignored) 

Patch can be uninstalled: Yes 


Superseded patches:
This patch supersedes the ones provided in the following Microsoft Security Bulletins:


   MS02-028. 

   MS02-018. (This is a cumulative patch, and supersedes additional patches) 


Verifying patch installation:

IIS 4.0: 
To verify that the patch has been installed on the machine, confirm that the following 
registry key has been created on the machine: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q327696. 

To verify the individual files, consult the file manifest in Knowledge Base article 
Q327696. 

IIS 5.0: 
To verify that the patch has been installed on the machine, confirm that the following 
registry key has been created on the machine: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q327696. 

To verify the individual files, use the date/time and version information provided in 
the following registry key: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q327696\Filelist. 

IIS 5.1: 
To verify that the patch has been installed on the machine, confirm that the following 
registry key has been created on the machine: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\Q327696. 

To verify the individual files, use the date/time and version information provided in 
the following registry key: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\Q327696\Filelist. 


Caveats: 

The fixes for four vulnerabilities affecting IIS 4.0 servers are not included in the 
patch, because they require administrative action rather than a software change. 
Administrators should ensure that in addition to applying this patch, they also have 
taken the administrative action discussed in the following bulletins: 

  Microsoft Security Bulletin MS00-028 
  Microsoft Security Bulletin MS00-025 
  Microsoft Security Bulletin MS99-025 (which discusses the same issue as Microsoft 
    Security Bulletin MS98-004) 
  Microsoft Security Bulletin MS99-013 

The patch does not include fixes for vulnerabilities involving non-IIS products like 
Front Page Server Extensions and Index Server, even though these products are closely 
associated with IIS and typically installed on IIS servers. At this writing, the 
bulletins discussing these vulnerabilities are: 

  Microsoft Security Bulletin MS01-043 
  Microsoft Security Bulletin MS01-025 
  Microsoft Security Bulletin MS00-084 
  Microsoft Security Bulletin MS00-018 
  Microsoft Security Bulletin MS00-006 

There is, however, one exception. The fix for the vulnerability affecting Index Server 
which is discussed in Microsoft Security Bulletin MS01-033 is included in this patch. 
We have included it because of the seriousness of the issue for IIS servers.
 
Customers using IIS 4.0 should ensure that they have followed the correct installation 
order before installing this or any security patch. Specifically, customers should 
ensure that Windows NT 4.0 Service Pack 6a has been applied (or re-applied) after 
installing the IIS 4.0 service. 

Customers using Site Server should be aware that a previously documented issue 
involving intermittent authentication errors has been determined to affect this and a 
small number of other patches. Microsoft Knowledge Base article Q317815 discusses the 
issue and how resolve it. 


Localization:
Localized versions of this patch are available at the locations discussed in “Patch 
Availability”. 


Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

Security patches are available from the Microsoft Download Center, and can be most 
easily found by doing a keyword search for "security_patch". 

Patches for consumer platforms are available from the WindowsUpdate web site 


Other information: 

Acknowledgments
Microsoft thanks  the following people for reporting this issue to us and working with 
us to protect customers: 

Li0n of A3 Security Consulting Co., Ltd. ( http://www.a3sc.co.kr) for reporting the 
Out of process privilege elevation vulnerability. 

Mark Litchfield of Next Generation Security Software Ltd. (http://www.nextgenss.com) 
for reporting the WebDAV denial of service vulnerability. 

Luciano Martins of Deloitte & Touche Argentina (http://www.deloitte.com.ar) for 
recommending the change in the socket backlog list purge rate. 


Support: 

Microsoft Knowledge Base article Q327696 discusses this issue and will be available 
approximately 24 hours after the release of this bulletin. Knowledge Base articles can 
be found on the Microsoft Online Support web site. 

Technical support is available from Microsoft Product Support Services. There is no 
charge for support calls associated with security patches.
 

Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products. 


Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" without 
warranty of any kind. Microsoft disclaims all warranties, either express or implied, 
including the warranties of merchantability and fitness for a particular purpose. In 
no event shall Microsoft Corporation or its suppliers be liable for any damages 
whatsoever including direct, indirect, incidental, consequential, loss of business 
profits or special damages, even if Microsoft Corporation or its suppliers have been 
advised of the possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply. 

Revisions: 


V1.0 (October 23, 2002): Bulletin Created. 



[***** End Microsoft Security Bulletin MS02-062 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft  for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-002: Microsoft HTML Help ActiveX Control Vulnerabilities
N-003: Microsoft Cumulative Patch for SQL Server
N-004: SGI rpcbind User-level Vulnerabilities
N-005: Apache 1.3.27 HTTP Server Release
N-006: HP pam_authz in LDAP-UX Integration Vulnerabilities
N-007: Microsoft Outlook Express Unchecked Buffer in S/MIME Vulnerability
N-008: Microsoft Elevation of Privilege in SQL Server Web Tasks
N-009: MIT krb5  Buffer Overflow in kadmind4
CIACTech03-001: Spamming using the Windows Messenger Service
N-010: Web-Based Enterprise Management on Solaris 8 Installs Insecure Files 





TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH