MS Cumulative Patch IIS (CIAC N-011)

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

               Cumulative Patch for Internet Information Service
                     [Microsoft Security Bulletin MS02-062]

November 1, 2002 14:00 GMT                                        Number N-011
______________________________________________________________________________
PROBLEM:       This patch is a cumulative patch that includes the 
               functionality of all security patches released for IIS 4.0 
               since Windows NT 4.0 Service Pack 6a, and all security patches 
               released to date for IIS 5.0 and 5.1. 
SOFTWARE:      Microsoft Internet Information Server 4.0 
               Microsoft Internet Information Services 5.0 
               Microsoft Internet Information Services 5.1 
DAMAGE:        The most serious vulnerability of the four affected by this 
               patch is that it could enable applications on a server to gain 
               system-level privileges. 
SOLUTION:      Apply patch 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. To exploit any of these vulnerabilities
ASSESSMENT:    the attacker would need the ability to load and execute
               applications, or entice a user to visit a malicious web site 
               or open an HTML e-mail. 
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-011.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-062.asp
 PATCHES:            http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43566
                     http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43296
                     http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43578
                     http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43602
______________________________________________________________________________
[***** Start Microsoft Security Bulletin MS02-062 *****]


Microsoft Security Bulletin MS02-062  

Cumulative Patch for Internet Information Service (Q327696)
Originally posted: October 30, 2002


Summary

Who should read this bulletin: Customers hosting web servers using Microsoft® Windows 
NT® 4.0, Windows® 2000, or Windows XP. 

Impact of vulnerability: Four vulnerabilities, the most serious of which could enable 
applications on a server to gain system-level privileges. 

Maximum Severity Rating: Moderate 

Recommendation: Customers using IIS 4.0, 5.0 or 5.1 should consider applying the patch.

Affected Software: 

  Microsoft Internet Information Server 4.0 
  Microsoft Internet Information Services 5.0 
  Microsoft Internet Information Services 5.1 


Technical details

Technical description: 

This patch is a cumulative patch that includes the functionality of all security 
patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security 
patches released to date for IIS 5.0 and 5.1. A complete listing of the patches 
superseded by this patch is provided below, in the section titled “Additional 
information about this patch”. Before applying the patch, system administrators should 
take note of the caveats discussed in the same section. 

In addition to including previously released security patches, this patch also 
includes fixes for the following newly discovered security vulnerabilities affecting 
IIS 4.0, 5.0 and/or 5.1: 

A privilege elevation vulnerability affecting the way ISAPIs are launched when an IIS 
4.0, 5.0 or 5.1 server is configured to run them out of process. By design, the 
hosting process (dllhost.exe) should run only in the security context of the 
IWAM_computername account; however, it can actually be made to acquire LocalSystem 
privileges under certain circumstances, thereby enabling an ISAPI to do likewise.
 
A denial of service vulnerability that results because of a flaw in the way IIS 5.0 
and 5.1 allocate memory for WebDAV requests. If a WebDAV request were malformed in a 
particular way, IIS would allocate an extremely large amount of memory on the server. 
By sending several such requests, an attacker could cause the server to fail. 

A vulnerability involving the operation of the script source access permission in IIS 
5.0. This permission operates in addition to the normal read/write permissions for a 
virtual directory, and regulates whether scripts, .ASP files and executable file types 
can be uploaded to a write-enabled virtual directory. A typographical error in the 
table that defines the file types subject to this permission has the effect of 
omitting .COM files from the list of files subject to the permission. As a result, a 
user would need only write access to upload such a file. 

A pair of Cross-Site Scripting (CSS) vulnerabilities affecting IIS 4.0, 5.0 and 5.1, 
and involving administrative web pages. Each of these vulnerabilities has the same 
scope and effect: an attacker who was able to lure a user into clicking a link on his 
web site could relay a request containing script to a third-party web site running 
IIS, thereby causing the third-party site's response (still including the script) to 
be sent to the user. The script would then render using the security settings of the 
third-party site rather than the attacker's. 

In addition, the patch causes IIS 5.0 and 5.1 to change how frequently the socket 
backlog list – which, when all connections on a server are allocated, holds the list of 
pending connection requests – is purged. The patch changes IIS to purge the list more 
frequently in order to make it more resilient to flooding attacks. The backlog 
monitoring feature is not present in IIS 4.0. 


Mitigating factors:

Out of Process Privilege Elevation: 

This vulnerability could only be exploited by an attacker who already had the ability 
to load and execute applications on an affected web server. Normal security practices 
recommend that untrusted users not be allowed to load applications onto a server, and 
that even trusted users’ applications be scrutinized before allowing them to be 
loaded. 


WebDAV Denial of Service: 

The vulnerability does not affect IIS 4.0, as WebDAV is not supported in this version 
of IIS. 

The vulnerability could only be exploited if the server allowed WebDAV requests to be 
levied on it. The IIS Lockdown Tool, if deployed in its default configuration, 
disables such requests. 


Script Source Access Vulnerability: 

The vulnerability could only be exploited if the administrator had granted all users 
write and execute permissions to one or more virtual directories on the server. 
Default configurations of IIS would be at no risk from this vulnerability. 

The vulnerability does not affect IIS 4.0, as WebDAV is not supported in this version 
of IIS. 

The vulnerability could only be exploited if the server allowed WebDAV requests to be 
levied on it. The IIS Lockdown Tool, if deployed in its default configuration, 
disables such requests. 


Cross-site Scripting in IIS Administrative Pages: 

The vulnerabilities could only be exploited if the attacker could entice another user 
into visiting a web page and clicking a link on it, or opening an HTML mail. 

By default, the pages containing the vulnerability are restricted to the local IP 
address. As a result, the vulnerability could only be exploited if the client itself 
were running IIS. 


Severity Rating:

Out of Process Privilege Elevation:  
                Internet Servers     Intranet Servers      Client Systems 
IIS 4.0            Moderate            Moderate               None 
IIS 5.0            Moderate            Moderate               None 
IIS 5.1            Moderate            Moderate               None 

WebDAV Denial of Service:  
                Internet Servers     Intranet Servers      Client Systems 
IIS 4.0            None                None                   None 
IIS 5.0            Moderate            Moderate               None 
IIS 5.1            Moderate            Moderate               None 

Script Source Access Vulnerability: 
                Internet Servers     Intranet Servers      Client Systems  
IIS 4.0            None                None                   None 
IIS 5.0            Low                 Low                    None 
IIS 5.1            None                None                   None 

Cross-site Scripting in IIS Administrative Pages:  
                Internet Servers     Intranet Servers      Client Systems 
IIS 4.0            None                None                   Low 
IIS 5.0            None                None                   Low 
IIS 5.1            None                None                   Low 

The above assessment is based on the types of systems affected by the vulnerability, 
their typical deployment patterns, and the effect that exploiting the vulnerability 
would have on them. 


Vulnerability identifier: 

  Out of Process Privilege Elevation: CAN-2002-0869 

  WebDAV Denial of Service: CAN-2002-1182 

  Script Source Access Vulnerability: CAN-2002-1180 

  Cross-site Scripting in IIS Administrative Pages: CAN-2002-1181 


Tested Versions:
Microsoft tested IIS 4.0, 5.0 and 5.1 to assess whether they are affected by these 
vulnerabilities. Previous versions are no longer supported, and may or may not be 
affected by these vulnerabilities.



Patch availability

Download locations for this patch 

IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43566
 
IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43296 

IIS 5.1:
32-bit: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43578
64-bit: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43602 


Additional information about this patch

Installation platforms: 

The IIS 4.0 patch can be installed on systems running Windows NT 4.0 Service Pack 6a. 

The IIS 5.0 patch can be installed on systems running Windows 2000 Service Pack 2 or 
Service Pack 3. 

The IIS 5.1 patch can be installed on systems running Windows XP Professional Gold and 
Service Pack 1. 


Inclusion in future service packs: 

No additional service packs are planned for Windows NT 4.0. 

The IIS 5.0 fixes will be included in Windows 2000 Service Pack 4. 

The IIS 5.1 fixes will be included in Windows XP Service Pack 2. 


Reboot needed: 

IIS 4.0: A reboot can be avoided by stopping the IIS service, installing the patch with 
the /z switch, then restarting the service. Knowledge Base article Q327696 provides 
additional information on this procedure. 

IIS 5.0: In most cases, the patch does not require a reboot. The installer stops the 
needed services, applies the patch, then restarts them. However, if the needed 
services cannot be stopped for any reason, it will require a reboot. If this occurs, a 
prompt will be displayed advising of the need to reboot. 

IIS 5.1: No. (In some cases, a pop-up dialogue may say that the system needs to be 
rebooted in order for the patch installation process to be completed. This dialogue, 
if it appears, can be ignored.) 

Patch can be uninstalled: Yes 


Superseded patches:
This patch supersedes the ones provided in the following Microsoft Security Bulletins:


   MS02-028. 

   MS02-018. (This is a cumulative patch, and supersedes additional patches) 


Verifying patch installation:

IIS 4.0: 
To verify that the patch has been installed on the machine, confirm that the following 
registry key has been created on the machine: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q327696. 

To verify the individual files, consult the file manifest in Knowledge Base article 
Q327696. 

IIS 5.0: 
To verify that the patch has been installed on the machine, confirm that the following 
registry key has been created on the machine: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q327696. 

To verify the individual files, use the date/time and version information provided in 
the following registry key: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q327696\Filelist. 

IIS 5.1: 
To verify that the patch has been installed on the machine, confirm that the following 
registry key has been created on the machine: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\Q327696. 

To verify the individual files, use the date/time and version information provided in 
the following registry key: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\Q327696\Filelist. 
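As an added example (not part of the CIAC or Microsoft text), the following PowerShell function turns the three registry checks above into a single report for an administrator. It assumes a host where PowerShell is available, that the Filelist key holds one subkey per patched file, and it only reads the registry.

```powershell
# Added example, not part of the CIAC or Microsoft bulletin: reports whether the
# Q327696 (MS02-062) cumulative patch is registered on the local machine, using
# the registry keys listed in "Verifying patch installation" for each IIS version.
# Run it in an elevated PowerShell session on the web server; it only reads the registry.

function Get-Q327696Status {
    # Registry locations copied from the bulletin. IIS 4.0 has no Filelist key;
    # the bulletin points to the file manifest in KB article Q327696 instead.
    $checks = @(
        [pscustomobject]@{
            Version  = 'IIS 4.0'
            Key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q327696'
            FileList = $null
        },
        [pscustomobject]@{
            Version  = 'IIS 5.0'
            Key      = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q327696'
            FileList = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q327696\Filelist'
        },
        [pscustomobject]@{
            Version  = 'IIS 5.1'
            Key      = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP4\Q327696'
            FileList = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP4\Q327696\Filelist'
        }
    )

    foreach ($c in $checks) {
        $registered = Test-Path -LiteralPath $c.Key
        $fileInfo   = @()

        if ($registered -and $c.FileList -and (Test-Path -LiteralPath $c.FileList)) {
            # Assumption: Filelist holds one subkey per patched file whose values
            # carry the name, version and date the bulletin says to compare.
            # Every value is collected as-is so nothing is hidden from the reviewer.
            foreach ($sub in Get-ChildItem -LiteralPath $c.FileList) {
                $fileInfo += Get-ItemProperty -LiteralPath $sub.PSPath |
                             Select-Object -Property * -ExcludeProperty PS*
            }
        }

        [pscustomobject]@{
            Version    = $c.Version
            Key        = $c.Key
            Registered = $registered
            # The key alone only proves the installer ran; the bulletin asks for
            # the per-file version/date check, so that data is surfaced as well.
            FileCount  = $fileInfo.Count
            Files      = $fileInfo
        }
    }
}

# Typical use: see which registrations exist, then inspect the file data for the
# entry that matches the IIS version actually installed on this server.
$status = Get-Q327696Status
$status | Format-Table Version, Registered, FileCount -AutoSize
$status | Where-Object Registered | Select-Object -ExpandProperty Files | Format-List
```

A machine running a given IIS version should report exactly one Registered entry; an empty file list for IIS 5.0 or 5.1 means the version/date comparison the bulletin calls for still has to be done by hand.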


Caveats: 

The fixes for four vulnerabilities affecting IIS 4.0 servers are not included in the 
patch, because they require administrative action rather than a software change. 
Administrators should ensure that in addition to applying this patch, they also have 
taken the administrative action discussed in the following bulletins: 

  Microsoft Security Bulletin MS00-028 
  Microsoft Security Bulletin MS00-025 
  Microsoft Security Bulletin MS99-025 (which discusses the same issue as Microsoft 
    Security Bulletin MS98-004) 
  Microsoft Security Bulletin MS99-013 

The patch does not include fixes for vulnerabilities involving non-IIS products like 
Front Page Server Extensions and Index Server, even though these products are closely 
associated with IIS and typically installed on IIS servers. At this writing, the 
bulletins discussing these vulnerabilities are: 

  Microsoft Security Bulletin MS01-043 
  Microsoft Security Bulletin MS01-025 
  Microsoft Security Bulletin MS00-084 
  Microsoft Security Bulletin MS00-018 
  Microsoft Security Bulletin MS00-006 

There is, however, one exception. The fix for the vulnerability affecting Index Server 
which is discussed in Microsoft Security Bulletin MS01-033 is included in this patch. 
We have included it because of the seriousness of the issue for IIS servers.
 
Customers using IIS 4.0 should ensure that they have followed the correct installation 
order before installing this or any security patch. Specifically, customers should 
ensure that Windows NT 4.0 Service Pack 6a has been applied (or re-applied) after 
installing the IIS 4.0 service. 

Customers using Site Server should be aware that a previously documented issue 
involving intermittent authentication errors has been determined to affect this and a 
small number of other patches. Microsoft Knowledge Base article Q317815 discusses the 
issue and how to resolve it. 


Localization:
Localized versions of this patch are available at the locations discussed in “Patch 
Availability”. 


Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

Security patches are available from the Microsoft Download Center, and can be most 
easily found by doing a keyword search for "security_patch". 

Patches for consumer platforms are available from the WindowsUpdate web site. 


Other information: 

Acknowledgments
Microsoft thanks the following people for reporting this issue to us and working with 
us to protect customers: 

Li0n of A3 Security Consulting Co., Ltd. (http://www.a3sc.co.kr) for reporting the 
Out of process privilege elevation vulnerability. 

Mark Litchfield of Next Generation Security Software Ltd. (http://www.nextgenss.com) 
for reporting the WebDAV denial of service vulnerability. 

Luciano Martins of Deloitte & Touche Argentina (http://www.deloitte.com.ar) for 
recommending the change in the socket backlog list purge rate. 


Support: 

Microsoft Knowledge Base article Q327696 discusses this issue and will be available 
approximately 24 hours after the release of this bulletin. Knowledge Base articles can 
be found on the Microsoft Online Support web site. 

Technical support is available from Microsoft Product Support Services. There is no 
charge for support calls associated with security patches.
 

Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products. 


Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" without 
warranty of any kind. Microsoft disclaims all warranties, either express or implied, 
including the warranties of merchantability and fitness for a particular purpose. In 
no event shall Microsoft Corporation or its suppliers be liable for any damages 
whatsoever including direct, indirect, incidental, consequential, loss of business 
profits or special damages, even if Microsoft Corporation or its suppliers have been 
advised of the possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply. 

Revisions: 


V1.0 (October 23, 2002): Bulletin Created. 



[***** End Microsoft Security Bulletin MS02-062 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-002: Microsoft HTML Help ActiveX Control Vulnerabilities
N-003: Microsoft Cumulative Patch for SQL Server
N-004: SGI rpcbind User-level Vulnerabilities
N-005: Apache 1.3.27 HTTP Server Release
N-006: HP pam_authz in LDAP-UX Integration Vulnerabilities
N-007: Microsoft Outlook Express Unchecked Buffer in S/MIME Vulnerability
N-008: Microsoft Elevation of Privilege in SQL Server Web Tasks
N-009: MIT krb5 Buffer Overflow in kadmind4
CIACTech03-001: Spamming using the Windows Messenger Service
N-010: Web-Based Enterprise Management on Solaris 8 Installs Insecure Files 



