TUCoPS :: Web :: IIS :: al200107.txt

AusCERT Alert 2001.07 Microsoft IIS 5.0 Remote Administrator Compromise Vulnerability 

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                       AL-2001.07  --  AUSCERT ALERT
      Microsoft IIS 5.0 Remote Administrator Compromise Vulnerability
                                2 May 2001

===========================================================================

PROBLEM:  

	Microsoft has released an advisory on a vulnerability in IIS 5.0.
	This vulnerability may allow a remote attacker to execute arbitrary
	commands on the web server. This may lead to an Administrator
	compromise.


PLATFORM: 

	The following platforms running IIS 5.0, with the Internet Printing
	ASAPI enabled are vulnerable:

		Windows 2000 Server
		Windows 2000 Advanced Server
		Windows 2000 Datacenter Server

	Microsoft notes that the Internet Printing ASAPI is enabled by
	default on these platforms. Web servers using IIS 4.0, or that
	have had the IIS Lockdown Tool applied are not vulnerable.


IMPACT:   

	An attacker may gain Administrator control of the system using
	this vulnerability. Once the attacker has control, their ability
	to gain control of other machines on that network is dependent on
	that network's configuration. There is no logging enabled of IIS
	buffer overflows, so an attack may be performed unnoticed.

	An exploit for this vulnerability is currently publicly available.


SOLUTION: 

	Microsoft has released a patch for this vulnerability, and strongly
	recommends that it be applied immediately to all vulnerable IIS
	web servers. Information on obtaining this patch can be found at:

	http://www.microsoft.com/technet/security/bulletin/ms01-023.asp

	According to Microsoft, Service Pack 2 for Windows 2000 will
	contain this patch when it is released.

	As a workaround, disabling the Internet Printing ASAPI will protect
	against this form of attack. Information on doing this can be
	found at:

	http://www.microsoft.com/technet/security/iis5chk.asp


REFERENCES:

	More information on this vulnerability can be found in:

	AUSCERT ESB-2001.178
	ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.178

	Microsoft TechNet
	http://www.microsoft.com/technet/security/bulletin/MS01-023.asp

	eEYE Digital Security
	http://www.eeye.com/html/Research/Advisories/AD20010501.html

- ---------------------------------------------------------------------------
For more information contact Microsoft.
- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
						       
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOvfVHih9+71yA2DNAQGHyQP/T3mtWTjhOjccWvbjMzO2XI/leLwVmpwi
gtdgTCPHJ3M2zVejvLe9zHZZuW4aAk+Ey+nJ2XO5MYac6GAJCyW8la+XzmBXAcD1
8Wi2dCcjM/5LxpL983iwUNzMqK1l/YK45otx8+At3Pg+IimjXDNMex/st25rbN1v
NO9KJOErBUc=
=7Adh
-----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH