. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                       Microsoft Cumulative Patch for IIS

August 16, 2001 21:00 GMT                                         Number L-132
______________________________________________________________________________
PROBLEM:       Microsoft has released a cumulative patch to fix five 
               vulnerabilities resulting in either denial of service or 
               elevation of privileges. This patch includes the functionality  
               of all security patches to date for IIS 5.0, and for IIS 4.0 
               since Windows NT(r) 4.0 service Pack 5. 
PLATFORM:      IIS 4.0 and 5.0 
DAMAGE:        Unpatched systems are vulnerable to denial of service attacks 
               or the possibility of privileges being elevated. 
SOLUTION:      Before applying the patch, system administrators should check 
               the caveats discussed in this advisory. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. This patch also eliminates the side effect 
ASSESSMENT:    of the previous IIS cumulative patch by restoring proper  
               functioning of UPN-style logons via FTP and W3SVC. 
______________________________________________________________________________

[******  Start Microsoft Security Bulletin MS01-044  ******]


-----------------------------------------------------------------------
Title:      15 August 2001 Cumulative Patch for IIS
Date:       15 August 2001
Software:   IIS 4.0 and 5.0
Impact:     Five vulnerabilities resulting in either denial of
            service or privilege elevation
Bulletin:   MS01-044


Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp.
-----------------------------------------------------------------------


Issue:
======
This patch is a cumulative patch that includes the functionality of
all security patches released to date for IIS 5.0, and all patches
released for IIS 4.0 since Windows NT(r) 4.0 Service Pack 5. A
complete listing of the patches superseded by this patch is provided
below, in the section titled "Additional information about this
patch". Before applying the patch, system administrators should take
note of the caveats discussed in the same section.


In addition to including all previously released security patches,
this patch also includes fixes for five newly discovered security
vulnerabilities affecting IIS 4.0 and 5.0:
 - A denial of service vulnerability that could enable an attacker
   to cause the IIS 4.0 service to fail, if URL redirection has
   been enabled. The "Code Red" worm generates traffic that can in
   some cases exploit this vulnerability, with the result that an
   IIS 4.0 machine that wasn't susceptible to infection via the
   worm could nevertheless have its service disrupted by the worm.
 - A denial of service vulnerability that could enable an attacker
   to temporarily disrupt service on an IIS 5.0 web server. WebDAV
   doesn't correctly handle particular type of very long, invalid
   request. Such a request would cause the IIS 5.0 service to fail;
   by default, it would automatically restart.
 - A denial of service vulnerability involving the way IIS 5.0
   interprets content containing a particular type of invalid MIME
   header. If an attacker placed content containing such a defect
   onto a server and then requested it, the IIS 5.0 service would
   be unable to serve any content until a spurious entry was removed
   from the File Type table for the site.
 - A buffer overrun vulnerability involving the code that performs
   server-side include (SSI) directives. An attacker who had the
   ability to place content onto a server could include a malformed
   SSI directive that, when the content was processed, would result
   in code of the attacker's choice running in Local System context.
 - A privilege elevation vulnerability that results because of a flaw
   in a table that IIS 5.0 consults when determining whether a
   process should in-process or out-of-process. IIS 5.0 contains a 
   table that lists the system files that should always run in-process. 
   However, the list provides the files using relative as well as 
   Absolute addressing, with the result that any file whose name matched 
   that of a file on the list would run in-process.


In addition, this patch eliminates a side effect of the previous IIS
cumulative patch (discussed in the Caveats section of Microsoft
Security Bulletin MS01-026) by restoring proper functioning of
UPN-style logons via FTP and W3SVC.


Mitigating Factors:
====================
URL Redirection denial of service:
 - This vulnerability only affects IIS 4.0. IIS 5.0 is not
   affected.
 - The vulnerability only occurs if URL redirection is enabled.
 - The vulnerability does not provide any capability to compromise
   data on the server or gain administrative control over it.


WebDAV request denial of service:
 - The vulnerability only affects IIS 5.0. IIS 4.0 is not affected.
 - The effect of an attack via this vulnerability would be temporary.
   The server would automatically resume normal service as soon as
   the malformed requests stopped arriving.
 - The vulnerability does not provide an attacker with any capability
   to carry out WebDAV requests.
 - The vulnerability does not provide any capability to compromise
   data on the server or gain administrative control over it.


MIME header denial of service:
 - The vulnerability only affects IIS 5.0. IIS 4.0 is not affected.
 - In order to exploit this vulnerability, the attacker would need
   to have the ability to install content on the server. However,
   by default, unprivileged users do not have this capability, and
   best practices strongly recommend against granting it to untrusted
   users.


SSI privilege elevation vulnerability:
 - In order to exploit this vulnerability, the attacker would need
   to have the ability to install content on the server. However,
   by default, unprivileged users do not have this capability, and
   best practices strongly recommend against granting it to untrusted
   users.


System file listing privilege elevation vulnerability:
 - The vulnerability only affects IIS 5.0. IIS 4.0 is not affected.
 - In order to exploit this vulnerability, the attacker would need
   to have the ability to install content on the server. However,
   by default, unprivileged users do not have this capability, and
   best practices strongly recommend against granting it to untrusted
   users.


Patch Availability:
===================
 - A patch is available to fix these vulnerabilities. Please read the
   Security Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms01-044.asp
   for information on obtaining this patch.


Acknowledgment:
===============
 - John Waters of Deloitte and Touche for reporting the MIME type
   denial of service vulnerability.
 - The NSFocus Security Team (http://www.nsfocus.com) for reporting
   the SSI privilege elevation vulnerability.
 - Oded Horovitz of Entercept(tm) Security Technologies
  (http://www.entercept.com) for reporting the system file listing
   privilege elevation vulnerability.


----------------------------------------------------------------------


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.



[******  End Microsoft Security Bulletin MS01-044  ******]

______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the 
information contained in this bulletin.
______________________________________________________________________________


CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-122: FreeBSD tcpdump Remote Buffer OVerflow Vulnerability
L-123: AIX libi18n Library Vulnerability
L-124: Remote Buffer Overflow in telnetd
L-125: SGI netprint Dynamic Shared Objects (DSO) Exploit
L-126: Microsoft Remote Procedure Call (RPC) Server Vulnerability
L-127: Sun BIND Vulnerabilities
L-128: MIT Kerberos 5 telnetd Buffer Overflows
L-129: Sun in.ftpd Filename Expansion Vulnerability
L-130: Multiple DoS Vulnerabilities in Cisco Broadband Operating Sy
L-131: IBM AIX telnetd Buffer Overflow