__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Center
__________________________________________________________
INFORMATION BULLETIN
Microsoft Cumulative Patch for IIS Vulnerabilities
[Microsoft Security Bulletin MS02-018]
April 10, 2002 17:00 GMT Number M-066
______________________________________________________________________________
PROBLEM: Ten vulnerabilities have been identified in IIS, the most
serious of which could enable code of an attacker’s choice to
be run on a server.
PLATFORM: Web servers using Microsoft Windows NT 4.0, Windows 2000, or
Windows XP running one of the following:
Microsoft Internet Information Server 4.0
Microsoft Internet Information Services 5.0
Microsoft Internet Information Services 5.1
DAMAGE: Some of the vulnerabilities identified in this bulletin will allow
attackers to run code on the server.
SOLUTION: Apply patch supplied by the vendor.
______________________________________________________________________________
VULNERABILITY
ASSESSMENT: The risk is HIGH. Microsoft's IIS is an active target for
hackers. CIAC recommends that all sites running IIS take
immediate action.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-066.shtml
ORIGINAL BULLETIN:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-018.asp
______________________________________________________________________________
[***** Start Microsoft Security Bulletin MS02-018 *****]
Microsoft Security Bulletin MS02-018
Cumulative Patch for Internet Information Services (Q319733)
Originally posted: April 10, 2002
Summary
Who should read this bulletin: Customers hosting web servers using
Microsoft® Windows NT® 4.0, Windows® 2000, or Windows XP.
Impact of vulnerability: Ten new vulnerabilities, the most serious of
which could enable code of an attacker’s choice to be run on a server.
Recommendation: Customers using any of the affected products should
install the patch immediately.
Maximum Severity Rating: Critical
Affected Software:
Microsoft Internet Information Server 4.0
Microsoft Internet Information Services 5.0
Microsoft Internet Information Services 5.1
Note: Beta versions of .NET Server after Build 3605 contain fixes for
all of the vulnerabilities affecting IIS 6.0. As discussed in the FAQ,
Microsoft is working directly with the small number of customers who
are using the .NET Server beta version in production environments to
provide immediate remediation for them.
Technical description:
This patch is a cumulative patch that includes the functionality of all
security patches released for IIS 4.0 since Windows NT 4.0 Service Pack
6a, and all security patches released to date for IIS 5.0 and 5.1. A
complete listing of the patches superseded by this patch is provided
below, in the section titled "Additional information about this patch".
Before applying the patch, system administrators should take note of
the caveats discussed in the same section.
In addition to including previously released security patches, this
patch also includes fixes for the following newly discovered security
vulnerabilities affecting IIS 4.0, 5.0 and/or 5.1:
A buffer overrun vulnerability involving the operation of the chunked
encoding transfer mechanism via Active Server Pages in IIS 4.0 and 5.0.
An attacker who exploited this vulnerability could overrun heap memory
on the system, with the result of either causing the IIS service to
fail or allowing code to be run on the server.
A Microsoft-discovered vulnerability that is related to the preceding
one, but which lies elsewhere within the ASP data transfer mechanism.
It could be exploited in a similar manner as the preceding vulnerability,
and would have the same scope. However, it affects IIS 4.0, 5.0, and 5.1.
A buffer overrun involving how IIS 4.0, 5.0 and 5.1 process HTTP header
information in certain cases. IIS performs a safety check prior to parsing
the fields in HTTP headers, to ensure that expected delimiter fields are
present and in reasonable places. However, it is possible to spoof the
check, and convince IIS that the delimiters are present even when they
are not. This flaw could enable an attacker to create an URL whose HTTP
header field values would overrun a buffer used to process them.
A Microsoft-discovered buffer overrun vulnerability in IIS 4.0, 5.0 and
5.1 that results from an error in a safety check that is performed during
server-side includes. In some cases, a user request for a web page is
properly processed by including the file into an ASP script and
processing it. Prior to processing the include request, IIS performs an
operation on the user-specified file name, designed to ensure that the
file name is valid and sized appropriately to fit in a static buffer.
However, in some cases it could be possible to provide a bogus,
extremely long file name in a way that would pass the safety check,
thereby resulting in a buffer overrun.
A buffer overrun affecting the HTR ISAPI extension in IIS 4.0 and 5.0.
By sending a series of specially malformed HTR requests, it could be
possible to either cause the IIS service to fail or, under a very
difficult operational scenario, to cause code to run on the server.
A denial of service vulnerability involving the way IIS 4.0, 5.0, and
5.1 handle an error condition from ISAPI filters. At least one ISAPI
filter (which ships as part of FrontPage Server Extensions and ASP.NET),
and possibly others, generate an error when a request is received
containing an URL that exceeds the maximum length set by the filter.
In processing this error, the filter replaces the URL with a null value.
A flaw results because IIS attempts to process the URL in the course of
sending the error message back to the requester, resulting in an access
violation that causes the IIS service to fail.
A denial of service vulnerability involving the way the FTP service in
IIS 4.0, 5.0 and 5.1 handles a request for the status of the current
FTP session. If an attacker were able to establish an FTP session with
an affected server, and levied a status request that created a particular
error condition, a flaw in the FTP code would prevent it from correctly
reporting the error. Other code within the FTP service would then
attempt to use uninitialized data, with an access violation as the result.
This would result in the disruption of not only FTP services, but also
of web services.
A trio of Cross-Site Scripting (CSS) vulnerabilities affecting IIS 4.0,
5.0 and 5.1: one involving the results page that’s returned when searching
the IIS Help Files, one involving HTTP error pages; and one involving the
error message that’s returned to advise that a requested URL has been
redirected. All of these vulnerabilities have the same scope and effect:
an attacker who was able to lure a user into clicking a link on his
web site could relay a request containing script to a third-party web
site running IIS, thereby causing the third-party site’s response
(still including the script) to be sent to the user. The script would
then render using the security settings of the third-party site rather
than the attacker’s.
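Added example (neither the CIAC text nor the Microsoft bulletin contains code): a Python scanner over IIS W3C extended log lines that flags, for review, the request classes described above: requests for HTR resources, oversized URLs of the kind that trip an ISAPI filter's length limit, and URLs carrying script tags as in the cross-site scripting cases. The field names follow the W3C extended log format; the length threshold, the paths and the sample lines are constructed and are not taken from the bulletin.

```python
"""Flag IIS log entries matching the MS02-018 issue classes (added example)."""
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format; paths and addresses are
# invented for illustration, not taken from a real server.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2002-04-11 08:00:01 192.0.2.10 GET /default.asp - 200\n"
    "2002-04-11 08:00:02 192.0.2.11 GET /scripts/changepw.htr - 404\n"
    "2002-04-11 08:00:03 192.0.2.12 GET /iishelp/search.asp "
    "q=%3Cscript%3Ealert(1)%3C/script%3E 200\n"
    "2002-04-11 08:00:04 192.0.2.13 GET /" + "A" * 600 + " - 414\n"
)

URL_LENGTH_LIMIT = 512  # constructed threshold; the bulletin states no number
SCRIPT_RE = re.compile(r"<\s*script", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request row, naming columns from the #Fields: directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # rows before any #Fields: directive cannot be interpreted
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed row; skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def classify(rec):
    """Return the issue classes from the bulletin that one request record matches."""
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-")
    query = "" if query == "-" else query  # W3C logs write '-' for an empty query
    full = stem + ("?" + query if query else "")
    hits = []
    if stem.lower().endswith(".htr"):
        hits.append("htr-request")          # HTR ISAPI extension in use
    if len(full) > URL_LENGTH_LIMIT:
        hits.append("oversized-url")        # length-limit error path in ISAPI filters
    if SCRIPT_RE.search(unquote(full)):
        hits.append("script-in-url")        # cross-site scripting attempt
    return hits


def scan(text):
    """Return [(client ip, uri stem, [classes])] for every flagged request."""
    findings = []
    for rec in parse_w3c(text):
        hits = classify(rec)
        if hits:
            findings.append((rec.get("c-ip", "?"), rec.get("cs-uri-stem", ""), hits))
    return findings


if __name__ == "__main__":
    for ip, uri, hits in scan(SAMPLE_LOG):
        print(f"{ip} {uri[:60]} -> {', '.join(hits)}")
```

Point scan() at a real log file's contents to review a server's history; a hit is a lead for investigation, not proof of exploitation.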
Mitigating factors:
Buffer overrun in Chunked Encoding transfer:
On default installations of IIS 5.0 and 5.1, exploiting the vulnerability
to run code would grant the attacker the privileges of the IWAM_computername
account, which has only the privileges commensurate with those of an
interactively logged-on unprivileged user.
The vulnerability requires that Active Server Pages (ASP) be enabled on
the system in order to be exploited. Version 1.0 of the IIS Lockdown Tool
removes ASP by default, and the current version (version 2.1) removes it
by default if Static Web Server has been selected.
The URLScan tool can be configured to prevent chunked encoding requests.
If this has been done, the vulnerability could not be exploited.
Microsoft-discovered variant of Chunked Encoding buffer overrun:
This vulnerability is subject to exactly the same mitigating factors as
the buffer overrun in the Chunked Encoding transfer, with one exception.
The URLScan tool could not be used to protect against the vulnerability.
Buffer Overrun in HTTP header handling:
On default installations of IIS 5.0 and 5.1, exploiting the vulnerability
to run code would grant the attacker the privileges of the IWAM_computername
account, which has only the privileges commensurate with those of an
interactively logged-on unprivileged user.
The vulnerability requires that Active Server Pages (ASP) be enabled on
the system in order to be exploited. Version 1.0 of the IIS Lockdown Tool
removes ASP by default, and the current version (version 2.1) removes it
by default if Static Web Server has been selected.
The URLScan tool’s default ruleset would likely limit the attacker to
using this vulnerability for denial of service attacks only.
Buffer Overrun in ASP Server-Side Include Function:
On default installations of IIS 5.0 and 5.1, exploiting the vulnerability
to run code would grant the attacker the privileges of the IWAM_computername
account, which has only the privileges commensurate with those of an
interactively logged-on user.
The vulnerability requires that Active Server Pages (ASP) be enabled on
the system in order to be exploited. Version 1.0 of the IIS Lockdown Tool
removes ASP by default, and the current version (version 2.1) removes it
by default if Static Web Server has been selected.
The URLScan tool’s default ruleset would likely limit the attacker to
using this vulnerability for denial of service attacks only.
Buffer overrun in HTR ISAPI extension:
Microsoft has long recommended disabling the HTR ISAPI extension. Systems
on which this has been done would be at no risk from the vulnerability.
(All versions of the IIS Lockdown Tool disable HTR support by default).
The URLScan tool, if using its default ruleset, would prevent this
vulnerability from being exploited to run code on the server even if
HTR support was enabled.
The vulnerability could only be used to run code on the server if the
attacker knew the locations of certain information in memory. In practice,
the most likely such situation would occur if the web server had never
served any web content since being rebooted. In all other cases, it would
only be possible to use the vulnerability for denial of service attacks.
On default installations of IIS 5.0 and 5.1, exploiting the vulnerability
to run code would grant the attacker the privileges of the IWAM_computername
account, which has only the privileges commensurate with those of an
interactively logged-on user.
If the vulnerability were used in a denial of service attack, normal
operation could be restored on an IIS 4.0 server by restarting the IIS
service; on IIS 5.0 and higher, the service would automatically restart
itself.
Access violation in URL error handling:
An IIS 4.0 server could be put back into normal operation by restarting
the service. An IIS 5.0 or 5.1 server would automatically restart the
service.
The vulnerability could only be used for denial of service attacks. There
is no capability to use the vulnerability to gain privileges on the system.
The sole ISAPI filter known to generate the error that results in the access
violation ships only as part of FrontPage Server Extensions and ASP.NET.
ASP.NET is not installed by default, and FPSE can be uninstalled if desired.
Denial of service via FTP Status request:
The IIS Lockdown Tool disables FTP support by default.
An IIS 4.0 server could be put back into normal operation by restarting
the service. An IIS 5.0 or 5.1 server would automatically restart the
service.
The vulnerability could only be used for denial of service attacks. There
is no capability to use the vulnerability to gain privileges on the system.
Cross-site Scripting in IIS Help File search facility, HTTP Error Page,
and Redirect Response message:
The vulnerabilities could only be exploited if the attacker could entice
another user into visiting a web page and clicking a link on it, or
opening an HTML mail.
The Redirect Response vulnerability could only be exploited if the user
was running a browser other than Internet Explorer. IE does not actually
render the text in the Redirect Response, but instead recognizes it by
its response header and processes the redirect without displaying any text.
Severity Rating:
Buffer overrun in ASP Chunked Encoding data transfer mechanism:
            Internet Servers   Intranet Servers   Client Systems
  IIS 4.0   Critical           Critical           None
  IIS 5.0   Critical           Critical           None
  IIS 5.1   None               None               None
Microsoft-discovered variant of ASP Chunked Encoding buffer overrun:
            Internet Servers   Intranet Servers   Client Systems
  IIS 4.0   Critical           Critical           None
  IIS 5.0   Critical           Critical           None
  IIS 5.1   Critical           Critical           None
Buffer Overrun in HTTP Header Handling:
            Internet Servers   Intranet Servers   Client Systems
  IIS 4.0   Critical           Critical           None
  IIS 5.0   Critical           Critical           None
  IIS 5.1   Critical           Critical           None
Buffer Overrun in ASP Server-Side Include Function:
            Internet Servers   Intranet Servers   Client Systems
  IIS 4.0   Critical           Critical           None
  IIS 5.0   Critical           Critical           None
  IIS 5.1   Critical           Critical           None
Buffer overrun in HTR ISAPI extension:
            Internet Servers   Intranet Servers   Client Systems
  IIS 4.0   Moderate           Moderate           None
  IIS 5.0   Moderate           Moderate           None
  IIS 5.1   None               None               None
Access violation in URL error handling:
            Internet Servers   Intranet Servers   Client Systems
  IIS 4.0   Moderate           Moderate           None
  IIS 5.0   Moderate           Moderate           None
  IIS 5.1   Moderate           Moderate           None
Denial of service via FTP status request:
            Internet Servers   Intranet Servers   Client Systems
  IIS 4.0   Moderate           Moderate           None
  IIS 5.0   Moderate           Moderate           None
  IIS 5.1   Moderate           Moderate           None
Cross-site Scripting in IIS Help File search facility:
            Internet Servers   Intranet Servers   Client Systems
  IIS 4.0   None               None               Moderate
  IIS 5.0   None               None               Moderate
  IIS 5.1   None               None               Moderate
Cross-site Scripting in HTTP Error Page:
            Internet Servers   Intranet Servers   Client Systems
  IIS 4.0   None               None               Moderate
  IIS 5.0   None               None               Moderate
  IIS 5.1   None               None               Moderate
Cross-site Scripting in Redirect Response message:
            Internet Servers   Intranet Servers   Client Systems
  IIS 4.0   None               None               Low
  IIS 5.0   None               None               Low
  IIS 5.1   None               None               Low
The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.
Vulnerability identifiers:
Buffer overrun in Chunked Encoding mechanism: CAN-2002-0079
Microsoft-discovered variant of Chunked Encoding buffer overrun:
CAN-2002-0147
Buffer Overrun in HTTP Header handling: CAN-2002-0150
Buffer Overrun in ASP Server-Side Include Function: CAN-2002-0149
Buffer overrun in HTR ISAPI extension: CAN-2002-0071
Access violation in URL error handling: CAN-2002-0072
Denial of service via FTP status request: CAN-2002-0073
Cross-site Scripting in IIS Help File search facility: CAN-2002-0074
Cross-site Scripting in HTTP Error Page: CAN-2002-0148
Cross-site Scripting in Redirect Response message: CAN-2002-0075
Tested Versions:
The following table indicates which of the currently supported versions
of IIS are affected by the vulnerabilities. Versions prior to IIS 4.0
are no longer supported and may or may not be affected by these
vulnerabilities. IIS 6.0 is a beta product and is therefore not intended
for use in production systems. A small number of customers are deploying
IIS 6.0 servers in production environments as part of a joint program with
Microsoft, and patches will be delivered directly to them.
                                                    IIS 4.0  IIS 5.0  IIS 5.1
Buffer overrun in Chunked Encoding mechanism        Yes      Yes      No
Microsoft-discovered variant of Chunked Encoding
  buffer overrun                                    Yes      Yes      Yes
Buffer Overrun in HTTP Header handling              Yes      Yes      Yes
Buffer Overrun in ASP Server-Side Include Function  Yes      Yes      Yes
Buffer overrun in HTR ISAPI extension               Yes      Yes      No
Access violation in URL error handling              Yes      Yes      Yes
Denial of service via FTP status request            Yes      Yes      Yes
Cross-site Scripting in IIS Help File search        No       Yes      Yes
Cross-site Scripting in HTTP Error Page             Yes      Yes      Yes
Cross-site Scripting in Redirect Response message   Yes      Yes      Yes
Patch availability
Download locations for this patch
Microsoft IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37931
Microsoft IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37824
Microsoft IIS 5.1:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37857
Additional information about this patch
Installation platforms:
The IIS 4.0 patch can be installed on systems running Windows NT 4.0
Service Pack 6a.
The IIS 5.0 patch can be installed on systems running Windows 2000
Service Pack 1 or Service Pack 2.
The IIS 5.1 patch can be installed on systems running Windows XP
Professional Gold.
Inclusion in future service packs:
No additional service packs are planned for Windows NT 4.0.
The IIS 5.0 fixes will be included in Windows 2000 Service Pack 3.
The IIS 5.1 fixes will be included in Windows XP Service Pack 1.
Reboot needed:
IIS 4.0: Yes
IIS 5.0: No
IIS 5.1: No. (In some cases, a pop-up dialogue may say that the system
needs to be rebooted in order for the patch installation process to be
completed. This dialogue, if it appears, can be ignored)
Superseded patches:
IIS 4.0 and 5.0: This patch supersedes the one provided in Microsoft
Security Bulletin MS01-044. (This is the previous cumulative patch for
IIS 4.0 and 5.0, and supersedes additional patches)
IIS 5.1: None
Verifying patch installation:
IIS 4.0:
To verify that the patch has been installed on the machine, confirm that
the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q319733.
To verify the individual files, consult the file manifest in Knowledge Base
article Q319733.
IIS 5.0:
To verify that the patch has been installed on the machine, confirm that
the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q319733.
To verify the individual files, use the date/time and version information
provided in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q319733\Filelist.
IIS 5.1:
To verify that the patch has been installed on the machine, confirm that
the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q319733.
To verify the individual files, use the date/time and version information
provided in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q319733\Filelist.
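Added example, not part of either bulletin: a Python check for the Q319733 registry markers listed above, written so the decision logic can be exercised on any platform through an injected lookup function while the real reader uses the Windows registry. It assumes (the bulletin does not say this) that IIS setup records MajorVersion and MinorVersion under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp.

```python
r"""Check a Windows host for the MS02-018 (Q319733) registry markers (added example).

The version lookup under HKLM\SOFTWARE\Microsoft\InetStp is an assumption;
the registry reader is injected so check_patch() runs on any platform.
"""
import sys
from typing import Callable, Optional

# Proof-of-installation keys from the bulletin, relative to HKEY_LOCAL_MACHINE.
PATCH_KEYS = {
    "4.0": r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q319733",
    "5.0": r"SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q319733",
    "5.1": r"SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q319733",
}


def check_patch(iis_version: str, key_exists: Callable[[str], bool]) -> dict:
    """Decide the patch state for one IIS version.

    key_exists(path) answers whether an HKLM-relative key is present.
    'patched' is None when the version is outside the bulletin's scope.
    """
    key = PATCH_KEYS.get(iis_version)
    if key is None:
        return {"version": iis_version, "covered": False, "patched": None, "key": None}
    return {"version": iis_version, "covered": True, "patched": key_exists(key), "key": key}


def describe(result: dict) -> str:
    """One-line verdict suitable for a fleet report."""
    if not result["covered"]:
        return f"IIS {result['version']}: not covered by MS02-018"
    state = "patched" if result["patched"] else "MISSING Q319733"
    return f"IIS {result['version']}: {state} (checked HKLM\\{result['key']})"


def winreg_key_exists(path: str) -> bool:
    """Real reader for Windows hosts; the winreg module only exists there."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path):
            return True
    except OSError:
        return False


def detect_iis_version() -> Optional[str]:
    r"""Assumption: setup records MajorVersion/MinorVersion under SOFTWARE\Microsoft\InetStp."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\InetStp") as k:
            major, _ = winreg.QueryValueEx(k, "MajorVersion")
            minor, _ = winreg.QueryValueEx(k, "MinorVersion")
            return f"{major}.{minor}"
    except OSError:
        return None


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the IIS host; it reads the Windows registry")
    version = detect_iis_version() or "unknown"
    print(describe(check_patch(version, winreg_key_exists)))
```

The key's presence shows the installer ran; as the bulletin says, confirm individual files against the Q319733 manifest or the Filelist subkey before treating a host as fixed.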
Caveats:
The fixes for four vulnerabilities affecting IIS 4.0 servers are not
included in the patch, because they require administrative action rather
than a software change. Administrators should ensure that in addition to
applying this patch, they also have taken the administrative action
discussed in the following bulletins:
Microsoft Security Bulletin MS00-028
Microsoft Security Bulletin MS00-025
Microsoft Security Bulletin MS99-025
(which discusses the same issue as Microsoft Security Bulletin MS98-004)
Microsoft Security Bulletin MS99-013
The patch does not include fixes for vulnerabilities involving non-IIS
products like Front Page Server Extensions and Index Server, even though
these products are closely associated with IIS and typically installed on
IIS servers. At this writing, the bulletins discussing these
vulnerabilities are:
Microsoft Security Bulletin MS01-043
Microsoft Security Bulletin MS01-025
Microsoft Security Bulletin MS00-084
Microsoft Security Bulletin MS00-018
Microsoft Security Bulletin MS00-006
There is, however, one exception. The fix for the vulnerability affecting
Index Server which is discussed in Microsoft Security Bulletin MS01-033 is
included in this patch. We have included it because of the seriousness of
the issue for IIS servers. Customers using IIS 4.0 should ensure that they
have followed the correct installation order before installing this or any
security patch. Specifically, customers should ensure that Windows NT 4.0
Service Pack 6a has been applied (or re-applied) after installing the
IIS 4.0 service.
Localization:
Localized versions of this patch are available at the locations discussed
in "Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the following
locations:
Security patches are available from the Microsoft Download Center, and can
be most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web
site.
All patches available via WindowsUpdate also are available in a
redistributable form from the WindowsUpdate Corporate site.
Other information:
Acknowledgments
Microsoft thanks the following people for reporting this issue to us and
working with us to protect customers:
eEye Digital Security (http://www.eeye.com) for reporting the buffer
overrun in the ASP chunked encoding implementation.
Entrust Technologies (http://www.entrust.com) for reporting the buffer
overrun affecting the HTTP header handling.
Chris Wysopal of @Stake (http://www.atstake.com) and Peter Grundl of KPMG
for reporting the buffer overrun in the HTR ISAPI extension and the access
violation in URL error handling.
Joe Smith (jsm1th@hotmail.com) and zenomorph (admin@cgisecurity.com) of
http://www.cgisecurity.com for reporting the cross-site scripting
vulnerability in the IIS Help File search facility.
Keigo Yamazaki of the LAC SNS Team (http://www.lac.co.jp/security/) for
reporting the cross-site scripting vulnerability affecting redirect
response messages. Thor Larholm of Jubii A/S for reporting the cross-site
scripting vulnerability affecting HTTP error pages.
Support:
Microsoft Knowledge Base article Q319733 discusses this issue and will be
available approximately 24 hours after the release of this bulletin.
Knowledge Base articles can be found on the Microsoft Online Support web
site.
Technical support is available from Microsoft Product Support Services.
There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages,
even if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.
Revisions:
V1.0 (April 10, 2002): Bulletin Created.
[***** End Microsoft Security Bulletin MS02-018 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Microsoft Corporation for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
M-057: Red Hat "at" Vulnerability
M-058: Apache Vulnerabilities on IRIX
M-059: Red Hat "groff" Vulnerability
M-060: JRE Bytecode Verifier Vulnerability
M-061: HP VVOS Web proxy Vulnerability
M-062: Double Free Bug in zlib Compression Library
M-063: Microsoft Internet Explorer Vulnerabilities
CIACTech02-002: Microsoft Browser Helper Objects (BHO) Could Hide Malicious Code
M-064: Cisco web interface vulnerabilities in ACS for Windows
M-065: Red Hat Race Conditions in "logwatch"