Microsoft Internet Information Server (IIS)

Title: Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise (Q321599)
Date: 12 June 2002
Software: Internet Information Server
Impact: Run Code of Attacker's Choice
Max Risk: Moderate
Bulletin: MS02-028

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-028.asp.

Issue:
This patch eliminates a newly discovered vulnerability affecting Internet Information Services. Although Microsoft typically delivers cumulative patches for IIS, in this case we have delivered a patch that eliminates only this new vulnerability, while completing a cumulative patch. When the cumulative patch is customer-ready, we will update this bulletin with information on its availability. The FAQ provides information on the circumstances surrounding the vulnerability, and why we believe releasing a singleton patch immediately is in customers' best interests. To ensure that servers are fully protected against past as well as current vulnerabilities, we strongly recommend installing the previous cumulative patch (discussed in Microsoft Security Bulletin MS02-018) before installing this patch.

The vulnerability is similar to the first vulnerability discussed in Microsoft Security Bulletin MS02-018. Like that vulnerability, this one involves a buffer overrun in the Chunked Encoding data transfer mechanism in IIS 4.0 and 5.0, and could likewise be used to overrun heap memory on the system, with the result of either causing the IIS service to fail or allowing code to be run on the server. The chief difference between the vulnerabilities is that the newly discovered one lies in the ISAPI extension that implements HTR - an older, largely obsolete scripting technology - where the previous one lay in the ISAPI extension that implements ASP.

Mitigating Factors:
- Microsoft has long recommended disabling HTR functionality unless there is a business-critical reason for retaining it. Systems on which HTR is disabled would not be at risk from this vulnerability.

- The IIS Lockdown Tool disables HTR by default in all server configurations.

- The current version of the URLScan tool provides a means of blocking chunked encoding transfer requests by default.

- On default installations of IIS 5.0, exploiting the vulnerability to run code would grant the attacker the privileges of the IWAM_computername account, which has only the privileges commensurate with those of an interactively logged-on unprivileged user.
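
For log review or a front-end filter on servers where HTR cannot yet be disabled, the following added example (not part of the bulletin and not Microsoft's code) flags requests that combine the two conditions described above: a target mapped to `.htr` and a chunked transfer encoding. The function names and sample requests are constructed, and matching `.htr` on any path segment is an assumption made to cover trailing path info.

```python
from urllib.parse import urlsplit, unquote

def parse_request_head(raw: bytes):
    """Split a raw HTTP request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            # Repeated headers are joined, as HTTP allows for list-valued fields.
            key = name.strip().lower()
            headers[key] = ", ".join(filter(None, [headers.get(key), value.strip()]))
    return method, target, headers

def targets_htr(target: str) -> bool:
    """True if any path segment ends in .htr (case-insensitive, URL-decoded)."""
    path = unquote(urlsplit(target).path).lower()
    return any(seg.endswith(".htr") for seg in path.split("/"))

def uses_chunked(headers: dict) -> bool:
    """True if 'chunked' is one of the listed transfer codings."""
    codings = headers.get("transfer-encoding", "").lower().split(",")
    return "chunked" in (c.strip() for c in codings)

def is_htr_chunked(raw: bytes) -> bool:
    """Flag requests that send a chunked body to an .htr resource."""
    try:
        _method, target, headers = parse_request_head(raw)
    except ValueError:
        return False  # malformed request line: left to other checks
    return targets_htr(target) and uses_chunked(headers)

# Constructed sample requests (benign bodies), not captured traffic.
HOST = b"Host: www.example.test\r\n"
SAMPLES = {
    "htr_chunked": b"POST /scripts/sample.HTR HTTP/1.1\r\n" + HOST
                   + b"Transfer-Encoding: chunked\r\n\r\n4\r\ntest\r\n0\r\n\r\n",
    "htr_plain": b"GET /scripts/sample.htr?x=1 HTTP/1.1\r\n" + HOST + b"\r\n",
    "asp_chunked": b"POST /app/form.asp HTTP/1.1\r\n" + HOST
                   + b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "encoded_pathinfo": b"POST /scripts/sample%2Ehtr/extra HTTP/1.1\r\n" + HOST
                        + b"Transfer-Encoding: gzip, Chunked\r\n\r\n0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {'FLAG' if is_htr_chunked(raw) else 'ok'}")
```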

Risk Rating:
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Moderate

Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-028.asp for information on obtaining this patch.


 

