Microsoft IIS Buffer Overflow Lets Remote Users With Upload Privileges Execute Code - Remote Users Can Also Crash the Service
SecurityTracker Alert ID: 1006867
CVE Reference: CAN-2003-0223, CAN-2003-0224, CAN-2003-0225, CAN-2003-0226
Updated: Dec 7 2003
Original Entry Date: May 28 2003
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 4.0, 5.0, 5.1

Description: Several vulnerabilities were reported in Microsoft Internet Information Server (IIS). A remote user can cause denial of service conditions. A remote user with upload privileges can execute arbitrary code on the target system. A remote user can also conduct cross-site scripting attacks.

It is reported that IIS 5.0 does not properly validate requests for Server Side Includes (SSI) web pages. A remote user with the ability to upload SSI pages to the target server can then call the page to trigger a buffer overflow and execute arbitrary code on the server. The code will reportedly run with user-level permissions.

It is also reported that a remote user with the ability to upload an ASP page to the target server can then call the page to cause denial of service conditions. This is due to the lack of memory limitations in IIS 4.0 and 5.0 when the server constructs HTML headers to be displayed using the 'Response.AddHeader' function. A remote user can thus create a specially crafted ASP page to cause IIS to crash due to insufficient memory.

Another denial of service flaw is reported in IIS 5.0 and 5.1 in the processing of overly long WebDAV requests containing XML. A remote user can create a specific XML error condition that will cause the error handling sequence to get out of order, resulting in an IIS crash. According to the report, IIS will (by default) automatically restart after this occurs.

It is reported that IIS 4.0, 5.0, and 5.1 return a redirection error message that includes user-supplied HTML (without filtering). A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running IIS and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. The affected page reportedly uses the 'Response.Redirect' function.

Microsoft reports that Internet Information Services 6.0 is not affected by any of these flaws.

Microsoft credits SPI Dynamics for reporting the Redirection Cross Site Scripting and WebDAV Denial of Service vulnerabilities and NSFocus for reporting the Server Side Include Web Pages Buffer Overrun vulnerability.
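
The redirection-message flaw described above, as an added example (a simplified Python model, not IIS or Microsoft code): the first function echoes the redirect target into the response body unfiltered, the second restricts the URL scheme and HTML-encodes the target before it reaches the page. The body template, function names and sample URL are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed template modelled on a generic "Object moved" redirect page.
BODY = ('<head><title>Object moved</title></head>\n'
        '<body><h1>Object moved</h1>'
        'This object may be found <a href="{0}">here</a>.</body>')

# Constructed sample: a redirect target carrying user-supplied markup.
SAMPLE_TARGET = '/moved.asp?x="><script>x</script>'


def redirect_body_unfiltered(target: str) -> str:
    """'Before' behaviour: the user-supplied target is written into the
    HTML as-is, so markup in it becomes part of the page."""
    return BODY.format(target)


def redirect_body_filtered(target: str) -> str:
    """Hardened behaviour: reject control characters and non-web schemes,
    then HTML-encode the target for use inside a quoted attribute."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        raise ValueError("control character in redirect target")
    scheme = urlsplit(target).scheme
    if scheme not in ("", "http", "https"):
        # e.g. script-bearing schemes must never reach an href
        raise ValueError("redirect target scheme not allowed")
    return BODY.format(html.escape(target, quote=True))


if __name__ == "__main__":
    print(redirect_body_unfiltered(SAMPLE_TARGET))
    print(redirect_body_filtered(SAMPLE_TARGET))
```
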
Impact: A remote user can cause IIS to crash.

A remote user with the ability to upload files to the web server can then call the files to cause IIS to crash or to execute arbitrary code with user-level privileges.

A remote user can conduct cross-site scripting attacks to access the target user's cookies (including authentication cookies), if any, associated with the site running IIS, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution: Microsoft has released the following patches:

IIS 4.0:
http://microsoft.com/downloads/details.aspx?FamilyId=1DBC1914-98E9-4DED-ADBF-E9B374A1F79D&displaylang=en

IIS 5.0:
http://microsoft.com/downloads/details.aspx?FamilyId=2F5D9852-4ADD-44F8-8715-AC3D7D7D94BF&displaylang=en

IIS 5.1:
32-bit Edition:
http://microsoft.com/downloads/details.aspx?FamilyId=77CFE3EF-C5C5-401C-BC12-9F08154A5007&displaylang=en
64-bit Edition:
http://microsoft.com/downloads/details.aspx?FamilyId=86F4407E-B9BF-4490-9421-008407578D11&displaylang=en

The IIS 4.0 patch can be installed on Windows NT 4.0 SP6a. The IIS 5.0 patch can be installed on Windows 2000 SP2 or SP3. The IIS 5.1 patch can be installed on Windows XP Professional Gold or SP1.

Microsoft plans to include the IIS 5.0 fixes in Windows 2000 SP4 and the IIS 5.1 fixes in Windows XP SP2.

A reboot may or may not be needed, depending on the version number you are using and on other factors [see the Microsoft bulletin for clarification].

This patch supersedes MS02-062, MS02-028, and MS02-018. Note that MS02-018 is itself a cumulative patch that supersedes additional patches not listed here.

This patch reportedly requires the patch addressed in Microsoft Security Bulletin MS02-050. If you have not installed MS02-050, IIS will reportedly reject client-side certificates.

There is a very long list of additional caveats associated with patch MS03-018. For example, some IIS 4.0 vulnerability fixes are not included. Also, some vulnerabilities in IIS-related products (e.g., FrontPage, Index Server) are not fixed by this patch. Please be sure to read the Microsoft advisory:
http://www.microsoft.com/technet/security/bulletin/MS03-018.asp

Microsoft has issued Knowledge Base article 811114 regarding this issue, available at:
http://support.microsoft.com/?id=811114

Vendor URL: www.microsoft.com/technet/security/bulletin/MS03-018.asp
Cause: Boundary error, Exception handling error, Input validation error, State error
Underlying OS: Windows (NT), Windows (2000), Windows (XP)
Underlying OS Comments: Windows NT 4.0, 2000, XP

Message History: None.

Source Message Contents

Date: Wed, 28 May 2003 15:10:58 -0400
Subject: MS03-018
www.microsoft.com/technet/security/bulletin/MS03-018.asp
MS03-018
Windows NT 4.0, 2000, XP
4.0, 5.0, 5.1
Cumulative Patch for Internet Information Service (811114)
Maximum Severity Rating: Important
Microsoft Internet Information Server Buffer Overflow and Memory Flaw Let Remote Users
With Upload Privileges Execute Code or Consume Excessive Memory
Several vulnerabilities were reported in Microsoft Internet Information Server (IIS). A
remote user with upload privileges can execute arbitrary code on the target system or
cause denial of service conditions. A remote user can also conduct cross-site scripting
attacks.
It is reported that IIS 5.0 does not properly validate requests for Server Side Includes
(SSI) web pages. A remote user with the ability to upload SSI pages to the target server
can then call the page to trigger a buffer overflow and execute arbitrary code on the
server. The code will reportedly run with user-level permissions.
It is also reported that a remote user with the ability to upload an ASP page to the
target server can then call the page to cause denial of service conditions. This is due
to the lack of memory limitations in IIS 4.0 and 5.0 when the server constructs HTML
headers to be displayed using the 'Response.AddHeader' function. A remote user can thus
cause IIS to crash due to insufficient memory.
Another denial of service flaw is reported in IIS 5.0 and 5.1 in the processing of overly
long WebDAV requests containing XML. A remote user can create a specific XML error
condition that will cause the error handling sequence to get out of order, resulting in an
IIS crash. According to the report, IIS will (by default) automatically restart after
this occurs.
It is reported that IIS 4.0, 5.0, and 5.1 return a redirection error message that includes
user-supplied HTML (without filtering). A remote user can create a specially crafted URL
that, when loaded by a target user, will cause arbitrary scripting code to be executed by
the target user's browser. The code will originate from the site running IIS and will run
in the security context of that site. As a result, the code will be able to access the
target user's cookies (including authentication cookies), if any, associated with the
site, access data recently submitted by the target user via web form to the site, or take
actions on the site acting as the target user. The affected page reportedly uses the
'Response.Redirect' function.
Microsoft reports that Internet Information Services 6.0 is not affected by any of these
flaws.
Microsoft credits SPI Dynamics for reporting the Redirection Cross Site Scripting and
WebDAV Denial of Service vulnerabilities and NSFocus for reporting the Server Side Include
Web Pages Buffer Overrun vulnerability.
Microsoft has released the following patches:
IIS 4.0:
http://microsoft.com/downloads/details.aspx?FamilyId=1DBC1914-98E9-4DED-ADBF-E9B374A1F79D&displaylang=en
IIS 5.0:
http://microsoft.com/downloads/details.aspx?FamilyId=2F5D9852-4ADD-44F8-8715-AC3D7D7D94BF&displaylang=en
IIS 5.1:
32-bit Edition:
http://microsoft.com/downloads/details.aspx?FamilyId=77CFE3EF-C5C5-401C-BC12-9F08154A5007&displaylang=en
64-bit Edition:
http://microsoft.com/downloads/details.aspx?FamilyId=86F4407E-B9BF-4490-9421-008407578D11&displaylang=en
The IIS 4.0 patch can be installed on Windows NT 4.0 SP6a. The IIS 5.0 patch can be
installed on Windows 2000 SP2 or SP3. The IIS 5.1 patch can be installed on Windows XP
Professional Gold or SP1.
Microsoft plans to include the IIS 5.0 fixes in Windows 2000 SP4 and the IIS 5.1 fixes in
Windows XP SP2.
A reboot may or may not be needed, depending on the version number you are using and on
other factors [see the Microsoft bulletin for clarification].
This patch supersedes MS02-062, MS02-028, and MS02-018. Note that MS02-018 is itself a
cumulative patch that supersedes additional patches not listed here.
This patch reportedly requires the patch addressed in Microsoft Security Bulletin
MS02-050. If you have not installed MS02-050, IIS will reportedly reject client-side
certificates.
There is a very long list of additional caveats associated with patch MS03-018. For
example, some IIS 4.0 vulnerability fixes are not included. Also, some vulnerabilities in
IIS-related products (e.g., FrontPage, Index Server) are not fixed by this patch. Please
be sure to read the Microsoft advisory:
http://www.microsoft.com/technet/security/bulletin/MS03-018.asp
Microsoft has issued Knowledge Base article 811114 regarding this issue, available at:
http://support.microsoft.com/?id=811114
Aggregate Severity of all Vulnerabilities
IIS 4.0 Moderate
IIS 5.0 Important
IIS 5.1 Important
CVE: CAN-2003-0223, CAN-2003-0224, CAN-2003-0225, CAN-2003-0226