From: Anna Maurer (annam@uclink.berkeley.edu)
Date: Wed Apr 10 2002 - 10:33:46 PDT
My apologies to anyone who gets this more than once, but this patch for IIS
4.0, 5.0 and 5.1 includes protection from some seriously nasty
problems. Please bring this to the attention of anyone who maintains IIS
servers.
Anna
>Title: Cumulative Patch for Internet Information Services
> (Q319733)
>Date: 10 April 2002
>Software: Microsoft Internet Information Server 4.0,
> Microsoft Internet Information Services 5.0,
> Microsoft Internet Information Services 5.1
>Impact: Ten new vulnerabilities, the most serious of which
> could enable code of an attacker's choice to be run
> on a server.
>Max Risk: High
>Bulletin: MS02-018
>
>Microsoft encourages customers to review the Security Bulletin at:
>http://www.microsoft.com/technet/security/bulletin/MS02-018.asp.
>- ----------------------------------------------------------------------
>
>Issue:
>======
>This patch is a cumulative patch that includes the functionality of
>all security patches released for IIS 4.0 since Windows NT 4.0
>Service Pack 6a, and all security patches released to date for IIS
>5.0 and 5.1. A complete listing of the patches superseded by this
>patch is provided below, in the section titled "Additional
>information about this patch". Before applying the patch, system
>administrators should take note of the caveats discussed in the
>same section.
>
>In addition to including previously released security patches,
>this patch also includes fixes for the following newly
>discovered security vulnerabilities affecting IIS 4.0, 5.0 and/or
>5.1:
>
> - A buffer overrun vulnerability involving the operation of
> the chunked encoding transfer mechanism via Active Server
> Pages in IIS 4.0 and 5.0. An attacker who exploited this
> vulnerability could overrun heap memory on the system, with
> the result of either causing the IIS service to fail or
> allowing code to be run on the server.
> - A Microsoft-discovered vulnerability that is related to the
> preceding one, but which lies elsewhere within the ASP data
> transfer mechanism. It could be exploited in a similar manner
> as the preceding vulnerability, and would have the same scope.
> However, it affects IIS 4.0, 5.0, and 5.1.
> - A buffer overrun involving how IIS 4.0, 5.0 and 5.1 process
> HTTP header information in certain cases. IIS performs a
> safety check prior to parsing the fields in HTTP headers, to
> ensure that expected delimiter fields are present and in
> reasonable places. However, it is possible to spoof the check,
> and convince IIS that the delimiters are present even when they
> are not. This flaw could enable an attacker to create an URL
> whose HTTP header field values would overrun a buffer used to
> process them.
> - A Microsoft-discovered buffer overrun vulnerability in IIS 4.0,
> 5.0 and 5.1 that results from an error in a safety check that
> is performed during server-side includes. In some cases, a user
> request for a web page is properly processed by including the
> file into an ASP script and processing it. Prior to processing
> the include request, IIS performs an operation on the user-
> specified file name, designed to ensure that the file name is
> valid and sized appropriately to fit in a static buffer. However,
> in some cases it could be possible to provide a bogus, extremely
> long file name in a way that would pass the safety check, thereby
> resulting in a buffer overrun.
> - A buffer overrun affecting the HTR ISAPI extension in IIS 4.0
> and 5.0. By sending a series of specially malformed HTR
> requests, it could be possible to either cause the IIS service to
> fail or, under a very difficult operational scenario, to cause
> code to run on the server.
> - A denial of service vulnerability involving the way IIS 4.0,
> 5.0, and 5.1 handle an error condition from ISAPI filters.
> At least one ISAPI filter (which ships as part of FrontPage
> Server Extensions and ASP.NET), and possibly others, generate
> an error when a request is received containing an URL that
> exceeds the maximum length set by the filter. In processing
> this error, the filter replaces the URL with a null value. A
> flaw results because IIS attempts to process the URL in the course
> of sending the error message back to the requester, resulting in
> an access violation that causes the IIS service to fail.
> - A denial of service vulnerability involving the way the FTP
> service in IIS 4.0, 5.0 and 5.1 handles a request for the status
> of the current FTP session. If an attacker were able to establish
> an FTP session with an affected server, and levied a status
> request that created a particular error condition, a flaw in the
> FTP code would prevent it from correctly reporting the error.
> Other code within the FTP service would then attempt to use
> uninitialized data, with an access violation as the result. This
> would result in the disruption of not only FTP services, but also
> of web services.
> - A trio of Cross-Site Scripting (CSS) vulnerabilities affecting
> IIS 4.0, 5.0 and 5.1: one involving the results page that's
> returned when searching the IIS Help Files, one involving HTTP
> error pages; and one involving the error message that's returned
> to advise that a requested URL has been redirected. All of these
> vulnerabilities have the same scope and effect: an attacker who
> was able to lure a user into clicking a link on his web site
> could relay a request containing script to a third-party web
> site running IIS, thereby causing the third-party site's response
> (still including the script) to be sent to the user. The script
> would then render using the security settings of the third-party
> site rather than the attacker's.
>
>
>Mitigating Factors:
>====================
>Buffer overrun in Chunked Encoding transfer:
> - On default installations of IIS 5.0 and 5.1, exploiting the
> vulnerability to run code would grant the attacker the privileges
> of the IWAM_computername account, which has only the privileges
> commensurate with those of an interactively logged-on
> unprivileged user.
> - The vulnerability requires that Active Server Pages (ASP) be
> enabled on the system in order to be exploited. Version 1.0 of
> the IIS Lockdown Tool removes ASP by default, and the current
> version (version 2.1) removes it by default if Static Web Server
> has been selected.
> - The URLScan tool can be configured to prevent chunked encoding
> requests. If this has been done, the vulnerability could not be
> exploited.
>
>Microsoft-discovered variant of Chunked Encoding buffer overrun:
> - This vulnerability is subject to exactly the same mitigating
> factors as the buffer overrun in the Chunked Encoding transfer,
> with one exception. The URLScan tool could not be used to protect
> against the vulnerability.
>
>Buffer Overrun in HTTP header handling:
> - On default installations of IIS 5.0 and 5.1, exploiting the
> vulnerability to run code would grant the attacker the
> privileges of the IWAM_computername account, which has only
> the privileges commensurate with those of an interactively
> logged-on unprivileged user.
> - The vulnerability requires that Active Server Pages (ASP) be
> enabled on the system in order to be exploited. Version 1.0
> of the IIS Lockdown Tool removes ASP by default, and the
> current version (version 2.1) removes it by default if
> Static Web Server has been selected.
> - The URLScan tool's default ruleset would likely limit the
> attacker to using this vulnerability for denial of service
> attacks only.
>
>Buffer Overrun in ASP Server-Side Include Function:
> - On default installations of IIS 5.0 and 5.1, exploiting the
> vulnerability to run code would grant the attacker the privileges
> of the IWAM_computername account, which has only the privileges
> commensurate with those of an interactively logged-on user.
> - The vulnerability requires that Active Server Pages (ASP) be
> enabled on the system in order to be exploited. Version 1.0
> of the IIS Lockdown Tool removes ASP by default, and the current
> version (version 2.1) removes it by default if Static Web Server
> has been selected.
> - The URLScan tool's default ruleset would likely limit the
> attacker to using this vulnerability for denial of service
> attacks only.
>
>Buffer overrun in HTR ISAPI extension:
> - Microsoft has long recommended disabling the HTR ISAPI extension.
> Systems on which this has been done would be at no risk from the
> vulnerability. (All versions of the IIS Lockdown Tool disable HTR
> support by default).
> - The URLScan tool, if using its default ruleset, would prevent
> this vulnerability from being exploited to run code on the server
> even if HTR support was enabled.
> - The vulnerability could only be used to run code on the server if
> the attacker knew the locations of certain information in memory.
> In practice, the most likely such situation would occur if the
> web server had never served any web content since being rebooted.
> In all other cases, it would only be possible to use the
> vulnerability for denial of service attacks.
> - On default installations of IIS 5.0 and 5.1, exploiting the
> vulnerability to run code would grant the attacker the privileges
> of the IWAM_computername account, which has only the privileges
> commensurate with those of an interactively logged-on user.
> - If the vulnerability were used in a denial of service attack,
> normal operation could be restored on an IIS 4.0 server by
> restarting the IIS service; on IIS 5.0 and higher, the service
> would automatically restart itself.
>
>Access violation in URL error handling:
> - An IIS 4.0 server could be put back into normal operation by
> restarting the service. An IIS 5.0 or 5.1 server would
> automatically restart the service.
> - The vulnerability could only be used for denial of service
> attacks. There is no capability to use the vulnerability to gain
> privileges on the system.
> - The sole ISAPI filter known to generate the error that results in
> the access violation ships only as part of FrontPage Server
> Extensions and ASP.NET. ASP.NET is not installed by default, and
> FPSE can be uninstalled if desired.
>
>Denial of service via FTP Status request:
> - The IIS Lockdown Tool disables FTP support by default.
> - An IIS 4.0 server could be put back into normal operation by
> restarting the service. An IIS 5.0 or 5.1 server would
> automatically restart the service.
> - The vulnerability could only be used for denial of service
> attacks. There is no capability to use the vulnerability to gain
> privileges on the system.
>
>Cross-site Scripting in IIS Help File search facility, HTTP Error
>Page, and Redirect Response message:
> - The vulnerabilities could only be exploited if the attacker could
> entice another user into visiting a web page and clicking a link
> on it, or opening an HTML mail.
> - The Redirect Response vulnerability could only be exploited if
> the user was running a browser other than Internet Explorer. IE
> does not actually render the text in the Redirect Response, but
> instead recognizes it by its response header and processes the
> redirect without displaying any text.
>
>
>Risk Rating:
>============
> - Internet systems: Critical
> - Intranet systems: Critical
> - Client systems: Critical
>
>Patch Availability:
>===================
> - A patch is available to fix this vulnerability. Please read the
> Security Bulletin at
> http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
> for information on obtaining this patch.
>
>Acknowledgment:
>===============
> - eEye Digital Security (http://www.eeye.com) for reporting the
> buffer overrun in the ASP chunked encoding implementation.
> - Entrust Technologies (http://www.entrust.com) for reporting the
> buffer overrun affecting the HTTP header handling.
> - Chris Wysopal of @Stake (http://www.atstake.com) and Peter
> Grundl of KPMG for reporting the buffer overrun in the HTR
> ISAPI extension and the access violation in URL error handling.
> - Joe Smith (jsm1th@hotmail.com) and zenomorph
> (admin@cgisecurity.com) of http://www.cgisecurity.com for
> reporting the cross-site scripting vulnerability in the IIS
> Help File search facility.
> - Keigo Yamazaki of the LAC SNS Team
> (http://www.lac.co.jp/security/) for reporting the
> cross-site scripting vulnerability affecting redirect
> response messages.
> - Thor Larholm of Jubii A/S for reporting the cross-site scripting
> vulnerability affecting HTTP error pages.
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP 7.1
>
>iQEVAwUBPLRXuI0ZSRQxA/UrAQG3dQf9GE27PI6eKNBbz4NCEF0nj6GaU3HgS6yW
>jUVBNpZx25hGhUGsFHoiYnmck+UH0SoU0hZwM2v4WdklJGwZv9a4GwGdC8c2fBtU
>hCPrw32T17+kz3vXFcOyWjAIPMc/qxbeGtcHyRREVsOXkrvSiD3MseHb7BZr3dLZ
>qXm/k4s2iJ+e4mWVbfwVjrFx0GhZN0tNqPDDfqET61c/Ic/I2pJKKbeuvWB/l2YL
>EvSCKCaAgkgn9dtKjSbzu3quVSwFWr5c5mTGwT9OcIRZUpPPoBob/FVHvDkWAa1B
>dnpHrBtN716FoieZpS6qQy4Xigk9Pe7M6EzcNsOHPmaW6iy9o4yOVg==
>=+jo3
>-----END PGP SIGNATURE-----
>
>
>*******************************************************************
>
>You have received this e-mail bulletin as a result of your subscription to
>the Microsoft Product Security Notification Service. For more
>information on this service, please visit
>http://www.microsoft.com/technet/security/notify.asp.
>
>To verify the digital signature on this bulletin, please download our PGP
>key at http://www.microsoft.com/technet/security/notify.asp.
>
>To cancel your subscription, click on the following link
>mailto:1_29011_594050BC-1983-D211-BF73-00805FE2A3B6_US@Newsletters.Microsoft.com?subject=UNSUBSCRIBE
>to create an unsubscribe e-mail.
>
>To stop all e-mail newsletters from microsoft.com, click on the following
>link
>mailto:2_29011_594050BC-1983-D211-BF73-00805FE2A3B6_US@Newsletters.Microsoft.com?subject=STOPMAIL
>to create an unsubscribe e-mail. You can manage all your Microsoft.com
>communication preferences from http://www.microsoft.com/misc/unsubscribe.htm
>
>For security-related information about Microsoft products, please visit
>the Microsoft Security Advisor web site at http://www.microsoft.com/security.
**************************
Anna Maurer
Web Developer
UC Berkeley
Athletics and Rec Sports
2301 Bancroft Way #4420
Berkeley, CA 94720-4420
-----------------------------------------------------------------------
The following was automatically added to this message by the list server:
Webnet information is available at <URL:http://webnet.berkeley.edu/>.
This archive was generated by hypermail 2b29 : Wed Apr 10 2002 - 10:35:29 PDT
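The bulletin above describes two chunked-encoding overruns and notes that URLScan can be configured to refuse chunked requests. The following is an added example, not code from the bulletin, from IIS, or from URLScan: a strict HTTP/1.1 chunked-body decoder that bounds every client-supplied chunk size before copying, and a small request screen that mirrors the "refuse chunked requests" mitigation. The limits MAX_CHUNK and MAX_BODY, the function names, and the sample requests are assumptions constructed for this example.

```python
"""Strict chunked-transfer decoding plus a URLScan-style request screen.

Example code added to this archive page; it is not Microsoft's, IIS's or
URLScan's implementation. The bulletin does not describe the exact logic of
the IIS bug, so the decoder below only illustrates the bug class: a
client-chosen chunk size must be checked against the destination's remaining
capacity *before* any bytes are copied.
"""
import re
from typing import Dict, Optional

MAX_CHUNK = 64 * 1024   # assumed per-chunk limit (not an IIS value)
MAX_BODY = 256 * 1024   # assumed total decoded-body limit (not an IIS value)

# chunk-size line: 1-8 hex digits, optional ;extensions, then CRLF.
# No '^' anchor: Pattern.match(data, pos) already anchors at pos.
_CHUNK_SIZE_RE = re.compile(rb"([0-9A-Fa-f]{1,8})(?:;[^\r\n]*)?\r\n")


class ChunkedError(ValueError):
    """Raised for any malformed or over-limit chunked body."""


def decode_chunked(data: bytes, max_chunk: int = MAX_CHUNK,
                   max_body: int = MAX_BODY) -> bytes:
    """Decode a chunked message body, enforcing limits before each copy."""
    out = bytearray()
    pos = 0
    while True:
        m = _CHUNK_SIZE_RE.match(data, pos)
        if not m:
            raise ChunkedError("malformed chunk-size line")
        size = int(m.group(1), 16)
        pos = m.end()
        # Both checks happen before any chunk data is touched. Omitting the
        # capacity check while writing into a fixed native buffer is the
        # heap/stack overrun class the bulletin describes.
        if size > max_chunk:
            raise ChunkedError(f"chunk size {size} exceeds limit {max_chunk}")
        if len(out) + size > max_body:
            raise ChunkedError("decoded body would exceed limit")
        if size == 0:
            # last-chunk: either a bare CRLF or trailer lines ending in CRLFCRLF
            rest = data[pos:]
            if rest != b"\r\n" and not rest.endswith(b"\r\n\r\n"):
                raise ChunkedError("missing terminator after last chunk")
            return bytes(out)
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("chunk body truncated or missing CRLF")
        out += chunk
        pos += size + 2


def screen_request(headers: Dict[str, str],
                   allow_chunked: bool = False) -> Optional[str]:
    """Return a rejection reason, or None if the request may proceed.

    Mirrors the bulletin's mitigation: a server that does not need chunked
    request bodies refuses them at the front door, so the decoder above (or
    a vulnerable native one) is never reached.  Header names are matched
    case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    te = lowered.get("transfer-encoding", "").lower()
    if "chunked" in te and not allow_chunked:
        return "chunked transfer-encoding is not permitted by policy"
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    good = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
    print(decode_chunked(good))
    try:
        decode_chunked(b"FFFFFFFF\r\n" + b"A" * 16, max_chunk=1024)
    except ChunkedError as e:
        print("rejected:", e)
    print(screen_request({"Transfer-Encoding": "chunked"}))
```

In deployments that follow the bulletin's advice, `screen_request` is the operative control and the decoder never sees hostile input; the decoder is there to show what a correct parser has to check if chunked bodies are required.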
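The three cross-site scripting items in the bulletin share one root cause: a request value (a search string, a requested URL, a redirect target) is reflected into an HTML response unescaped. As an added example, not code from the bulletin or from IIS, the functions below render a 404 page and a redirect response the unsafe way and the escaped way, and also refuse CR/LF in the redirect target so the Location header cannot be split. The page layouts and function names are assumptions for this example.

```python
"""Reflecting request data into error and redirect pages without XSS.

Example code added to this archive page; it is not IIS's own error-page or
redirect code. The vulnerable variant is kept only to contrast its output.
"""
import html
from urllib.parse import quote


def not_found_page_unsafe(requested_path: str) -> str:
    """The bug class: the requested URL is dropped straight into HTML."""
    return ("<html><body><h1>404 Not Found</h1>"
            f"<p>The requested URL {requested_path} was not found.</p>"
            "</body></html>")


def not_found_page(requested_path: str) -> str:
    """Hardened: HTML-escape the reflected value, including quotes, so any
    script in the URL is rendered as text under the site's origin."""
    shown = html.escape(requested_path, quote=True)
    return ("<html><body><h1>404 Not Found</h1>"
            f"<p>The requested URL {shown} was not found.</p>"
            "</body></html>")


def redirect_response(location: str) -> str:
    """Build a 302 whose body is safe even for browsers that, unlike the IE
    of the bulletin, render the redirect text instead of following only the
    header.  The header value is also protected against CR/LF injection."""
    if any(c in location for c in "\r\n\x00"):
        raise ValueError("control characters in redirect target")
    # Percent-encode everything outside the URL character set so the header
    # carries only URL-legal bytes; the body then escapes it for HTML too.
    loc = quote(location, safe="/:?#[]@!$&'()*+,;=%-._~")
    body = ("<html><head><title>Object moved</title></head><body>"
            f'<h2>Object moved to <a href="{html.escape(loc, quote=True)}">'
            "here</a>.</h2></body></html>")
    return ("HTTP/1.1 302 Object moved\r\n"
            f"Location: {loc}\r\n"
            "Content-Type: text/html\r\n"
            f"Content-Length: {len(body)}\r\n\r\n" + body)


if __name__ == "__main__":
    # Constructed probe, the classic reflected-script test string.
    probe = '/x"><script>alert(1)</script>'
    print(not_found_page_unsafe(probe))   # script tag survives verbatim
    print(not_found_page(probe))          # script tag rendered inert
    print(redirect_response(probe))
```

The same escaping rule applies to the help-file search results page the bulletin mentions: whatever the user typed is output-encoded for the context it lands in (HTML body here; attribute or URL contexts need their own encoders).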