Multiple Vulnerabilities in Microsoft IIS

Reported May 28, 2003, by Microsoft.

 

 

VERSIONS AFFECTED

 

  • Microsoft Internet Information Services (IIS) 5.1 and 5.0

  • Microsoft Internet Information Server (IIS) 4.0

 

DESCRIPTION

 

Four new vulnerabilities exist in IIS 5.1, 5.0, and 4.0, the most serious of which can result in the execution of arbitrary code on the vulnerable system. These four new vulnerabilities consist of the following:

  • A Cross-Site Scripting (CSS) vulnerability affecting IIS 5.1, 5.0, and 4.0 involves an error message about the redirection of a requested URL. By getting a user to click a link on a Web site, an attacker can relay a request containing script to a third-party Web site running IIS, thereby causing the third-party site's response (still including the script) to be sent to the user. The script would then render under the security settings of the third-party site rather than those of the attacker's site.

  • A buffer overrun results from IIS 5.0's incorrect validation of requests for certain types of Web pages, known as server-side includes. An attacker would need to be able to upload a server-side include page to a vulnerable IIS server. If the attacker then requested this page, a buffer overrun could permit the attacker to execute code of his or her choice on the server with user-level permissions.

  • A Denial of Service (DoS) vulnerability results from a flaw in the way IIS 5.0 and 4.0 allocate memory requests when constructing headers to be returned to a Web client. An attacker would need to be able to upload an ASP page to a vulnerable IIS server. This ASP page, when called by the attacker, would attempt to return an extremely large header to the calling Web client. Because IIS doesn't limit the amount of memory that can be used in this case, this scenario could cause IIS to fail as a result of running out of local memory.

  • A DoS vulnerability results from IIS 5.1 and 5.0 incorrectly handling an error condition when an overly long WebDAV request is passed to them. As a result, an attacker could cause IIS to fail. However, by default, both IIS 5.1 and 5.0 restart immediately after this failure.
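
The cross-site scripting item above comes down to a redirection error page that echoes the requested URL without encoding it. The sketch below is an added example, not IIS code or anything from Microsoft's bulletin: it puts a hypothetical error-page builder that copies the URL unchanged beside a hardened one that encodes it for each output context. The page template, function names and sample URL are all constructed for illustration.

```python
import html
from urllib.parse import quote

# Constructed request target carrying script (sample input, not taken from the advisory).
SAMPLE_TARGET = '/docs"><script>alert(document.domain)</script>'

# Hypothetical redirection error page; the real IIS page text is not reproduced here.
PAGE = ('<html><head><title>Object Moved</title></head><body>'
        '<h1>Object Moved</h1>'
        '<p>{shown} has moved <a href="{href}">here</a>.</p>'
        '</body></html>')


def redirect_error_unsafe(target: str) -> str:
    """'Before' form: the requested URL is copied into the page unchanged."""
    return PAGE.format(shown=target, href=target)


def redirect_error_safe(target: str) -> str:
    """Hardened form: encode the URL for each context it is written into."""
    # Element text: HTML-escape so markup characters display as text.
    shown = html.escape(target, quote=True)
    # href attribute: percent-encode characters that are not valid in a URL,
    # then HTML-escape the result ('%' stays so existing escapes survive).
    href = html.escape(quote(target, safe="/:?&=%#-._~"), quote=True)
    return PAGE.format(shown=shown, href=href)


def has_live_script(page: str) -> bool:
    """True if the page contains an unescaped <script> start tag."""
    return "<script" in page.lower()


if __name__ == "__main__":
    for build in (redirect_error_unsafe, redirect_error_safe):
        print(build.__name__, "live script:", has_live_script(build(SAMPLE_TARGET)))
```

The same check can be pointed at any custom error or redirect page on a site: if a request value reaches the response body without context-appropriate encoding, the page has this class of flaw regardless of the server's patch level.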

 

 

VENDOR RESPONSE

 

Microsoft has released Security Bulletin MS03-018, "Cumulative Patch for Internet Information Service (811114)," to address these vulnerabilities and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin.

 

CREDIT

Discovered by SPIDynamics SPI Labs and NSFocus.
