Reported May 28, 2003, by Microsoft.
VERSIONS AFFECTED
Microsoft Internet Information Services (IIS) 5.1 and 5.0
Microsoft Internet Information Server (IIS) 4.0
DESCRIPTION
Four new vulnerabilities exist in IIS 5.1, 5.0, and 4.0, the most serious of which can result in the execution of arbitrary code on the vulnerable system. These four new vulnerabilities consist of the following:
A Cross-Site Scripting (CSS) vulnerability affecting IIS 5.1, 5.0, and 4.0 involves an error message about the redirection of a requested URL. By getting a user to click a link on a Web site, an attacker can relay a request containing script to a third-party Web site running IIS, thereby causing the third-party site's response (still including the script) to be sent to the user. The script would then render using the security settings of the third-party site (rather than the attacker's site).
A buffer overrun results from IIS 5.0's incorrect validation of requests for certain types of Web pages, known as server-side includes. An attacker would need to be able to upload a server-side include page to a vulnerable IIS server. If the attacker then requested this page, a buffer overrun could permit the attacker to execute code of his or her choice on the server with user-level permissions.
A Denial of Service (DoS) vulnerability results from a flaw in the way IIS 5.0 and 4.0 allocate memory requests when constructing headers to be returned to a Web client. An attacker would need to be able to upload an ASP page to a vulnerable IIS server. This ASP page, when called by the attacker, would attempt to return an extremely large header to the calling Web client. Because IIS doesn't limit the amount of memory that can be used in this case, this scenario could cause IIS to fail as a result of running out of local memory.
A DoS vulnerability results from IIS 5.1 and 5.0 incorrectly handling an error condition when an overly long WebDAV request is passed to them. As a result, an attacker could cause IIS to fail. However, by default, both IIS 5.1 and 5.0 restart immediately after this failure.
VENDOR RESPONSE
Microsoft has released Security Bulletin MS03-018, "Cumulative Patch for Internet Information Service (811114)," to address these vulnerabilities and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin.
CREDIT
Discovered by SPIDynamics SPI Labs and NSFocus.
Multiple Vulnerabilities in Microsoft IIS