IIS Denial of Service and Code Exposure

DESCRIPTION

Internet Information Server contains two security vulnerabilities in the ISAPI extension (ISM.DLL) that provides web-based password administration via .htr scripts files.

One vulnerability is a denial of service issue that can occur when a user provides a password change request that was missing an expected delimiter. This effectively crashes the ISAPI extension as well as degrades the overall performance of the IIS server.

In addition, the extension could allow fragments of certain files to be read by providing a malformed request that would cause the .htr processing to be applied to those files.

According to the discoverers, by building a URL with a desired file name which has 230 or more spaces appended before the .htr suffix, IIS will map the request to the ISM.DLL return the contents of the file. The attack can only be launched once though, unless the web service is stopped and restarted. If a .htr request has already been made to the machine then this attack will fail. It will only work when ISM.DLL is loaded into memory for the first time.

VENDOR RESPONSE

Microsoft has issued a patch for the problem.

Internet Information Server 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20905 - Internet Information Server 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20903

CREDITS
Discovered and reported by Cerberus Information Security