exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Atstake Security Advisory 02-04-10.1

Atstake Security Advisory 02-04-10.1
Posted Apr 11, 2002
Authored by Atstake, Dave Aitel | Site atstake.com

Atstake Security Advisory A041002 - IIS for Windows NT 4.0 and 2000 contains a heap overflow in .htr files which results in remote code execution in the IUSR_machine security context. This vulnerability has been verified on IIS 4.0 and 5.0 with SP2 and the latest security patches as of April 1, 2002.

tags | remote, overflow, code execution
systems | windows
SHA-256 | d3c9eff0c4dcc24c4baf63a87290f4596e2768d47502b4211ec6c148b401ddca

Atstake Security Advisory 02-04-10.1

Change Mirror Download
         
@stake, Inc.
www.atstake.com
Security Advisory


Advisory Name: .htr heap overflow in IIS 4.0 and 5.0
Release Date: 04/10/2002
Application: Microsoft Internet Information Server 4.0/5.0
Platform: Microsoft Windows NT 4.0, Windows 2000
Severity: A remote user can execute arbitrary machine code
on the vulnerable server.
Author: Dave Aitel (daitel@atstake.com)
Vendor Status: Vendor has bulletin and patch, see below
CVE Candidate: CAN-2002-0071
Reference: www.atstake.com/research/advisories/2002/a041002-1.txt


Overview:

Microsoft's Internet Information Server (IIS) is a web server that
is part of the Windows NT 4.0 and Windows 2000 server operating
system.

In the default IIS installation, .htr functionality is enabled. .htr
files are used only for for web-based password resets. There exists
a heap overflow in the server component that is used to handle
requests to .htr files.

As with most heap overflows, this heap overflow can be used to execute
arbitrary machine code. In the default installation, this results in
remote execution in the IUSR_machine security context.

This vulnerability has been verified on IIS 4.0 and 5.0 with SP2 and
the latest security patches as of April 1, 2002.


Description:

IIS supports many different file types, such as .htr, that require
server side processing. When IIS recieves a request for a file with the
.htr extension, the request is handled by a ISAPI extension, ISM.DLL.

When a file request is recieved by IIS it checks the script mappings to
check if the extension on the file in the request matches an extension
in the script mappings. If it does it passes the request on to an
ISAPI extension for further processing. .htr files do not actually need
to be present on the system for the request to be handled by ISM.DLL.

Script mappings are configured with the IIS administrative interface.
.htr files are mapped to the ISM.DLL by default so a default IIS 4.0 or
5.0 installation is vulnerable. A recommended security practices is
to unmap all script mappings that are not being used. This is
documented in Microsoft's IIS Security Checklist:

IIS 4.0
http://www.microsoft.com/technet/security/tools/chklist/iischk.asp

IIS 5.0
http://www.microsoft.com/technet/security/tools/chklist/iis5chk.asp

This follows the security best practice of attack surface reduction.
In general this is accomplished by disabling all functionality that is
not required to accomplish the specific tasks for which a product is
being used.

Once the request is passed on to the ISM.DLL ISAPI filter, a specific
request causes a heap overflow to occur during processing. This
heap overflow, as with most heap overflows, is exploitable to run
arbitrary code on the machine in the user context that ISM.DLL is
running. By default this user context is IWAM_computername.

The IUSR_computername user context does not allow administrative
access so the machine cannot be completely compromised by this
vulnerability alone. Remote attackers can execute arbitrary code which
does allow for the creation of a network worm or the execution of a
remote control program. The risk to machines that have not been
patched or reconfigured is very high.


Vendor Response:

The vendor has issued a bulletin on this issue:

http://www.microsoft.com/technet/security/bulletin/MS02-018.asp

The vendor has issued patches for this issue:

Microsoft IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37931

Microsoft IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37824



Recommendations:

Apply the vendor patches.

You can check to see if you are potentially vulnerable by searching for
ISM.DLL. Be aware that IIS is installed as part of other Microsoft
products. Run the IIS administrative program and check script mappings.
Disable .htr functionality by unmapping the .htr extention except for
the
rare case that you are using the web-based password reset feature of
IIS.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

.htr IIS Server vulnerability: CAN-2002-0071


Reporter Disclosure Policy:

This advisory is being issued in accordance with the Responsible
Vulnerability Disclosure Process available at:

http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosu
re-00.txt


For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2002 @stake, Inc. All rights reserved.

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close