-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2002.601 -- Microsoft Security Bulletin MS02-062
       Cumulative Patch for Internet Information Service (Q327696)
                            01 November 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Internet Information Service (IIS) 4.0
                        Internet Information Service (IIS) 5.0
                        Internet Information Service (IIS) 5.1
Vendor:                 Microsoft
Operating System:       Windows
Impact:                 Increased Privileges
                        Denial of Service
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - ----------------------------------------------------------------------
Title:      Cumulative Patch for Internet Information Service (Q327696)
Date:       30 October 2002
Software:   Internet Information Service
Impact:     Four vulnerabilities, the most serious of which could enable
            applications on a server to gain system-level privileges.
Max Risk:   Moderate
Bulletin:   MS02-062

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-062.asp.
- - ----------------------------------------------------------------------

Issue:
======
This patch is a cumulative patch that includes the functionality of all
security patches released for IIS 4.0 since Windows NT 4.0 Service Pack
6a, and all security patches released to date for IIS 5.0 and 5.1. A
complete listing of the patches superseded by this patch is provided in
the full Security Bulletin, in the section titled "Additional information
about this patch". Before applying the patch, system administrators
should take note of the caveats discussed in the same section.
In addition to including previously released security patches, this
patch also includes fixes for the following newly discovered security
vulnerabilities affecting IIS 4.0, 5.0 and/or 5.1:

 - A privilege elevation vulnerability affecting the way ISAPIs are
   launched when an IIS 4.0, 5.0 or 5.1 server is configured to run them
   out of process. By design, the hosting process (dllhost.exe) should
   run only in the security context of the IWAM_computername account;
   however, it can actually be made to acquire LocalSystem privileges
   under certain circumstances, thereby enabling an ISAPI to do likewise.

 - A denial of service vulnerability that results because of a flaw in
   the way IIS 5.0 and 5.1 allocate memory for WebDAV requests. If a
   WebDAV request were malformed in a particular way, IIS would allocate
   an extremely large amount of memory on the server. By sending several
   such requests, an attacker could cause the server to fail.

 - A vulnerability involving the operation of the script source access
   permission in IIS 5.0. This permission operates in addition to the
   normal read/write permissions for a virtual directory, and regulates
   whether scripts, .ASP files and executable file types can be uploaded
   to a write-enabled virtual directory. A typographical error in the
   table that defines the file types subject to this permission has the
   effect of omitting .COM files from the list of files subject to the
   permission. As a result, a user would need only write access to
   upload such a file.

 - A pair of Cross-Site Scripting (CSS) vulnerabilities affecting IIS
   4.0, 5.0 and 5.1, and involving administrative web pages. Each of
   these vulnerabilities has the same scope and effect: an attacker who
   was able to lure a user into clicking a link on his web site could
   relay a request containing script to a third-party web site running
   IIS, thereby causing the third-party site's response (still including
   the script) to be sent to the user.
   The script would then render using the security settings of the
   third-party site rather than the attacker's.

In addition, the patch causes IIS 5.0 and 5.1 to change how frequently
the socket backlog list - which, when all connections on a server are
allocated, holds the list of pending connection requests - is purged.
The patch changes IIS to purge the list more frequently in order to make
it more resilient to flooding attacks. The backlog monitoring feature is
not present in IIS 4.0.

Mitigating Factors:
===================

Out of Process Privilege Elevation:
 - This vulnerability could only be exploited by an attacker who already
   had the ability to load and execute applications on an affected web
   server. Normal security practices recommend that untrusted users not
   be allowed to load applications onto a server, and that even trusted
   users' applications be scrutinized before allowing them to be loaded.

WebDAV Denial of Service:
 - The vulnerability does not affect IIS 4.0, as WebDAV is not supported
   in this version of IIS.
 - The vulnerability could only be exploited if the server allowed WebDAV
   requests to be levied on it. The IIS Lockdown Tool
   (http://www.microsoft.com/technet/security/tools/tools/locktool.asp),
   if deployed in its default configuration, disables such requests.

Script Source Access Vulnerability:
 - The vulnerability could only be exploited if the administrator had
   granted all users write and execute permissions to one or more
   virtual directories on the server. Default configurations of IIS
   would be at no risk from this vulnerability.
 - The vulnerability does not affect IIS 4.0, as WebDAV is not supported
   in this version of IIS.
 - The vulnerability could only be exploited if the server allowed WebDAV
   requests to be levied on it. The IIS Lockdown Tool, if deployed in
   its default configuration, disables such requests.
Cross-site Scripting in IIS Administrative Pages:
 - The vulnerabilities could only be exploited if the attacker could
   entice another user into visiting a web page and clicking a link on
   it, or opening an HTML mail.
 - By default, the pages containing the vulnerability are restricted to
   the local IP address. As a result, the vulnerability could only be
   exploited if the client itself were running IIS.

Aggregate Risk Rating:
======================
 - Internet systems: Moderate
 - Intranet systems: Moderate
 - Client systems:   Low

Patch Availability:
===================
 - A patch is available to fix these vulnerabilities. Please read the
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-062.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Li0n of A3 Security Consulting Co., Ltd. (http://www.a3sc.co.kr) for
   reporting the out of process privilege elevation vulnerability.
 - Mark Litchfield of Next Generation Security Software Ltd.
   (http://www.nextgenss.com) for reporting the WebDAV denial of service
   vulnerability.
 - Luciano Martins of Deloitte & Touche Argentina
   (http://www.deloitte.com.ar) for recommending the change in the
   socket backlog list purge rate.

- - ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT
CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER
INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS
PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT
APPLY.
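The WebDAV mitigating factors above turn on one question an administrator
can answer before patching: does the server still accept WebDAV requests,
or has the IIS Lockdown Tool (or a manual change) switched them off? The
script below is an added example, not code from Microsoft or AusCERT. It
builds an HTTP OPTIONS request, parses the response, and decides from the
"DAV:" compliance header and the method lists in Allow/Public whether
WebDAV is being served. The three sample responses are constructed for
this example; the probe() helper, the host name in the usage line, and the
assumption that URLScan answers a rejected OPTIONS with a 404 are
illustrative rather than taken from the bulletin.

```python
"""Decide from an HTTP OPTIONS response whether an IIS 5.x host still serves WebDAV.

Added example for the WebDAV mitigating factors in MS02-062 / ESB-2002.601; it is
not Microsoft or AusCERT code. The sample responses below are constructed for this
example, not captured from a real server.
"""
from __future__ import annotations

import socket

# WebDAV verbs that IIS 5.0/5.1 advertises in Allow/Public when WebDAV is on.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}


def build_options_request(host: str, path: str = "/") -> bytes:
    """HTTP/1.1 OPTIONS request asking the server which methods it accepts."""
    return f"OPTIONS {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")


def parse_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Return (status code, headers); names lower-cased, repeated headers joined with ', '."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def advertised_methods(headers: dict[str, str]) -> set[str]:
    """Methods listed in the Allow and Public headers, upper-cased."""
    listed = headers.get("allow", "") + "," + headers.get("public", "")
    return {m.strip().upper() for m in listed.split(",") if m.strip()}


def webdav_exposed(raw: bytes) -> bool:
    """True if the OPTIONS response shows WebDAV being served.

    IIS 5.x announces WebDAV with a "DAV:" compliance header and lists the DAV
    verbs in Allow/Public; a host with WebDAV disabled (e.g. by the IIS Lockdown
    Tool) does neither. A non-200 answer (assumed here: URLScan rejecting OPTIONS
    with a 404) advertises nothing and is reported as not exposed.
    """
    status, headers = parse_response(raw)
    if status != 200:
        return False
    return "dav" in headers or bool(advertised_methods(headers) & WEBDAV_METHODS)


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> bytes:
    """Send the OPTIONS request to a live host and return the raw response bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host, path))
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed sample: an IIS 5.0 host with WebDAV in its default, enabled state.
IIS5_DEFAULT = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"MS-Author-Via: DAV\r\n"
    b"DAV: 1, 2\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    b"PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed sample: the same host after WebDAV was disabled; no DAV header,
# no DAV verbs in Allow.
IIS5_WEBDAV_OFF = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed sample (assumed behaviour): URLScan rejecting the OPTIONS verb with a 404.
IIS5_URLSCAN_404 = b"HTTP/1.1 404 Object Not Found\r\nServer: Microsoft-IIS/5.0\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # live check: python webdav_check.py <host>
        print("WebDAV exposed:", webdav_exposed(probe(sys.argv[1])))
    for label, sample in (("default", IIS5_DEFAULT), ("webdav off", IIS5_WEBDAV_OFF), ("urlscan", IIS5_URLSCAN_404)):
        print(f"{label}: exposed={webdav_exposed(sample)}")
```

A 404 to OPTIONS only proves that OPTIONS was refused; if a filter rejects
verbs individually, send a PROPFIND to the same path as well and treat a
207 Multi-Status as confirmation that WebDAV is reachable. Either way the
check is a mitigation test, not a substitute for applying Q327696.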
- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPcA8dY0ZSRQxA/UrAQEvXggAjQWxW2TenrmT2UjlUQEfdWjVn1lBgqxI
iR1eoLWfx2LiJjhRU0LvQ0cGcwe/4EbSfv6AjpMue7PUch7W4O01mnLgjzgRhr/p
E4CYsGMpHq32oy1k6O1EElejmjpC5hC+7VTud1WOzLuxdnnKa8LcXpTcNtuLY5X8
f+0ClRuWIzC9gT4SOjdA0yUb0fRZwTEZRIQFRNbNmBDA0LfqpLOKagRGSbzSI4M1
h+n2KZv87BJdGvfAHWfn/a/s/r4bZr9gjXQzwFKp76jKUfmEw8otnC0XY5BFfzlL
Iu36V0Jo/oCe2FdVmsmh3qYdrdIS4Q/c/07kI8+KSLih6gpRYMisng==
=41ML
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to use any or all of this
information is the responsibility of each user or organisation, and
should be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPcJmOih9+71yA2DNAQGiWgP9GUbkdSp6mX+78CpzpeLx1osZ0Om63An4
TYVBEuSWcwa5DcXpZ+9Y7GbEF5MulDOiLv/gH/5T7L7si+VklpavtEumv4Pdq34l
SCbMoiikCIbNh1EvOqV8KE9aPlscuDyqsFBFuFAdDTnU3jZ89UAZmc4/vsOTdRr7
mCwIL6tkVB0=
=bThd
-----END PGP SIGNATURE-----