KPMG-2002009: Microsoft IIS W3SVC Denial of Service

From: Peter Gründl (pgrundlat_private)
Date: Thu Apr 11 2002 - 02:30:54 PDT


    --------------------------------------------------------------------
    
                -=>Microsoft IIS W3SVC Denial of Service<=-
                          courtesy of KPMG Denmark
    
    BUG-ID: 2002009
    CVE: CAN-2002-0072
    Released: 11th Apr 2002
    --------------------------------------------------------------------
    Problem:
    ========
    A flaw in internal object interaction could allow a malicious user
    to bring down Internet Information Server 4.0, 5.0 and 5.1.
    
    
    Vulnerable:
    ===========
    - Microsoft Internet Information Server 4.0 with FP2002
    - Microsoft Internet Information Server 5.0 with FP2002
    - Microsoft Internet Information Server 5.1 with FP2002
    
    Details:
    ========
    This vulnerability was discovered by Dave Aitel from @stake and by
    Peter Gründl from KPMG. The discoveries were made independently,
    and both reported the same two vulnerabilities to the same vendor
    at around the same time.
    
    FrontPage contains URL parsers for dynamic components (shtml.exe/dll).
    If a malicious user issues a request for /_vti_bin/shtml.exe where
    the URL for the dynamic contents is replaced with a long URL, the
    submodule will filter out the URL and return a null value to the
    web service URL parser. An example string would be 35K of ASCII 300.
    This will cause an access violation, and Inetinfo.exe will be shut
    down. Due to the nature of the crash, we do not feel that it is
    exploitable beyond the point of a Denial of Service.
    
    Although servers are supposed to restart the service with "iisreset",
    this only works a few times (if at all), and the service then stays
    down until an admin manually restarts it or reboots the server.
    
    
    Vendor URL:
    ===========
    You can visit the vendor's web page here: http://www.microsoft.com
    
    
    Vendor response:
    ================
    The vendor was contacted on the 4th of February, 2002. On the 9th
    of April we received a private hotfix, which corrected the issue.
    On the 10th of April, the vendor released a public bulletin.
    
    
    Corrective action:
    ==================
    The vendor has released a patched w3svc.dll, which is included in
    the security rollup package MS02-018, available here:
    http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
    
    
    Author: Peter Gründl (pgrundlat_private)
    
    --------------------------------------------------------------------
    KPMG is not responsible for the misuse of the information we provide
    through our security advisories. These advisories are a service to
    the professional security community. In no event shall KPMG be
    liable for any consequences whatsoever arising out of or in connection
    with the use or spread of this information.
    --------------------------------------------------------------------
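
A log check for the request pattern described under Details, added here as an example and not part of the KPMG advisory or any vendor tooling: it reads W3C extended log lines, honours the `#Fields:` directive, and flags requests to `/_vti_bin/shtml.exe` or `shtml.dll` whose trailing URL is unusually long. Assumptions: the request was recorded at all (for example by a front-end proxy, since a service that crashes may not write its own entry), the 2048-character threshold and the function name are hypothetical, and the sample log lines are constructed.

```python
import re

# Assumption: a path-info/query tail longer than this on shtml.exe/dll merits review.
MAX_TAIL = 2048
SHTML = re.compile(r"^/_vti_bin/shtml\.(?:exe|dll)(?P<tail>.*)$",
                   re.IGNORECASE | re.DOTALL)

def find_oversized_shtml_requests(lines, max_tail=MAX_TAIL):
    """Return [(client_ip, tail_length)] for oversized shtml.exe/dll requests."""
    fields, hits = [], []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            # The column layout can change mid-file; always use the latest one.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated record
        rec = dict(zip(fields, values))
        match = SHTML.match(rec.get("cs-uri-stem", ""))
        if not match:
            continue
        query = rec.get("cs-uri-query", "-")
        # Everything after shtml.exe/dll is the "URL for the dynamic contents".
        tail_len = len(match.group("tail")) + (0 if query == "-" else len(query))
        if tail_len > max_tail:
            hits.append((rec.get("c-ip", "-"), tail_len))
    return hits

# Constructed sample log (addresses are from the documentation range 192.0.2.0/24).
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-04-11 09:30:01 192.0.2.10 GET /_vti_bin/shtml.exe/index.htm - 200",
    "2002-04-11 09:30:05 192.0.2.77 GET /_vti_bin/shtml.exe/" + "A" * 35000 + " - 500",
    "2002-04-11 09:30:09 192.0.2.10 GET /default.asp id=1 200",
    "2002-04-11 09:31:00 192.0.2.78 GET /_VTI_BIN/shtml.dll/" + "A" * 3000 + " - 404",
]

if __name__ == "__main__":
    for ip, length in find_oversized_shtml_requests(SAMPLE_LOG):
        print(f"{ip}: shtml tail of {length} characters")
```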
    


