Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: IIS :: n-098.txt

Microsoft Cumulative Patch for IIS (CIAC N-098)




             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

       Microsoft Cumulative Patch for Internet Information Service (IIS)
                     [Microsoft Security Bulletin MS03-018]

May 28, 2003 22:00 GMT                                            Number N-098
______________________________________________________________________________
PROBLEM:       There are four security vulnerabilities in IIS: 
	       1) A Cross-Site Scripting (CSS) vulnerability involving the 
	          error message that is returned to advise that a requested URL 
	          has been redirected. 
               2) A buffer overrun that does not correctly validate requests 
                  for certain types of web pages known as server side includes. 
               3) A denial of service vulnerability in the allocation of 
                  memory requests when constructing headers to be returned to a 
                  web client. 
	       4) A denial of service vulnerability that does not correctly 
	          handle an error condition when an overly long WebDAV request 
		  is passed. 
PLATFORM:      * Microsoft Internet Information Server 4.0 
	       * Microsoft Internet Information Services 5.0 
	       * Microsoft Internet Information Services 5.1 
DAMAGE:        Unpatched systems are vulnerable to denial of service attacks. 
               The most serious of these vulnerabilities may allow an attacker 
               to execute code of their choice. 
SOLUTION:      Apply patch as described in Microsoft's security bulletin. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The most serious vulnerability described in 
ASSESSMENT:    the buffer overrun, an attacker would need the ability to 
               upload a Server-side include page to a vulnerable IIS server. 
               If the attacker then requested this page, a buffer overrun 
               could result, which would allow the attacker to execute code of 
               their choice on the server. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-098.shtml 
 ORIGINAL BULLETIN:                                                           
                     http://www.microsoft.com/technet/treeview/
                       default.asp?url=/technet/security/bulletin/MS03-018.asp 
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS03-018 *****]

Microsoft Security Bulletin MS03-018 

Cumulative Patch for Internet Information Service (811114)
Originally posted: May 28, 2003

Summary
Who should read this bulletin: Customers hosting web servers using Microsoft® 
Windows NT® 4.0, Windows® 2000, or Windows® XP. 

Impact of vulnerability: Allow an attacker to execute code of their choice 

Maximum Severity Rating: Important 

Recommendation: Customers hosting web servers using Microsoft® Windows NT® 4.0, 
Windows® 2000, or Windows® XP should install the patch at the earliest 
opportunity. 

Affected Software: 

* Microsoft Internet Information Server 4.0 
* Microsoft Internet Information Services 5.0 
* Microsoft Internet Information Services 5.1 

Non Affected Software: 

* Microsoft Internet Information Services 6.0 

End User Bulletin: An end user version of this bulletin is available at: 
http://www.microsoft.com/security/security_bulletins/ms03-018.asp. 


 Technical details
Technical description: 


This patch is a cumulative patch that includes the functionality of all security 
patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security 
patches released to date for IIS 5.0 since Windows 2000 Service Pack 2 and IIS 5.1. 
A complete listing of the patches superseded by this patch is provided below, in 
the section titled “Additional information about this patch”. 

In addition to all previously released security patches, this patch also includes 
fixes for the following newly discovered security vulnerabilities affecting IIS 4.0, 
5.0 and 5.1: 

* A Cross-Site Scripting (CSS) vulnerability affecting IIS 4.0, 5.0 and 5.1 involving 
the error message that’s returned to advise that a requested URL has been redirected. 
An attacker who was able to lure a user into clicking a link on his or her web site 
could relay a request containing script to a third-party web site running IIS, 
thereby causing the third-party site’s response (still including the script) to be 
sent to the user. The script would then render using the security settings of the 
third-party site rather than the attacker’s. 

* A buffer overrun that results because IIS 5.0 does not correctly validate requests 
for certain types of web pages known as server side includes. An attacker would need 
the ability to upload a Server-side include page to a vulnerable IIS server. If the 
attacker then requested this page, a buffer overrun could result, which would allow 
the attacker to execute code of their choice on the server with user-level 
permissions. 

* A denial of service vulnerability that results because of a flaw in the way IIS 4.0 
and 5.0 allocate memory requests when constructing headers to be returned to a web 
client. An attacker would need the ability to upload an ASP page to a vulnerable IIS 
server. This ASP page, when called by the attacker, would attempt to return an extremely 
large header to the calling web client. Because IIS does not limit the amount of memory 
that can be used in this case, this could case IIS to fail as a result of running out 
of local memory. 

* A denial of service vulnerability that results because IIS 5.0 and 5.1 do not correctly 
handle an error condition when an overly long WebDAV request is passed to them. As a 
result an attacker could cause IIS to fail – however both IIS 5.0 and 5.1 will by 
default restart immediately after this failure. 
There is a dependency associated with this patch – it requires the patch from Microsoft 
Security Bulletin MS02-050 to be installed. If this patch is installed and MS02-050 is 
not present, client side certificates will be rejected. This functionality can be 
restored by installing the MS02-050 patch. 

Mitigating factors: 

Redirection Cross Site Scripting: 

* IIS 6.0 is not affected. 
* The vulnerability could only be exploited if the attacker could entice another user 
  into visiting a web page and clicking a link on it, or opening an HTML mail. 
* The target page must be an ASP page, which uses Response.Redirect to redirect the 
  client, to a new URL that is based on the incoming URL of current request. 

Server Side Include Web Pages Buffer Overrun 

* IIS 4.0, IIS 5.1 and IIS 6.0 are not affected. 
* The IIS Lockdown tool by default disables the ssinc.dll mapping, which will block this 
  attack. 
* By default IIS 5.0 runs under a user account and not the system account. Therefore an 
  attacker who successfully exploited the vulnerability would only gain user level 
  permissions rather than administrative level permissions. 
* An attacker must have the ability to upload files to the IIS Server. 

ASP Headers Denial of Service 

* An attacker must have the ability to upload files to the IIS server. 
* IIS 5.0 will automatically restart after failing. 
* IIS 5.1 and IIS 6.0 are not affected. 

WebDAV Denial of Service 

* IIS 6.0 is not affected. 
* IIS 5.0 and 5.1 will restart automatically after this failure. 
* The IIS Lockdown tool disables WebDAV by default, which will block this attack. 

Severity Rating:

Redirection Cross Site Scripting   
IIS 4.0 Low 
IIS 5.0 Low 
IIS 5.1 Low 

Server Side Include Web Pages Buffer Overrun   
IIS 4.0 None 
IIS 5.0 Moderate 
IIS 5.1 None 

ASP Headers Denial of Service   
IIS 4.0 Moderate 
IIS 5.0 Moderate 
IIS 5.1 None 

WebDAV Denial of Service   
IIS 4.0 None 
IIS 5.0 Important 
IIS 5.1 Important 

Aggregate Severity of all Vulnerabilities   
IIS 4.0 Moderate 
IIS 5.0 Important 
IIS 5.1 Important 

The above assessment is based on the types of systems affected by the vulnerability, 
their typical deployment patterns, and the effect that exploiting the vulnerability 
would have on them. 

Vulnerability identifiers:

Redirection Cross Site Scripting CAN-2003-0223

Server Side Include Web Pages Buffer Overrun CAN-2003-0224

ASP Headers Denial of Service CAN-2003-0225

WebDAV Denial of Service CAN-2003-0226 

Tested Versions:
Microsoft tested IIS 4.0, 5.0, 5.1 and 6.0 to assess whether they are affected by 
these vulnerabilities. Previous versions are no longer supported, and may or may not 
be affected by these vulnerabilities.

Patch availability
Download locations for this patch 

Download locations for this patch 

* IIS 4.0: 
  All 

* IIS 5.0:
  All 

* IIS 5.1: 
  32-bit Edition 

  64-bit Edition 

 Additional information about this patch

Installation platforms: 

* The IIS 4.0 patch can be installed on systems running Windows NT 4.0 Service Pack 6a. 
* The IIS 5.0 patch can be installed on systems running Windows 2000 Service Pack 2 or 
  Service Pack 3. 
* The IIS 5.1 patch can be installed on systems running Windows XP Professional Gold 
  and Service Pack 1. 

Inclusion in future service packs: 

* No additional service packs are planned for Windows NT 4.0. 
* The IIS 5.0 fixes will be included in Windows 2000 Service Pack 4. 
* The IIS 5.1 fixes will be included in Windows XP Service Pack 2. 

Reboot needed: 

* IIS 4.0: A reboot can be avoid by stopping the IIS service, installing the patch with 
  the /z switch, then restarting the service. Knowledge Base article Q327696 provides 
  additional information on this procedure. 
* IIS 5.0: In most cases, the patch does not require a reboot. The installer stops the 
  needed services, applies the patch, then restarts them. However, if the needed services 
  cannot be stopped for any reason, it will require a reboot. If this occurs, a prompt 
  will be displayed advising of the need to reboot. 
* IIS 5.1: No. (In some cases, a pop-up dialogue may say that the system needs to be 
  rebooted in order for the patch installation process to be completed. This dialogue, 
  if it appears, can be ignored) 

Patch can be uninstalled: Yes 

Superseded patches:
This patch supersedes the ones provided in the following Microsoft Security Bulletins:

* MS02-062.
* MS02-028. 
* MS02-018. (This is a cumulative patch, and supersedes additional patches) 

Verifying patch installation:

IIS 4.0: 

* To verify that the patch has been installed on the machine, confirm that the 
  following registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q811114. 
* To verify the individual files, consult the file manifest in Knowledge Base 
  article 811114. 

IIS 5.0: 

* To verify that the patch has been installed on the machine, confirm that the 
  following registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q811114. 
* To verify the individual files, use the date/time and version information provided 
  in the following registry key: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q811114\Filelist. 

IIS 5.1: 

* To verify that the patch has been installed on the machine, confirm that the 
  following registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q811114. 
* To verify the individual files, use the date/time and version information provided 
  in the following registry key: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q811114\Filelist. 

Caveats: 

1. This patch requires the patch from Microsoft Security Bulletin MS02-050 to be 
installed. If this IIS cumulative patch is installed and MS02-050 is not present, 
client side certificates will be disabled. This functionality can be restored by 
installing the MS02-050 patch either before or after installing the IIS Cumulative 
patch. 

2. The fixes for four vulnerabilities affecting IIS 4.0 servers are not included in 
the patch, because they require administrative action rather than a software change. 
Administrators should ensure that in addition to applying this patch, they also have 
taken the administrative action discussed in the following bulletins: 

	* Microsoft Security Bulletin MS00-028 
	* Microsoft Security Bulletin MS00-025 
	* Microsoft Security Bulletin MS99-025 (which discusses the same issue as 
           Microsoft Security Bulletin MS98-004) 
	* Microsoft Security Bulletin MS99-013 

3. The patch does not include fixes for vulnerabilities involving non-IIS products 
like Front Page Server Extensions and Index Server, even though these products are 
closely associated with IIS and typically installed on IIS servers. At this writing, 
the bulletins discussing these vulnerabilities are: 

	* Microsoft Security Bulletin MS02-053 
	* Microsoft Security Bulletin MS02-050 
	* Microsoft Security Bulletin MS01-043 
	* Microsoft Security Bulletin MS01-025 
	* Microsoft Security Bulletin MS00-084 
	* Microsoft Security Bulletin MS00-018 
	* Microsoft Security Bulletin MS00-006 

There is, however, one exception. The fix for the vulnerability affecting Index 
Server which is discussed in Microsoft Security Bulletin MS01-033 is included in 
this patch. We have included it because of the seriousness of the issue for IIS 
servers. 

4. Customers using IIS 4.0 should ensure that they have followed the correct 
installation order before installing this or any security patch. Specifically, 
customers should ensure that Windows NT 4.0 Service Pack 6a has been applied 
(or re-applied) after installing the IIS 4.0 service. 

5. Customers using Site Server should be aware that a previously documented issue 
involving intermittent authentication errors has been determined to affect this and 
a small number of other patches. Microsoft Knowledge Base article Q317815 discusses 
the issue and how resolve it. 

Localization:
Localized versions of this patch are available at the locations discussed in 
“Patch Availability”. 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

* Security patches are available from the Microsoft Download Center, and can be most 
  easily found by doing a keyword search for "security_patch". 
* Patches for consumer platforms are available from the WindowsUpdate web site 

Other information: 

Acknowledgments
Microsoft thanks the following for reporting these issues to us and working with 
us to protect customers: 

* SPIDynamics SPI Labs for reporting the Redirection Cross Site Scripting and WebDAV 
  Denial of Service vulnerabilities. 
* NSFocus for reporting the Server Side Include Web Pages Buffer Overrun vulnerability. 

Support: 

* Microsoft Knowledge Base article 811114 discusses this issue. Knowledge Base articles 
  can be found on the Microsoft Online Support web site. 
* Technical support is available from Microsoft Product Support Services. There is no 
  charge for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either express 
or implied, including the warranties of merchantability and fitness for a particular 
purpose. In no event shall Microsoft Corporation or its suppliers be liable for any 
damages whatsoever including direct, indirect, incidental, consequential, loss of 
business profits or special damages, even if Microsoft Corporation or its suppliers 
have been advised of the possibility of such damages. Some states do not allow the 
exclusion or limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply. 

Revisions: 

* V1.0 (May 28, 2003): Bulletin Created. 

[***** End Microsoft Security Bulletin MS03-018 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-088: Hewlett-Packard rexec Command Security Vulnerability
N089: Red Hat MySQL Vulnerabilities
N-090: Red Hat mod_auth_any Vulnerabilities
N-091: Sun Cobalt PHP SafeMode Vulnerability
N-092: Microsoft Flaw in Windows Media Player Skins 
N-093: Cisco VPN 3000 Concentrator Vulnerabilities
N-094: HP Potential Security Vulnerability in wall(1M)
N-095: Red Hat Multiple Vulnerabilities in KDE
N-096: Red Hat New Kernel Fixes Local Security Issues
N-097: Red Hat Updated Tcpdump Packages



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH