watch out for this guys:
http://www.eeye.com/database/advisories/ad06081999/ad06081999-exploit.html
and this is Microsoft's answer:
> The following is a Security Bulletin from the Microsoft Product Security
> Notification Service.
>
> Please do not reply to this message, as it was sent from an unattended
> mailbox.
> ********************************
>
> Microsoft Security Bulletin (MS99-019)
> --------------------------------------
>
> Workaround Available for "Malformed HTR Request" Vulnerability
>
> Originally Posted: June 15, 1999
>
> Summary
> =======
> Microsoft has released a patch that eliminates a vulnerability in
Microsoft
> (r) Internet Information Server 4.0. The vulnerability could allow denial
> of service attacks against an IIS server or, under certain conditions,
> could allow arbitrary code to be run on the server.
>
> Microsoft has issued this bulletin to advise customers of steps they can
> take to protect themselves against this vulnerability. A patch to
eliminate
> this vulnerability is being developed, and an update to this bulletin
will
> be released to advise customers when it is available.
>
> Issue
> =====
> IIS supports several file types that require server-side processing. When
a
> web site visitor requests a file of one of these types, an appropriate
> filter DLL processes it. A vulnerability exists in ISM.DLL, the filter
DLL
> that processes .HTR files. HTR files enable remote administration of user
> passwords.
>
> The vulnerability involves an unchecked buffer in ISM.DLL. This poses two
> threats to safe operation. The first is a denial of service threat. A
> malformed request for an .HTR file could overflow the buffer, causing IIS
> to crash. The server would not need to be rebooted, but IIS would need to
> be restarted. The second threat would be more difficult to exploit. A
> carefully-constructed file request could cause arbitrary code to execute
on
> the server via a classic buffer overrun technique. Neither scenario could
> occur accidentally. This vulnerability does not involve the functionality
> of the password administration features of .HTR files.
>
> While there are no reports of customers being adversely affected by this
> vulnerability, Microsoft is proactively releasing this bulletin to allow
> customers to take appropriate action to protect themselves against it.
>
> Affected Software Versions
> ==========================
> - Microsoft Internet Information Server 4.0
>
> What Microsoft is Doing
> =======================
> Microsoft has provided a workaround that fixes the problem identified. The
> workaround is discussed below in What Customers Should Do.
>
> Microsoft also has sent this security bulletin to customers
> subscribing to the Microsoft Product Security Notification Service.
> See http://www.microsoft.com/security/services/bulletin.asp for more
> information about this free customer service.
>
> What Customers Should Do
> ========================
> Microsoft highly recommends that customers disable the script mapping for
> .HTR files as follows:
> - From the desktop, start the Internet Service Manager
> by clicking Start | Programs | Windows NT 4.0 Option
> Pack | Microsoft Internet Information Server | Internet
> Service Manager
> - Double-click "Internet Information Server"
> - Right-click on the computer name and select Properties
> - In the Master Properties drop-down box, select "WWW Service",
> then click the "Edit" button .
> - Click the "Home Directory" tab, then click the "Configuration"
> button .
> - Highlight the line in the extension mappings that contains ".HTR",
> then click the "Remove" button.
> - Respond "yes" to "Remove selected script mapping?" say yes,
> click OK 3 times, close ISM
>
> A patch will be available shortly to eliminate the vulnerability
altogether.
>
> Customers should monitor http://www.microsoft.com/security for an
> announcement when the patches are available.
>
> Microsoft recommends that customers review the IIS Security Checklist at
> http://www.microsoft.com/security/products/iis/CheckList.asp
>
> More Information
> ================
> Please see the following references for more information related to this
> issue.
> - Microsoft Security Bulletin MS99-019,
> Workaround Available for "Malformed HTR Request" Vulnerability
> (The Web-posted version of this bulletin),
> http://www.microsoft.com/security/bulletins/ms99-019.asp.
> - IIS Security Checklist,
> http://www.microsoft.com/security/products/iis/CheckList.asp
>
> Obtaining Support on this Issue
> ===============================
> If you require technical assistance with this issue, please contact
> Microsoft Technical Support. For information on contacting Microsoft
> Technical Support, please see
> http://support.microsoft.com/support/contact/default.asp.
>
> Revisions
> =========
> - June 15, 1999: Bulletin Created.
>
>
>
> For additional security-related information about Microsoft products,
> please visit http://www.microsoft.com/security
>
>
> ------------------------------------------------------------------
>
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS"
> WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
> EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
FITNESS
> FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
> SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
> INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
> EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
> POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
> LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
> FOREGOING LIMITATION MAY NOT APPLY.
>
> (c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.
>
> *******************************************************************
> You have received this e-mail bulletin as a result of your registration
> to the Microsoft Product Security Notification Service. You may
> unsubscribe from this e-mail notification service at any time by sending
> an e-mail to [EMAIL PROTECTED]
> The subject line and message body are not used in processing the request,
> and can be anything you like.
>
> For more information on the Microsoft Security Notification Service
> please visit http://www.microsoft.com/security/bulletin.htm. For
> security-related information about Microsoft products, please visit the
> Microsoft Security Advisor web site at http://www.microsoft.com/security.
>
regards,
Francisco Lopez
SysAdmin & Networks Engineer
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
