-----Original Message-----
From: UNIRAS (UK Govt CERT)
Sent: 02 July 2002 09:40
To: Undisclosed Recipients
Subject: UNIRAS Briefing - 197/02 - Microsoft - Heap Overrun in HTR
Chunked Encoding Could Enable Web Server Compromise (Revision to UNIRAS
Briefing 184/02)
Importance: High



-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 197/02 dated 02.07.02  Time: 09:38
 UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Microsoft Security Bulletin - MS02-028 (Revision to UNIRAS Briefing 184/02):
Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise

Detail
======

- -----BEGIN PGP SIGNED MESSAGE-----

- - -
- - ----------------------------------------------------------------------
Title:      Heap Overrun in HTR Chunked Encoding Could Enable Web
            Server Compromise (Q321599)
Released:   12 June 2002
Revised:    01 July 2002 (version 2.0)
Software:   Internet Information Server
Impact:     Run Code of Attacker's Choice
Max Risk:   Critical
Bulletin:   MS02-028

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-028.asp.
- - -
- - ----------------------------------------------------------------------

Reason for Revision:
====================
On June 12, 2002, Microsoft released the original version of this
bulletin. On July 1, 2002, the bulletin was updated to revise the
severity rating. Specifically, Microsoft has increased the severity
rating of this issue to "critical." The revision is in response to a
significant change in the threat environment due to an increased
focus on chunked encoding vulnerabilities in general, and the
discovery of hostile code attempting to exploit similar
vulnerabilities on other platforms. Customers who have already
disabled HTR or applied this patch need not take any action.
Customers who have not disabled HTR should do so as soon as
possible. Alternately, customers who cannot disable HTR should
apply the patch immediately.

Issue:
======
This patch eliminates a newly discovered vulnerability affecting
Internet Information Services. Although Microsoft typically delivers
cumulative patches for IIS, in this case we have delivered a patch
that eliminates only this new vulnerability, while completing a
cumulative patch. When the cumulative patch is customer-ready, we
will update this bulletin with information on its availability. The
FAQ provides information on the circumstances surrounding the
vulnerability, and why we believe releasing a singleton patch
immediately is in customers' best interests. To ensure that servers
are fully protected against past as well as current vulnerabilities,
we strongly recommend installing the previous cumulative patch
(discussed in Microsoft Security Bulletin MS02-018) before
installing this patch.

The vulnerability is similar to the first vulnerability discussed
in Microsoft Security Bulletin MS02-018. Like that vulnerability,
this one involves a buffer overrun in the Chunked Encoding data
transfer mechanism in IIS 4.0 and 5.0, and could likewise be used
to overrun heap memory on the system, with the result of either
causing the IIS service to fail or allowing code to be run on the
server. The chief difference between the vulnerabilities is that
the newly discovered one lies in the ISAPI extension that
implements HTR - an older, largely obsolete scripting technology -
where the previous one lay in the ISAPI extension that implements
ASP.

Mitigating Factors:
====================
 - Microsoft has long recommended disabling HTR functionality
   unless there is a business-critical reason for retaining it.
   Systems on which HTR is disabled would not be at risk from this
   vulnerability.

 - The IIS Lockdown Tool disables HTR by default in all server
   configurations.

 - The current version of the URLScan tool provides a means of
   blocking chunked encoding transfer requests by default.

 - On default installations of IIS 5.0, exploiting the
   vulnerability to run code would grant the attacker the privileges
   of the IWAM_computername account, which has only the privileges
   commensurate with those of an interactively logged-on
   unprivileged user.

Risk Rating:
============
 - Internet systems: Critical
 - Intranet systems: Critical
 - Client systems: Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-028.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - eEye Digital Security (http://www.eeye.com/)

- - -
- - ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

- -----END PGP SIGNATURE-----

 *******************************************************************

Reprinted with permission of Microsoft Corporation.
- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:

[EMAIL PROTECTED]
Tel: 020 7821 1330 Ext 4511
Fax: 020 7821 1686

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Microsoft for the information
contained in this Briefing.
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

-----END PGP SIGNATURE-----
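
As an added illustration (not part of the UNIRAS or Microsoft text, and not URLScan's own logic), the following Python code applies the two request-level mitigations listed under Mitigating Factors, refusing .htr targets and chunked transfer requests, to raw request heads. The function names, policy constants, host name and sample requests are all constructed for this example.

```python
from urllib.parse import unquote, urlsplit

# Policy mirroring the bulletin's mitigations (names here are illustrative).
DENIED_EXTENSIONS = {".htr"}
DENIED_CODINGS = {"chunked"}

def parse_head(raw):
    """Split a raw HTTP/1.x request head into (target, headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (ln.partition(":") for ln in lines[1:])]
    return target, headers

def path_extensions(target):
    """Extension of every path segment, so /x.htr/extra is still caught."""
    exts = set()
    for seg in unquote(urlsplit(target).path).lower().split("/"):
        seg = seg.rstrip(". ")  # Windows drops trailing dots and spaces
        if "." in seg:
            exts.add("." + seg.rsplit(".", 1)[1])
    return exts

def verdict(raw):
    """Return (allowed, reasons) for one request under the policy above."""
    try:
        target, headers = parse_head(raw)
    except ValueError:
        return False, ["malformed request line"]
    hit = sorted(path_extensions(target) & DENIED_EXTENSIONS)
    reasons = ["denied extension " + ext for ext in hit]
    for name, value in headers:
        codings = {c.strip().lower() for c in value.split(",")}
        if name == "transfer-encoding" and codings & DENIED_CODINGS:
            reasons.append("chunked transfer encoding")
    return not reasons, reasons

# Constructed sample request heads (no bodies); host and paths are made up.
HOST = b"Host: www.example.test\r\n"
SAMPLES = {
    "plain": b"GET /default.asp HTTP/1.1\r\n" + HOST + b"\r\n",
    "htr": b"GET /app/Reset.HTR?x=1 HTTP/1.1\r\n" + HOST + b"\r\n",
    "chunked": b"POST /form.asp HTTP/1.1\r\n" + HOST + b"Transfer-Encoding: Chunked\r\n\r\n",
    "encoded": b"POST /app/reset%2Ehtr/extra HTTP/1.1\r\n" + HOST + b"transfer-encoding: gzip, chunked\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, verdict(raw))
```

The extension check decodes percent-escapes and inspects every path segment because a filter that only compares the literal end of the URL misses `reset%2Ehtr` and `reset.htr/extra`.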




IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk

