@stake, Inc. www.atstake.com Security Advisory Advisory Name: .htr heap overflow in IIS 4.0 and 5.0 Release Date: 04/10/2002 Application: Microsoft Internet Information Server 4.0/5.0 Platform: Microsoft Windows NT 4.0, Windows 2000 Severity: A remote user can execute arbitrary machine code on the vulnerable server. Author: Dave Aitel (daitel@atstake.com) Vendor Status: Vendor has bulletin and patch, see below CVE Candidate: CAN-2002-0071 Reference: www.atstake.com/research/advisories/2002/a041002-1.txt Overview: Microsoft's Internet Information Server (IIS) is a web server that is part of the Windows NT 4.0 and Windows 2000 server operating system. In the default IIS installation, .htr functionality is enabled. .htr files are used only for for web-based password resets. There exists a heap overflow in the server component that is used to handle requests to .htr files. As with most heap overflows, this heap overflow can be used to execute arbitrary machine code. In the default installation, this results in remote execution in the IUSR_machine security context. This vulnerability has been verified on IIS 4.0 and 5.0 with SP2 and the latest security patches as of April 1, 2002. Description: IIS supports many different file types, such as .htr, that require server side processing. When IIS recieves a request for a file with the .htr extension, the request is handled by a ISAPI extension, ISM.DLL. When a file request is recieved by IIS it checks the script mappings to check if the extension on the file in the request matches an extension in the script mappings. If it does it passes the request on to an ISAPI extension for further processing. .htr files do not actually need to be present on the system for the request to be handled by ISM.DLL. Script mappings are configured with the IIS administrative interface. .htr files are mapped to the ISM.DLL by default so a default IIS 4.0 or 5.0 installation is vulnerable. A recommended security practices is to unmap all script mappings that are not being used. This is documented in Microsoft's IIS Security Checklist: IIS 4.0 http://www.microsoft.com/technet/security/tools/chklist/iischk.asp IIS 5.0 http://www.microsoft.com/technet/security/tools/chklist/iis5chk.asp This follows the security best practice of attack surface reduction. In general this is accomplished by disabling all functionality that is not required to accomplish the specific tasks for which a product is being used. Once the request is passed on to the ISM.DLL ISAPI filter, a specific request causes a heap overflow to occur during processing. This heap overflow, as with most heap overflows, is exploitable to run arbitrary code on the machine in the user context that ISM.DLL is running. By default this user context is IWAM_computername. The IUSR_computername user context does not allow administrative access so the machine cannot be completely compromised by this vulnerability alone. Remote attackers can execute arbitrary code which does allow for the creation of a network worm or the execution of a remote control program. The risk to machines that have not been patched or reconfigured is very high. Vendor Response: The vendor has issued a bulletin on this issue: http://www.microsoft.com/technet/security/bulletin/MS02-018.asp The vendor has issued patches for this issue: Microsoft IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37931 Microsoft IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37824 Recommendations: Apply the vendor patches. You can check to see if you are potentially vulnerable by searching for ISM.DLL. Be aware that IIS is installed as part of other Microsoft products. Run the IIS administrative program and check script mappings. Disable .htr functionality by unmapping the .htr extention except for the rare case that you are using the web-based password reset feature of IIS. Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. .htr IIS Server vulnerability: CAN-2002-0071 Reporter Disclosure Policy: This advisory is being issued in accordance with the Responsible Vulnerability Disclosure Process available at: http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosu re-00.txt For more advisories: http://www.atstake.com/research/advisories/ PGP Key: http://www.atstake.com/research/pgp_key.asc Copyright 2002 @stake, Inc. All rights reserved.