Vulnerable Web Server
Impact
IIS:
Due to an unchecked buffer in an IIS 5.0 DLL, a maliciously crafted HTTP .printer
request containing approximately 420 bytes in the 'Host:' field will allow the
execution of arbitrary code. It is most commonly found on Windows 2000.
On April 10, Microsoft announced 10 vulnerabilities in IIS 4.0, 5.0, and 5.1. These vulnerabilities, many based on ASP, can lead to a compromise of the system.
Microsoft placed a password backdoor in their IIS 4 and IIS 5 products.
Knowledge of the password can give a user access to certain Web administrator
operations.
Netscape:
Most versions of Netscape Enterprise Server prior to version 4.1
may be vulnerable to a buffer overflow attack. This includes both Netscape
and iPlanet servers.
WebSite Pro:
Many versions of O'Reilly's WebSite Pro Server (httpd_32.exe)
may be vulnerable to a buffer overflow attack. Versions 2.4.x have
been confirmed to be vulnerable. Prior versions may also be vulnerable.
BEA Weblogic:
Several buffer overflows in plugins provided with several BEA Weblogic servers
allow a remote attacker to execute arbitrary code on the system running the
proxying web server.
Apache:
A condition exists in many Apache servers up to and including version 1.3.13
that may enable a malicious user to read arbitrary files.
Background
IIS:
The Windows 2000/IIS 5.0 Internet Printing ISAPI extension, msw3prt.dll,
handles user requests. An unchecked buffer in msw3prt.dll will allow
the execution of arbitrary code. Typically a web server would stop responding
in a buffer overflow condition; however, once Windows 2000 detects an
unresponsive web server it automatically restarts it. Therefore,
the administrator will be unaware of this attack. The '10 April'
vulnerabilities involve a series of buffer overflow attacks against
Active Server Pages (ASP) extensions. Exploits against these vulnerabilities
can lead to a system compromise.
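The two characteristics of the .printer overflow that the text gives (a request to the Internet Printing ISAPI mapping and a 'Host:' field of roughly 420 bytes) are enough for a simple request-level detection. The following Python is an added example, not code from the original advisory or from Microsoft: it parses raw HTTP requests and flags those that target a .printer URL with an oversized Host header. The sample requests are constructed, the /status.printer path is a made-up URL, and the 256-byte threshold is an assumption chosen to sit well below the overflow size while staying above any plausible legitimate hostname.

```python
# Constructed sample requests (not real traffic): one ordinary request to the
# Internet Printing ISAPI mapping, one with a Host header padded far past the
# ~420-byte size the advisory cites, and one long-Host request to a non-.printer
# path, which should not be flagged by this rule.
SAMPLE_REQUESTS = [
    b"GET /status.printer HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"GET /status.printer HTTP/1.0\r\nHost: " + b"A" * 450 + b"\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: " + b"B" * 450 + b"\r\n\r\n",
]

# Assumption: no legitimate hostname approaches this length, so the threshold
# sits comfortably below the ~420 bytes needed to reach the unchecked buffer.
HOST_LENGTH_THRESHOLD = 256


def parse_request(raw):
    """Return (method, path, headers) for a raw HTTP request, or None if the
    request line is malformed. Header names are lower-cased for lookup."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1", "replace").split(" ")
    if len(parts) < 2:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a header line; skip rather than abort
        headers[name.strip().lower().decode("latin-1", "replace")] = \
            value.strip().decode("latin-1", "replace")
    return parts[0], parts[1], headers


def is_printer_overflow_attempt(raw, threshold=HOST_LENGTH_THRESHOLD):
    """True when the request targets a .printer URL and carries a Host header
    longer than the threshold. Long Host headers on other paths are left to
    other rules so this check stays specific to the ISAPI mapping."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    _method, path, headers = parsed
    # Drop any query string before checking the extension.
    path = path.split("?", 1)[0]
    if not path.lower().endswith(".printer"):
        return False
    return len(headers.get("host", "")) > threshold


def scan_requests(requests, threshold=HOST_LENGTH_THRESHOLD):
    """Return the indices of requests matching the .printer overflow pattern."""
    return [i for i, raw in enumerate(requests)
            if is_printer_overflow_attempt(raw, threshold)]


if __name__ == "__main__":
    for i in scan_requests(SAMPLE_REQUESTS):
        print("suspicious .printer request at index", i)
```

Because the text notes that Windows 2000 silently restarts the crashed server, the IIS logs alone may not show the attack; matching on the request itself, at a proxy or network sensor in front of the server, is what gives the administrator visibility.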
Microsoft installed a password backdoor in IIS 4.0 and IIS 5.0 servers through
which they could access and control Web servers.
Netscape:
ISS X-Force has reported potential vulnerabilities in all Netscape servers
prior to the migration to the iPlanet configuration. In addition, vulnerabilities
in iPlanet 4.0 have been identified.
BEA Weblogic:
These web servers can be configured to redirect requests for servlets and
JSP files to a Weblogic server running on the same or on a different host.
The net result of this is remote execution of arbitrary code as the user
running the proxying server (generally root on UNIX systems, SYSTEM on MS NT).
Apache:
If a RewriteRule directive is expressed whose result maps to a filename
containing regular expression references (such as $1), the result may provide
an attacker with the ability to view arbitrary files on the host.
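The condition the text describes is easy to audit for in a configuration file: a RewriteRule whose substitution is a filesystem path (rather than an external URL) and carries a $N backreference taken from an unconstrained capture such as (.*). The following Python is an added example, not code from the original advisory or from the Apache project: it scans an httpd.conf excerpt for such rules. The configuration excerpt is constructed, and the practice of limiting the capture to an explicit character class (the /docs/ rule) is a hardening assumption of this example rather than a resolution the page states.

```python
import re

# Constructed httpd.conf excerpt (not from any real server). Line 3 maps a URL
# into a filesystem path using an unconstrained capture; line 4 limits the
# capture to a safe character class; line 5 is an external redirect; line 6
# has no backreference at all. Only line 3 matches the advisory's condition.
SAMPLE_CONF = """
RewriteEngine on
RewriteRule ^/data/(.*)$ /usr/local/data/$1 [L]
RewriteRule ^/docs/([A-Za-z0-9_-]+\\.html)$ /usr/local/docs/$1 [L]
RewriteRule ^/old/(.*)$ http://www.example.com/new/$1 [R]
RewriteRule ^/index$ /usr/local/htdocs/index.html [L]
"""

REWRITE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)')
BACKREF_RE = re.compile(r'\$\d')
# Heuristic for "accepts anything": a capture group of '.' followed by * or +.
UNCONSTRAINED_CAPTURE_RE = re.compile(r'\(\.[*+]\)')


def find_risky_rewrite_rules(conf_text):
    """Return (line_number, pattern, substitution) for every RewriteRule whose
    substitution is a filesystem path that embeds a $N backreference drawn
    from an unconstrained capture group."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = REWRITE_RE.match(line)
        if not m:
            continue
        pattern, subst = m.group(1), m.group(2)
        # External redirects and substitutions without backreferences do not
        # map user-controlled text into a local filename.
        if "://" in subst or not BACKREF_RE.search(subst):
            continue
        if not subst.startswith("/"):
            continue
        if UNCONSTRAINED_CAPTURE_RE.search(pattern):
            findings.append((lineno, pattern, subst))
    return findings


if __name__ == "__main__":
    for lineno, pattern, subst in find_risky_rewrite_rules(SAMPLE_CONF):
        print("line %d: RewriteRule %s %s" % (lineno, pattern, subst))
```

The check is deliberately a heuristic: it reports rules worth reviewing on a server still running 1.3.13 or earlier, not a proof that any particular rule is exploitable, and a substitution that starts with a per-server variable rather than a leading slash would need a further case.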
Resolution
IIS:
Microsoft has released a patch which rectifies the IIS 5.0 buffer
overflow at
ReleaseId 29321
On 10 April 2002, Microsoft released 10 advisories on various vulnerabilities
with IIS 4.0, 5.0, and 5.1. Refer to
Microsoft Technet Bulletin MS02-018.
On 27 April 2002, SecurityFocus released an
additional advisory
on the HTR ISAPI extension and recommended that the .htr extension be disabled.
Reference:
www.securityfocus.com/bid/2674
As of 15 May 2001, Microsoft has not issued an advisory on the password
backdoor. However, various CERTs have stated that Microsoft recommends
deleting the dvwssr.dll file in any of the FrontPage directories.
Netscape:
WebSite Pro:
BEA Weblogic:
Apache: