Multiple Vulnerabilities in Microsoft IIS 4.0, 5.0 and 5.1

Four new vulnerabilities exist in IIS--the most serious problem lets an attacker escalate privileges, and another problem results in a Denial of Service (DoS) condition on the vulnerable server.

Ken Pfeil

November 5, 2002


Reported October 30, 2002, by Microsoft.

VERSIONS AFFECTED

· Microsoft Internet Information Services (IIS) 5.1

· Microsoft Internet Information Services (IIS) 5.0

· Microsoft Internet Information Server (IIS) 4.0

DESCRIPTION

Four new vulnerabilities exist in IIS--the most serious problem lets an attacker escalate privileges, and another problem results in a Denial of Service (DoS) condition on the vulnerable server. These four new vulnerabilities are:

· A privilege elevation vulnerability affecting the way the server launches Internet Server APIs (ISAPIs) when an IIS 5.1, 5.0, or 4.0 server is configured to run the ISAPIs out of process. By design, the hosting process (dllhost.exe) should run only in the security context of the IWAM_computername account; however, under certain circumstances, an attacker can make the hosting process acquire LocalSystem privileges and enable an ISAPI to acquire the privileges also.

· A DoS vulnerability resulting from a problem in the way IIS 5.1 and 5.0 allocate memory for WWW Distributed Authoring and Versioning (WebDAV) requests. By sending several malformed WebDAV requests, an attacker can cause the server to fail.

· A vulnerability associated with the operation of the script source access permission in IIS 5.0. This permission operates in addition to the normal read/write permissions for a virtual directory and regulates whether a user can upload scripts, .asp files, and executable file types to a write-enabled virtual directory. A typographical error in the table that defines the file types subject to this permission has the effect of omitting .com files from the list of files subject to the permission. As a result, an attacker needs only write access to upload such a file.

· A pair of cross-site scripting vulnerabilities affecting IIS 5.1, 5.0, and 4.0 and involving administrative Web pages. Each of these vulnerabilities has the same scope and effect: An attacker who was able to lure a user into clicking a link on the attacker’s Web site could relay a request containing script to a third-party web site running IIS, causing the request to send the third-party site’s response (including the script) to the user. The script then renders in the browser using the third-party site's security settings rather than the attacker’s security settings.
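To check whether the .com gap in the script source access permission was used on a server before patching, an administrator can look for accepted PUT uploads of .com files in the IIS logs. The script below is an added example, not part of the original advisory or of Microsoft's bulletin; it assumes W3C extended logging with the cs-method, cs-uri-stem and sc-status fields enabled, the function name find_com_uploads is hypothetical, and the sample log lines are constructed.

```python
"""Flag accepted HTTP PUT uploads of .com files in IIS W3C extended logs."""

# Constructed sample log (not from a real server); addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-11-01 10:00:01 192.0.2.10 GET /default.asp 200
2002-11-01 10:00:05 192.0.2.44 PUT /uploads/notes.txt 201
2002-11-01 10:00:09 192.0.2.44 PUT /uploads/tool.COM 201
2002-11-01 10:00:12 192.0.2.44 PUT /uploads/run.asp 403
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2002-11-01 11:30:00 198.51.100.7 - PUT /uploads/second.com 403
2002-11-01 11:30:04 198.51.100.7 - PUT /uploads/third.com 204
"""

REQUIRED = ("cs-method", "cs-uri-stem", "sc-status")


def find_com_uploads(lines):
    """Return one dict per PUT of a *.com file that the server answered with 2xx."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The column layout can change mid-file; re-read it every time it appears.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields) or not all(f in fields for f in REQUIRED):
            continue  # malformed row, or the needed columns are not being logged
        row = dict(zip(fields, values))
        uploaded = row["cs-method"].upper() == "PUT"
        is_com = row["cs-uri-stem"].lower().endswith(".com")  # extension is case-insensitive
        accepted = row["sc-status"].startswith("2")
        if uploaded and is_com and accepted:
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_com_uploads(SAMPLE_LOG.splitlines()):
        print(hit.get("date"), hit.get("time"), hit.get("c-ip"), hit["cs-uri-stem"])
```

Rejected uploads (the 403 rows) are skipped on purpose: they show the permission check working, while a 2xx answer to a .com PUT is the case the advisory describes.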

 

VENDOR RESPONSE

The vendor, Microsoft, has released Security Bulletin MS02-062 (Cumulative Patch for Internet Information Service) to address these vulnerabilities and recommends that affected users apply the appropriate patch mentioned in the bulletin. This patch is cumulative and addresses all previously discovered vulnerabilities.

CREDIT

Discovered by Li0n, Mark Litchfield, Tomoki Sanaki, Arai Yuu, and Luciano Martins.
