Read it carefully:

-----Original Message-----
From: Russ [mailto:Russ.Cooper@xxxxxxxx]
Sent: Thursday, 16 August 2001 11:40
To: NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: Microsoft Security Bulletin MS01-044

-----BEGIN PGP SIGNED MESSAGE-----

Microsoft have released a new Security Bulletin, MS01-044, which is a cumulative IIS security patch (with versions of the patch for IIS 4.0 and IIS 5.0, which includes Personal Web Server and Outlook Web Access servers). It includes all IIS hotfixes since NT 4.0 SP5 or W2K Gold Release (original) and can be applied to any system with those minimums.

I understand that you've probably just finished ensuring that all of your IIS servers have had MS01-033 (the IDQ.DLL patch) applied. Maybe you even went so far as to apply MS01-026 (the last IIS cumulative patch). I'm loath to ask you to now go back to all of these machines and apply yet another patch, however... there are several circumstances that may apply to your systems that might make it necessary for you to get this new Security Bulletin patch applied quickly:

a) You're a web hosting environment.
b) You permit authoring on your IIS systems.
c) You have a web site on an IIS 4.0 box that does URL redirects only.

Otherwise, you can probably schedule this to be applied in your next maintenance window.

Five new vulnerabilities are addressed in this Security Bulletin, two privilege escalation issues and three Denial of Service issues. In particular, if you're running IIS 4.0 still, make sure you read the information under #1 below:

1. IIS 4.0 runs all processes executed by IIS as "in-process" applications. This means they can attain the privilege of the W3SVC service. By default W3SVC runs as LocalSystem. IIS 5.0 allows processes to be defined as in-process or out-of-process. However, several unspecified applications will always be trusted by IIS 5.0 and run in-process.

Like the vulnerability identified as MS00-052, IIS was determining whether an application was one of these trusted applications by relative path. So by implanting a correctly named application in a directory which was seen by IIS (or invoking it directly, say by placing it in the \scripts directory), IIS 5.0 would trust it and grant it in-process privileges. It could then gain the privilege of the parent process (IIS), granting it escalated privileges regardless of privileges specified within IIS configuration. Pretty serious problem. MS has not released the names of the trusted applications (which, I think, it should, so those applications can be searched for and appropriate action taken).

Affects IIS 5.0 only, because only IIS 5.0 can allow out-of-process applications to be spawned by IIS. IIS 4.0 *must not* allow untrusted apps to run since any of them can gain escalated privileges (since they all run in-process).

2. There exists a Buffer Overrun on IIS 4.0 and IIS 5.0 related to server side includes. If a properly formatted SSI file is placed on a web server, and IIS is asked to deliver it, it's possible to gain LocalSystem privilege and run arbitrary commands on the server.

Affects IIS 4.0 and IIS 5.0.

3. When Code Red (any existing known variant) is received by an IIS 4.0 box that has not applied MS01-033, the W3SVC service fails. Once MS01-033 is applied, this should not occur; the service should continue to operate despite Code Red attacks. However, if the IIS 4.0 box has configured a web site to perform URL redirection only (as an IP addressed web site), if Code Red attacks that IP address it will cause the W3SVC service to fail, regardless of MS01-033 being present or not. There was speculation that this was due to a fault in MS01-033. MS state that is not the case, and so have offered this fix for this new vulnerability.

Affects IIS 4.0 only.

4. Yet another WebDAV problem. This one doesn't handle a long malformed request well, leading to a DoS.

To disable WebDAV see:
http://support.microsoft.com/support/kb/articles/Q241/5/20.ASP

Previous WebDAV security issue documented in:
http://www.microsoft.com/technet/security/bulletin/MS01-016.asp

Affects 5.0 only (WebDAV is not available in IIS 4.0).

5. Invalid MIME Content-Type field value can cause IIS 5.0 to stop processing requests. If your IIS 5.0 system appears to hang, check the following:

- Open the Internet Services Manager
- Right-click on the virtual directory containing the content
- Select HTTP Headers, then click on File Types
- Search for an entry in the list whose MIME type is empty, and delete it.

Affects 5.0 only.

Full Details of the patch can be found at:
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2

iQCVAwUBO3vbVxBh2Kw/l7p5AQHouwP+MLq384J55j9RUXrfKYUGHr7D3fNE5WGu
bvwyeySVaprf/JJHWrgioTjdBNdfXdfMmtbZw1LmshksiagJ9VOf4PsMFpMLHvGF
hPjjeGxmhhWFNW1EEqcjNp/f3MxKaEjCKGgx4De8ifoG4oie3M7KcKUNvPtlQffF
Nr8eDx8iiVI=
=Enkz
-----END PGP SIGNATURE-----
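Item 1 of the message turns on how a trust decision is keyed: by an application's file name or relative path, or by its full canonical location. The Python below is an added illustration, not code from the bulletin, from IIS or from the post's author; it contrasts the weak check with a hardened one. The trusted names and paths are constructed placeholders, since the bulletin does not publish the real list.

```python
import ntpath  # Windows path semantics regardless of the host OS

# Constructed, hypothetical allow-list; MS01-044 did not disclose the real names.
TRUSTED_NAMES = {"trustedapp.dll", "helper.exe"}
TRUSTED_PATHS = {
    r"C:\WINNT\System32\inetsrv\trustedapp.dll",
    r"C:\WINNT\System32\inetsrv\helper.exe",
}


def canon(path: str) -> str:
    """Collapse '..' and '.', unify slashes and case so equal locations compare equal."""
    return ntpath.normcase(ntpath.normpath(path))


def trusted_by_name(path: str) -> bool:
    """Weak check in the style the bulletin describes: only the file name decides.

    Any copy of a file with a listed name, wherever it sits, passes this test.
    """
    return ntpath.basename(path).lower() in TRUSTED_NAMES


def trusted_by_canonical_path(path: str) -> bool:
    """Hardened check: an absolute, normalized path must match a listed location."""
    if not ntpath.isabs(path):
        return False  # relative references are never trusted
    return canon(path) in {canon(p) for p in TRUSTED_PATHS}


def classify(path: str) -> dict:
    """Run both checks on one path so the difference is visible side by side."""
    return {
        "path": path,
        "by_name": trusted_by_name(path),
        "by_canonical_path": trusted_by_canonical_path(path),
    }


if __name__ == "__main__":
    # Constructed sample inputs: the real file, a same-named copy under \scripts,
    # a differently written spelling of the real location, and a bare file name.
    for p in (
        r"C:\WINNT\System32\inetsrv\trustedapp.dll",
        r"C:\Inetpub\scripts\trustedapp.dll",
        r"c:/winnt/system32/inetsrv/../inetsrv/TRUSTEDAPP.DLL",
        "trustedapp.dll",
    ):
        print(classify(p))
```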