[THIN] Re: FW: CERT Advisory CA-2003-09 Buffer Overflow in Microsoft IIS 5.0

  • From: "Alexander Danilychev" <teknica@xxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Mon, 17 Mar 2003 18:04:27 -0800

Thanks!

>From: "Jim Kenzig http://thethin.net"; <jimkenz@xxxxxxxxxxxxxx>
>Reply-To: thin@xxxxxxxxxxxxx
>To: <windows2000@xxxxxxxxxxxxx>, <thin@xxxxxxxxxxxxx>
>Subject: [THIN] FW: CERT Advisory CA-2003-09 Buffer Overflow in Microsoft IIS 5.0
>Date: Mon, 17 Mar 2003 19:05:52 -0500
>
>
>If you are running IIS 5 patch now or suffer later.
>JK
>
>-----Original Message-----
>From: CERT Advisory [mailto:cert-advisory@xxxxxxxx]
>Sent: Monday, March 17, 2003 2:07 PM
>To: cert-advisory@xxxxxxxx
>Subject: CERT Advisory CA-2003-09 Buffer Overflow in Microsoft IIS 5.0
>
>
>
>
>CERT Advisory CA-2003-09 Buffer Overflow in Microsoft IIS 5.0
>
>    Original issue date: March 17, 2003
>    Last revised: --
>    Source: CERT/CC
>
>    A complete revision history is at the end of this file.
>
>Systems Affected
>
>      * Systems running Microsoft Windows 2000 with IIS 5.0 enabled
>
>Overview
>
>    A buffer overflow vulnerability exists in Microsoft IIS 5.0 running on
>    Microsoft Windows 2000. IIS 5.0 is installed and running by default on
>    Microsoft  Windows 2000 systems. This vulnerability may allow a remote
>    attacker to run arbitrary code on the victim machine.
>
>    An  exploit  is  publicly  available  for  this  vulnerability,  which
>    increases the urgency that system administrators apply a patch.
>
>I. Description
>
>    IIS  5.0 includes support for WebDAV, which allows users to manipulate
>    files   stored   on   a   web  server  (RFC2518).  A  buffer  overflow
>    vulnerability  exists  in ntdll.dll (a portion of code utilized by the
>    IIS  WebDAV  component).  By sending a specially crafted request to an
>    IIS  5.0  server, an attacker may be able to execute arbitrary code in
>    the  Local  System  security  context, essentially giving the attacker
>    complete control of the system.
>
>    Microsoft   has   issued   the   following   bulletin  regarding  this
>    vulnerability:
>
>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-007.asp
>
>    This  vulnerability  has been assigned the identifier CAN-2003-0109 by
>    the Common Vulnerabilities and Exposures (CVE) group:
>
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0109
>
>II. Impact
>
>    Any  attacker  who can reach a vulnerable web server can gain complete
>    control  of  the system and execute arbitrary code in the Local System
>    security  context.  Note  that  this may be significantly more serious
>    than a simple "web defacement."
>
>III. Solution
>
>Apply a patch from your vendor
>
>    A patch is available from Microsoft at
>
>http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en
>
>Disable vulnerable service
>
>    Until  a  patch  can  be  applied,  you  may  wish  to disable IIS. To
>    determine if IIS is running, Microsoft recommends the following:
>
>Go  to  Start  |  Settings  |  Control  Panel | Administrative Tools |
>Services.
>
>    If the World Wide Web Publishing service is listed, then IIS
>    is installed.
>
>    To  disable  IIS,  run  the  IIS lockdown tool. This tool is available
>    here:
>
>http://www.microsoft.com/downloads/release.asp?ReleaseID=43955
>
>    If  you  cannot  disable  IIS, consider using the IIS lockdown tool to
>    disable  WebDAV (removing WebDAV can be specified when running the IIS
>    lockdown tool). Alternatively, you can disable WebDAV by following the
>    instructions located in Microsoft's Knowledgebase Article 241520, "How
>    to Disable WebDAV for IIS 5.0":
>
>http://support.microsoft.com/default.aspx?scid=kb;en-us;241520
>
>Restrict buffer size
>
>    If  you  cannot  use  either the IIS lockdown tool or URLScan, consider
>    restricting the size of the buffer IIS utilizes to process requests by
>    using  Microsoft's URL Buffer Size Registry Tool. This tool can be run
>    against  a  local  or  remote Windows 2000 system running Windows 2000
>    Service Pack 2 or Service Pack 3. The tool, instructions on how to use
>    it,  and  instructions on how to manually make changes to the registry
>    are available here:
>
>URL Buffer Size Registry Tool - 
>http://go.microsoft.com/fwlink/?LinkId=14875
>
>Microsoft Knowledge Base Article 816930 -
>http://support.microsoft.com/default.aspx?scid=kb;en-us;816930
>
>Microsoft Knowledge Base Article 260694 -
>http://support.microsoft.com/default.aspx?scid=kb;en-us;260694
>
>    You  may  also wish to use URLScan, which will block web requests that
>    attempt  to  exploit  this vulnerability. Information about URLScan is
>    available at:
>
>http://support.microsoft.com/default.aspx?scid=kb;[LN];326444
>
>Appendix A. Vendor Information
>
>    This  appendix  contains information provided by vendors. When vendors
>    report  new  information,  this section is updated and the changes are
>    noted  in  the  revision  history. If a vendor is not listed below, we
>    have not received their comments.
>
>Microsoft Corporation
>
>      Please see Microsoft Security Bulletin MS03-007.
>      _________________________________________________________________
>
>    Author: Ian A. Finlay
>    ______________________________________________________________________
>
>    This document is available from:
>    http://www.cert.org/advisories/CA-2003-09.html
>    ______________________________________________________________________
>
>CERT/CC Contact Information
>
>    Email: cert@xxxxxxxx
>           Phone: +1 412-268-7090 (24-hour hotline)
>           Fax: +1 412-268-6989
>           Postal address:
>           CERT Coordination Center
>           Software Engineering Institute
>           Carnegie Mellon University
>           Pittsburgh PA 15213-3890
>           U.S.A.
>
>    CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
>    EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
>    during other hours, on U.S. holidays, and on weekends.
>
>Using encryption
>
>    We  strongly  urge you to encrypt sensitive information sent by email.
>    Our public PGP key is available from
>    http://www.cert.org/CERT_PGP.key
>
>    If  you  prefer  to  use  DES,  please  call the CERT hotline for more
>    information.
>
>Getting security information
>
>    CERT  publications  and  other security information are available from
>    our web site
>    http://www.cert.org/
>
>    To  subscribe  to  the CERT mailing list for advisories and bulletins,
>    send  email  to majordomo@xxxxxxxxx. Please include in the body of your
>    message
>
>    subscribe cert-advisory
>
>    *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
>    Patent and Trademark Office.
>    ______________________________________________________________________
>
>    NO WARRANTY
>    Any  material furnished by Carnegie Mellon University and the Software
>    Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
>    Mellon University makes no warranties of any kind, either expressed or
>    implied  as  to  any matter including, but not limited to, warranty of
>    fitness  for  a  particular purpose or merchantability, exclusivity or
>    results  obtained from use of the material. Carnegie Mellon University
>    does  not  make  any warranty of any kind with respect to freedom from
>    patent, trademark, or copyright infringement.
>      _________________________________________________________________
>
>    Conditions for use, disclaimers, and sponsorship information
>
>    Copyright 2003 Carnegie Mellon University.
>
>    Revision History
>
>    March 17, 2003: Initial release
>
>
>*********************************************************
>This Week's Sponsor - RTO Software / TScale
>TScale increases terminal server capacity.
>Get 30-40% more users per server to save $$$ and time.
>Add users now! - not more servers. If you're using Citrix,
>you must learn about TScale!  Free 30-day eval:
>http://www.rtosoft.com/Enter.asp?ID=79
>**********************************************************
>
>For Archives, to Unsubscribe, Subscribe or
>set Digest or Vacation mode use the below link:
>http://thethin.net/citrixlist.cfm



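An added example, not part of the advisory or the list post, for deciding between the two WebDAV workarounds the advisory describes: it triages IIS 5.0 W3C extended log lines to show which clients actually use WebDAV methods (what disabling WebDAV would break) and which requests exceed the URL buffer limit that the registry tool enforces. The log records are constructed, and the 16 KB limit is an assumption; the advisory itself states no number.

```python
# Triage IIS 5.0 W3C log lines for the two CA-2003-09 WebDAV workarounds:
# who actually uses WebDAV methods (what disabling WebDAV will break) and
# which requests exceed the URL buffer limit the registry tool enforces.
from collections import Counter

# RFC 2518 methods plus SEARCH, which the IIS 5.0 WebDAV handler also serves.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
# Assumption: 16 KB is the limit the tool sets; the advisory gives no number.
URL_BUFFER_LIMIT = 16 * 1024

def parse_w3c(lines):
    """Yield one dict per record, keyed by the latest #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) == len(fields):  # skip truncated or malformed records
            yield dict(zip(fields, parts))

def triage(lines):
    """Return (Counter of client IPs using WebDAV, list of oversize requests)."""
    clients, oversize = Counter(), []
    for rec in parse_w3c(lines):
        method = rec.get("cs-method", "").upper()
        if method in WEBDAV_METHODS:
            clients[rec.get("c-ip", "?")] += 1
        query = rec.get("cs-uri-query", "-")
        stem = rec.get("cs-uri-stem", "")
        length = len(stem) + (0 if query == "-" else 1 + len(query))
        if length > URL_BUFFER_LIMIT:
            oversize.append((rec.get("c-ip", "?"), method, length))
    return clients, oversize

# Constructed sample log, not real traffic; the last record is oversize.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2003-03-17 14:07:01 10.0.0.5 GET /default.htm - 200",
    "2003-03-17 14:07:09 10.0.0.8 PROPFIND /shared/ - 207",
    "2003-03-17 14:07:10 10.0.0.8 LOCK /shared/report.doc - 200",
    "2003-03-17 14:08:30 10.0.0.9 GET /" + "A" * 20000 + " - 414",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```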
