IIS Vulnerabilities

CVE 1999-0874

Impact

An attacker could send a specially constructed request which crashes the server, executes arbitrary code with the privileges of the web server, or reveals the source code of ASP pages.

Note: The stoplight on this page indicates the highest severity level for this category of vulnerabilities. Please refer to the dot beside the link to this tutorial on the previous page to find out the true severity level.

Background

Microsoft IIS web servers accept requests for a number of different types of files. The most common methods of requesting a file are GET and POST. In addition to the request itself, the web browser sends the IIS server additional information called headers which are not seen by the user. Information in the header can include browser type, content type, content length, and other information.

Three of the file types for which IIS accepts requests are .HTR files (for remote administration of passwords), .IDC files (Internet Database Connectors), and .STM files (server side include files). Whenever any file of one of these types is requested by a client, a corresponding DLL file is executed on the server, regardless of whether or not the requested file actually exists on the server.

The Problem


Buffer Overflow in IIS 4.0

CVE 1999-0874

In Microsoft IIS version 4.0, the DLL files which are executed when .HTR, .IDC, or .STM files are requested have a buffer overflow condition which could allow an attacker to crash the server or execute arbitrary commands on the web server.

SAINT was unable to confirm this vulnerability. The server is not vulnerable to this attack if any of the following conditions exist:

If none of the above conditions exist, then the server is probably vulnerable.


Specialized Header Vulnerability

One of the headers that can appear in an http request is Translate: f. This header is supposed to allow FrontPage2000, or any WebDAV compatible client, to retrieve the source code of scriptable pages for editing. Due to a bug, any client can retrieve the source code in this manner.

If good security practices are in use, the source code will not include any sensitive information, making this vulnerability minor. However, many scriptable pages on web servers include passwords or other sensitive information in the source, which could be used by an attacker to launch a more destructive attack.

Resolutions

For the buffer overflow in IIS 4.0, install Service Pack 6. If you do not wish to install the service pack, then install the ext-fix hotfix or apply the workaround for this vulnerability. See Microsoft Knowledge Base article Q234905 for information on the hotfix and the workaround.

For the specialized header vulnerability, install the patch.

Where can I read more about this?

More information on the buffer overflow vulnerability is available from Microsoft Security Bulletin 99-019 and from Microsoft Knowledge Base article Q234905.

More information on the specialized header vulnerability is available from Bugtraq and Microsoft Security Bulletin 00-058.