SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#113716

Microsoft Windows Media Services contains buffer overflow in "nsiislog.dll"

Overview

Microsoft Windows Media Services provides streaming audio and video capabilities. A vulnerability in a component of this software could allow a remote attacker to compromise the server running it.

I. Description

According to Microsoft Security Bulletin MS03-022:

    Microsoft Windows Media Services is a feature of Microsoft Windows 2000 Server, Advanced Server, and Datacenter Server and is also available in a downloadable version for Windows NT 4.0 Server. Windows Media Services contains support for a method of delivering media content to clients across a network known as multicast streaming. In multicast streaming, the server has no connection to or knowledge of the clients that may be receiving the stream of media content coming from the server. To facilitate logging of client information for the server, Windows 2000 includes a capability specifically designed to enable logging for multicast transmissions.

    This logging capability is implemented as an Internet Services Application Programming Interface (ISAPI) extension nsiislog.dll. When Windows Media Services are added through add/remove programs to Windows 2000, nsiislog.dll is installed in the Internet Information Services (IIS) Scripts directory on the server. Once Windows Media Services is installed, nsiislog.dll is automatically loaded and used by IIS.


A buffer overflow flaw exists in the way that nsiislog.dll processes incoming client requests. This flaw results in a vulnerability because an attacker could send the server a maliciously crafted HTTP request that could execute code on the vulnerable server or could cause IIS to fail.

This vulnerability is not believed to immediately affect servers running Windows Media Services as a stand-alone service outside the context of IIS. Since the nsiislog.dll file is not available as an ISAPI extension in this environment, an attacker would not be able to supply data to it in a way that exploits the buffer overflow error. The CERT/CC still encourages sites employing this configuration to apply the remediation steps described below in order to mitigate other potential exploitation vectors.

II. Impact

A remote attacker may be able to execute arbitrary code in the context of the account under which IIS was running. This access could be leveraged by the attacker to take any action on the system.

III. Solution

Microsoft has released patches for this issue. Users are encouraged to review Microsoft Security Bulletin MS03-022 for more information.

Workarounds

If nsiislog.dll is being used as an ISAPI extension to IIS and its functionality is not required, sites are encouraged to unmap the extension.

Systems Affected

VendorStatusDate NotifiedDate Updated
Microsoft CorporationVulnerable15-Jul-2003

References


http://www.microsoft.com/technet/security/bulletin/MS03-022.asp
http://www.microsoft.com/security/security_bulletins/ms03-022.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;822343
http://www.secunia.com/advisories/9115/
http://securitytracker.com/alerts/2003/Jun/1007059.html

Credit

This issue was discovered, researched, and reported to Microsoft by Brett Moore of Security-Assessment.com.

This document was written by Chad R Dougherty.

Other Information

Date Public:2003-06-25
Date First Published:2003-07-31
Date Last Updated:2003-07-31
CERT Advisory: 
CVE-ID(s):CAN-2003-0349
NVD-ID(s):CAN-2003-0349
US-CERT Technical Alerts: 
Metric:19.24
Document Revision:13

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2003 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader