Vulnerability Note VU#395588

Microsoft Internet Information Services vulnerable to remote code execution via specially crafted ASP file

Original Release Date: 11 Jul 2006 | Last Revised: 19 Jul 2006

Overview

Microsoft Internet Information Services (IIS) contains a buffer overflow vulnerability. This may allow a remote, authenticated attacker to execute arbitrary code on a vulnerable system.

Description

IIS

IIS is a web server that comes with Microsoft Windows.

ASP

ASP (Active Server Pages) is a technology for creating dynamic web sites. IIS includes the ability to serve ASP content.

The problem

IIS contains a buffer overflow in the handling of specially crafted ASP pages.

Impact

A remote, authenticated attacker may be able to run arbitrary code on a vulnerable system. This code would run with the privileges of IWAM_<machinename> on a system with IIS 5.0 and 5.1, and it would run with NetworkService privileges on a system with IIS 6.0.

Solution

Apply an update

This vulnerability is addressed by the updates provided by MS06-034.

Systems Affected

Vendor                 Status    Date Notified  Date Updated
Microsoft Corporation  Affected  -              11 Jul 2006

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

Thanks to Microsoft for reporting this vulnerability. Microsoft, in turn, credits Brett Moore of Security-Assessment.com.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2006-0026
  • Date Public: 11 Jul 2006
  • Date First Published: 11 Jul 2006
  • Date Last Updated: 19 Jul 2006
  • Severity Metric: 19.42
  • Document Revision: 5
