Vulnerability Note VU#454091

Microsoft Internet Information Server (IIS) vulnerable to buffer overflow via inaccurate checking of delimiters in HTTP header fields

Original Release date: 10 Apr 2002 | Last revised: 10 Apr 2002

Overview

A buffer overflow in IIS could allow an intruder to execute arbitrary code the the privileges of the ASP ISAPI extension.

Description

Like all web servers, IIS parses HTTP headers and decomposes them into the constituent parts. As part of this processing, IIS checks for delimiters that are supposed to mark boundaries within the headers. By constructing a carefully chosen HTTP request, and intruder to cause IIS to incorrectly parse an HTTP header, and place the incorrect results into a buffer that is too small. For more information, see Microsoft Security Bulletin MS02-018.

Impact

An intruder can interrupt the ordinary operation of a vulnerable IIS server or execute arbitrary code with the privileges of ASP ISAPI extension, ASP.DLL. On IIS 4.0, ASP.DLL runs as part of the operating system thus allowing an intruder to take full administrative control. On IIS 5.0 and 5.1, ASP.DLL runs with the privileges of the IWAM_computername account.

Solution

Apply a patch as described in Microsoft Security Bulletin MS02-018.

Until a patch can be applied, you may wish to disable the ASP ISAPI extension by using the IIS Lockdown tool, available at http://www.microsoft.com/technet/security/tools/locktool.asp. Additionally, the URLScan tool can help reduce the impact of this vulnerability.

Systems Affected (Learn More)

No information available. If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Our thanks to Microsoft Corporation, upon whose advisory this document is based.

This document was written by Shawn V. Hernan.

Other Information

  • CVE IDs: CAN-2002-0150
  • Date Public: 10 Apr 2002
  • Date First Published: 10 Apr 2002
  • Date Last Updated: 10 Apr 2002
  • Severity Metric: 51.30
  • Document Revision: 5

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.