Vulnerability Note VU#395588
Microsoft Internet Information Services vulnerable to remote code execution via specially crafted ASP file
Microsoft Internet Information Services (IIS) contains a buffer overflow vulnerability. This may allow a remote, authenticated attacker to execute arbitrary code on a vulnerable system.
IIS is a web server that comes with Microsoft Windows.
ASP (Active Server Pages) is a technology for creating dynamic web sites. IIS includes the ability to serve ASP content.
IIS contains a buffer overflow in the handling of specially crafted ASP pages.
A remote, authenticated attacker may be able to run arbitrary code on a vulnerable system. This code would run with the privileges of IWAM_<machinename> on a system with IIS 5.0 and 5.1, and it would run with NetworkService privileges on a system with IIS 6.0.
Apply an update
This vulnerability is addressed by the updates provided by MS06-034.
| Vendor | Status | Date Notified | Date Updated |
| --- | --- | --- | --- |
| Microsoft Corporation | Affected | - | 11 Jul 2006 |
Thanks to Microsoft for reporting this vulnerability. Microsoft in turn credits Brett Moore of Security-Assessment.com.
This document was written by Will Dormann.
11 Jul 2006
Date First Published: 11 Jul 2006
Date Last Updated: 19 Jul 2006