search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Microsoft Internet Information Server (IIS) contains remote buffer overflow in chunked encoding data transfer mechanism for HTR

Vulnerability Note VU#313819

Original Release Date: 2002-06-13 | Last Revised: 2004-02-23

Overview

A buffer overflow vulnerability in IIS 4.0 and 5.0 could allow an intruder to execute arbitrary code on an IIS server with the privileges of the HTR ISAPI extension.

Description

Chunked encoding is a means to transfer variable-sized units of data (called chunks) from a web client to a web server. There is a buffer overflow in the HTR code that deals with chunks.

Buffers used to store chunks are allocated on the heap, and therefore this vulnerability can be called a heap-based buffer overflow. Exploiting a heap-based buffer overflow to gain control of a system can sometimes be more difficult than exploiting other kinds of buffer overflows to gain control. However, the failure is more conducive to gaining control of the system than other typical heap-based buffer overflows. Quoting from Microsoft Security Bulletin MS02-028:


This vulnerability is an example of so-called heap overrun; because of the dynamic nature of system memory, these can be more difficult to exploit than stack overruns and may require more sophisticated skills. Data on the server can change locations from one moment to the next, impeding the attacker's ability to overwrite selected programs or data. However, in this case, the attacker wouldn't need to know where programs were located, but could instead simply overwrite large portions of system memory indiscriminately.


This vulnerability is very similar to VU#669779.

Impact

An intruder can interrupt the ordinary operation of a vulnerable IIS server or execute arbitrary code with the privileges of HTR ISAPI extension. On IIS 4.0, ASP.DLL runs as part of the operating system thus allowing an intruder to take full administrative control. On IIS 5.0, ASP.DLL runs with the privileges of the IWAM_computername account.

Solution

Apply a patch as described in Microsoft Security Bulletin MS02-028.

Until a patch can be applied, you may wish to disable the HTR ISAPI extension by using the IIS Lockdown tool, available at http://www.microsoft.com/technet/security/tools/locktool.asp. In addition, you can use the URLScan tool to block URLs that contain non-ASCII data. This may be useful in limiting the damage an intruder could do through this vulnerability. The HTR extension is not widely used, and should be disabled if not absolutely required.

Vendor Information

313819
 
Expand all

Microsoft Corporation Affected

Updated:  June 13, 2002

Status

Affected

Vendor Statement

See Microsoft Security Bulletin MS02-028.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

http://www.microsoft.com/technet/security/bulletin/MS02-028.asp

Acknowledgements

Thanks to Ryan Permeh of Eeye Digital Security for reporting this vulnerability.

This document was written by Shawn V Hernan based on information provided by Microsoft in Microsoft Security Bulletin MS02-028.

Other Information

CVE IDs: CVE-2002-0364
Severity Metric: 15.69
Date Public: 2002-06-12
Date First Published: 2002-06-13
Date Last Updated: 2004-02-23 22:16 UTC
Document Revision: 12

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis