__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                       ___  __ __    _     ___
                      /       |     /_\   /
                      \___  __|__  /   \  \___
__________________________________________________________

                        INFORMATION BULLETIN

      Microsoft Cumulative Patch for Internet Information Service (IIS)
                  [Microsoft Security Bulletin MS03-018]

May 28, 2003 22:00 GMT                                           Number N-098
______________________________________________________________________________

PROBLEM:       There are four security vulnerabilities in IIS:
               1) A Cross-Site Scripting (CSS) vulnerability involving the
                  error message that is returned to advise that a requested
                  URL has been redirected.
               2) A buffer overrun that does not correctly validate requests
                  for certain types of web pages known as server side
                  includes.
               3) A denial of service vulnerability in the allocation of
                  memory requests when constructing headers to be returned
                  to a web client.
               4) A denial of service vulnerability that does not correctly
                  handle an error condition when an overly long WebDAV
                  request is passed.

PLATFORM:      * Microsoft Internet Information Server 4.0
               * Microsoft Internet Information Services 5.0
               * Microsoft Internet Information Services 5.1

DAMAGE:        Unpatched systems are vulnerable to denial of service attacks.
               The most serious of these vulnerabilities may allow an
               attacker to execute code of their choice.

SOLUTION:      Apply patch as described in Microsoft's security bulletin.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. The most serious vulnerability described
ASSESSMENT:    is the buffer overrun: an attacker would need the ability to
               upload a Server-side include page to a vulnerable IIS server.
               If the attacker then requested this page, a buffer overrun
               could result, which would allow the attacker to execute code
               of their choice on the server.
______________________________________________________________________________

LINKS:         CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/n-098.shtml
               ORIGINAL BULLETIN: http://www.microsoft.com/technet/treeview/
               default.asp?url=/technet/security/bulletin/MS03-018.asp
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS03-018 *****]

Microsoft Security Bulletin MS03-018

Cumulative Patch for Internet Information Service (811114)

Originally posted: May 28, 2003

Summary

Who should read this bulletin: Customers hosting web servers using
Microsoft® Windows NT® 4.0, Windows® 2000, or Windows® XP.

Impact of vulnerability: Allow an attacker to execute code of their choice

Maximum Severity Rating: Important

Recommendation: Customers hosting web servers using Microsoft® Windows NT®
4.0, Windows® 2000, or Windows® XP should install the patch at the earliest
opportunity.

Affected Software:
* Microsoft Internet Information Server 4.0
* Microsoft Internet Information Services 5.0
* Microsoft Internet Information Services 5.1

Non Affected Software:
* Microsoft Internet Information Services 6.0

End User Bulletin: An end user version of this bulletin is available at:
http://www.microsoft.com/security/security_bulletins/ms03-018.asp.

Technical details

Technical description:

This patch is a cumulative patch that includes the functionality of all
security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a,
and all security patches released to date for IIS 5.0 since Windows 2000
Service Pack 2 and IIS 5.1. A complete listing of the patches superseded by
this patch is provided below, in the section titled "Additional information
about this patch".
In addition to all previously released security patches, this patch also
includes fixes for the following newly discovered security vulnerabilities
affecting IIS 4.0, 5.0 and 5.1:

* A Cross-Site Scripting (CSS) vulnerability affecting IIS 4.0, 5.0 and 5.1
  involving the error message that's returned to advise that a requested URL
  has been redirected. An attacker who was able to lure a user into clicking
  a link on his or her web site could relay a request containing script to a
  third-party web site running IIS, thereby causing the third-party site's
  response (still including the script) to be sent to the user. The script
  would then render using the security settings of the third-party site
  rather than the attacker's.

* A buffer overrun that results because IIS 5.0 does not correctly validate
  requests for certain types of web pages known as server side includes. An
  attacker would need the ability to upload a Server-side include page to a
  vulnerable IIS server. If the attacker then requested this page, a buffer
  overrun could result, which would allow the attacker to execute code of
  their choice on the server with user-level permissions.

* A denial of service vulnerability that results because of a flaw in the
  way IIS 4.0 and 5.0 allocate memory requests when constructing headers to
  be returned to a web client. An attacker would need the ability to upload
  an ASP page to a vulnerable IIS server. This ASP page, when called by the
  attacker, would attempt to return an extremely large header to the calling
  web client. Because IIS does not limit the amount of memory that can be
  used in this case, this could cause IIS to fail as a result of running out
  of local memory.

* A denial of service vulnerability that results because IIS 5.0 and 5.1 do
  not correctly handle an error condition when an overly long WebDAV request
  is passed to them. As a result an attacker could cause IIS to fail;
  however, both IIS 5.0 and 5.1 will by default restart immediately after
  this failure.
There is a dependency associated with this patch: it requires the patch from
Microsoft Security Bulletin MS02-050 to be installed. If this patch is
installed and MS02-050 is not present, client side certificates will be
rejected. This functionality can be restored by installing the MS02-050
patch.

Mitigating factors:

Redirection Cross Site Scripting:
* IIS 6.0 is not affected.
* The vulnerability could only be exploited if the attacker could entice
  another user into visiting a web page and clicking a link on it, or
  opening an HTML mail.
* The target page must be an ASP page which uses Response.Redirect to
  redirect the client to a new URL that is based on the incoming URL of the
  current request.

Server Side Include Web Pages Buffer Overrun:
* IIS 4.0, IIS 5.1 and IIS 6.0 are not affected.
* The IIS Lockdown tool by default disables the ssinc.dll mapping, which
  will block this attack.
* By default IIS 5.0 runs under a user account and not the system account.
  Therefore an attacker who successfully exploited the vulnerability would
  only gain user level permissions rather than administrative level
  permissions.
* An attacker must have the ability to upload files to the IIS Server.

ASP Headers Denial of Service:
* An attacker must have the ability to upload files to the IIS server.
* IIS 5.0 will automatically restart after failing.
* IIS 5.1 and IIS 6.0 are not affected.

WebDAV Denial of Service:
* IIS 6.0 is not affected.
* IIS 5.0 and 5.1 will restart automatically after this failure.
* The IIS Lockdown tool disables WebDAV by default, which will block this
  attack.
Severity Rating:

                                           IIS 4.0    IIS 5.0    IIS 5.1
  Redirection Cross Site Scripting         Low        Low        Low
  Server Side Include Web Pages
    Buffer Overrun                         None       Moderate   None
  ASP Headers Denial of Service            Moderate   Moderate   None
  WebDAV Denial of Service                 None       Important  Important
  Aggregate Severity of all
    Vulnerabilities                        Moderate   Important  Important

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifiers:
  Redirection Cross Site Scripting                CAN-2003-0223
  Server Side Include Web Pages Buffer Overrun    CAN-2003-0224
  ASP Headers Denial of Service                   CAN-2003-0225
  WebDAV Denial of Service                        CAN-2003-0226

Tested Versions: Microsoft tested IIS 4.0, 5.0, 5.1 and 6.0 to assess whether
they are affected by these vulnerabilities. Previous versions are no longer
supported, and may or may not be affected by these vulnerabilities.

Patch availability

Download locations for this patch
* IIS 4.0: All
* IIS 5.0: All
* IIS 5.1: 32-bit Edition, 64-bit Edition

Additional information about this patch

Installation platforms:
* The IIS 4.0 patch can be installed on systems running Windows NT 4.0
  Service Pack 6a.
* The IIS 5.0 patch can be installed on systems running Windows 2000 Service
  Pack 2 or Service Pack 3.
* The IIS 5.1 patch can be installed on systems running Windows XP
  Professional Gold and Service Pack 1.

Inclusion in future service packs:
* No additional service packs are planned for Windows NT 4.0.
* The IIS 5.0 fixes will be included in Windows 2000 Service Pack 4.
* The IIS 5.1 fixes will be included in Windows XP Service Pack 2.

Reboot needed:
* IIS 4.0: A reboot can be avoided by stopping the IIS service, installing
  the patch with the /z switch, then restarting the service.
  Knowledge Base article Q327696 provides additional information on this
  procedure.
* IIS 5.0: In most cases, the patch does not require a reboot. The installer
  stops the needed services, applies the patch, then restarts them. However,
  if the needed services cannot be stopped for any reason, it will require a
  reboot. If this occurs, a prompt will be displayed advising of the need to
  reboot.
* IIS 5.1: No. (In some cases, a pop-up dialogue may say that the system
  needs to be rebooted in order for the patch installation process to be
  completed. This dialogue, if it appears, can be ignored.)

Patch can be uninstalled: Yes

Superseded patches: This patch supersedes the ones provided in the following
Microsoft Security Bulletins:
* MS02-062
* MS02-028
* MS02-018
(This is a cumulative patch, and supersedes additional patches.)

Verifying patch installation:

IIS 4.0:
* To verify that the patch has been installed on the machine, confirm that
  the following registry key has been created on the machine:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q811114
* To verify the individual files, consult the file manifest in Knowledge
  Base article 811114.

IIS 5.0:
* To verify that the patch has been installed on the machine, confirm that
  the following registry key has been created on the machine:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q811114
* To verify the individual files, use the date/time and version information
  provided in the following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q811114\Filelist

IIS 5.1:
* To verify that the patch has been installed on the machine, confirm that
  the following registry key has been created on the machine:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q811114
* To verify the individual files, use the date/time and version information
  provided in the following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q811114\Filelist
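The registry checks above can be scripted so that a fleet of IIS hosts is verified the same way. The following PowerShell is an added example, not part of the CIAC or Microsoft bulletin; it assumes it runs locally on the IIS host with read access to HKLM, and that the operator knows which IIS version the host runs.

```powershell
# Added example (not from the bulletin): look for the registry markers that
# the MS03-018 patch (Q811114) creates, per IIS version, and list the entries
# recorded under the Filelist subkey where the bulletin says one exists.
# Assumption: executed locally on the IIS host with read access to HKLM.

$markers = @{
    'IIS 4.0' = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q811114'
    'IIS 5.0' = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q811114'
    'IIS 5.1' = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q811114'
}

function Test-Ms03018Marker {
    param([Parameter(Mandatory)][string]$Version)

    $key = $markers[$Version]
    if (-not $key) { throw "Unknown IIS version '$Version'" }

    $result = [ordered]@{ Version = $Version; Key = $key; Installed = $false; Files = @() }
    if (Test-Path -LiteralPath $key) {
        $result.Installed = $true
        # IIS 5.0 and 5.1 keep per-file date/time and version data in
        # ...\Q811114\Filelist; IIS 4.0 has no such subkey, so for it the
        # bulletin points to the file manifest in KB article 811114 instead.
        $filelist = Join-Path $key 'Filelist'
        if (Test-Path -LiteralPath $filelist) {
            $result.Files = Get-ChildItem -LiteralPath $filelist | ForEach-Object {
                [pscustomobject]@{
                    Entry      = $_.PSChildName
                    Properties = Get-ItemProperty -LiteralPath $_.PSPath
                }
            }
        }
    }
    [pscustomobject]$result
}

# Check every marker; only the one matching the installed IIS version matters.
$report = foreach ($v in $markers.Keys) { Test-Ms03018Marker -Version $v }
$report | Format-Table Version, Installed, Key -AutoSize

if (-not ($report | Where-Object Installed)) {
    Write-Warning 'No Q811114 registry marker found: MS03-018 does not appear to be installed.'
}
```

A present marker only proves the installer ran; compare the Filelist versions (or the KB 811114 manifest for IIS 4.0) against the files on disk before treating the host as patched.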
Caveats:

1. This patch requires the patch from Microsoft Security Bulletin MS02-050 to
   be installed. If this IIS cumulative patch is installed and MS02-050 is
   not present, client side certificates will be disabled. This functionality
   can be restored by installing the MS02-050 patch either before or after
   installing the IIS Cumulative patch.

2. The fixes for four vulnerabilities affecting IIS 4.0 servers are not
   included in the patch, because they require administrative action rather
   than a software change. Administrators should ensure that in addition to
   applying this patch, they also have taken the administrative action
   discussed in the following bulletins:
   * Microsoft Security Bulletin MS00-028
   * Microsoft Security Bulletin MS00-025
   * Microsoft Security Bulletin MS99-025 (which discusses the same issue as
     Microsoft Security Bulletin MS98-004)
   * Microsoft Security Bulletin MS99-013

3. The patch does not include fixes for vulnerabilities involving non-IIS
   products like Front Page Server Extensions and Index Server, even though
   these products are closely associated with IIS and typically installed on
   IIS servers. At this writing, the bulletins discussing these
   vulnerabilities are:
   * Microsoft Security Bulletin MS02-053
   * Microsoft Security Bulletin MS02-050
   * Microsoft Security Bulletin MS01-043
   * Microsoft Security Bulletin MS01-025
   * Microsoft Security Bulletin MS00-084
   * Microsoft Security Bulletin MS00-018
   * Microsoft Security Bulletin MS00-006
   There is, however, one exception. The fix for the vulnerability affecting
   Index Server which is discussed in Microsoft Security Bulletin MS01-033 is
   included in this patch. We have included it because of the seriousness of
   the issue for IIS servers.

4. Customers using IIS 4.0 should ensure that they have followed the correct
   installation order before installing this or any security patch.
   Specifically, customers should ensure that Windows NT 4.0 Service Pack 6a
   has been applied (or re-applied) after installing the IIS 4.0 service.

5. Customers using Site Server should be aware that a previously documented
   issue involving intermittent authentication errors has been determined to
   affect this and a small number of other patches. Microsoft Knowledge Base
   article Q317815 discusses the issue and how to resolve it.

Localization: Localized versions of this patch are available at the locations
discussed in "Patch Availability".

Obtaining other security patches: Patches for other security issues are
available from the following locations:
* Security patches are available from the Microsoft Download Center, and can
  be most easily found by doing a keyword search for "security_patch".
* Patches for consumer platforms are available from the WindowsUpdate web
  site.

Other information:

Acknowledgments

Microsoft thanks the following for reporting these issues to us and working
with us to protect customers:
* SPIDynamics SPI Labs for reporting the Redirection Cross Site Scripting and
  WebDAV Denial of Service vulnerabilities.
* NSFocus for reporting the Server Side Include Web Pages Buffer Overrun
  vulnerability.

Support:
* Microsoft Knowledge Base article 811114 discusses this issue. Knowledge
  Base articles can be found on the Microsoft Online Support web site.
* Technical support is available from Microsoft Product Support Services.
  There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.

Disclaimer: The information provided in the Microsoft Knowledge Base is
provided "as is" without warranty of any kind. Microsoft disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose.
In no event shall Microsoft Corporation or its suppliers be liable for any
damages whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if Microsoft Corporation or
its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not
apply.

Revisions:
* V1.0 (May 28, 2003): Bulletin Created.

[***** End Microsoft Security Bulletin MS03-018 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC.
The Forum of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their constituencies
can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-088: Hewlett-Packard rexec Command Security Vulnerability
N-089: Red Hat MySQL Vulnerabilities
N-090: Red Hat mod_auth_any Vulnerabilities
N-091: Sun Cobalt PHP SafeMode Vulnerability
N-092: Microsoft Flaw in Windows Media Player Skins
N-093: Cisco VPN 3000 Concentrator Vulnerabilities
N-094: HP Potential Security Vulnerability in wall(1M)
N-095: Red Hat Multiple Vulnerabilities in KDE
N-096: Red Hat New Kernel Fixes Local Security Issues
N-097: Red Hat Updated Tcpdump Packages