Reported October 30, 2002, by Microsoft.
· Microsoft Internet Information Services (IIS) 5.1
· Microsoft Internet Information Services (IIS) 5.0
· Microsoft Internet Information Server (IIS) 4.0
Four new vulnerabilities exist in IIS. The most serious lets an attacker escalate privileges, and another results in a Denial of Service (DoS) condition on the vulnerable server. These four new vulnerabilities are:
· A privilege elevation vulnerability affecting the way the server launches Internet Server APIs (ISAPIs) when an IIS 5.1, 5.0, or 4.0 server is configured to run the ISAPIs out of process. By design, the hosting process (dllhost.exe) should run only in the security context of the IWAM_computername account; however, under certain circumstances, an attacker can make the hosting process acquire LocalSystem privileges, which in turn lets an ISAPI acquire those privileges as well.
· A DoS vulnerability resulting from a problem in the way IIS 5.1 and 5.0 allocate memory for WWW Distributed Authoring and Versioning (WebDAV) requests. By sending several malformed WebDAV requests, an attacker can cause the server to fail.
· A vulnerability associated with the operation of the script source access permission in IIS 5.0. This permission operates in addition to the normal read/write permissions for a virtual directory and regulates whether a user can upload scripts, .asp files, and executable file types to a write-enabled virtual directory. A typographical error in the table that defines the file types subject to this permission has the effect of omitting .com files from the list of files subject to the permission. As a result, an attacker needs only write access to upload such a file.
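The following is an added example, not code from the advisory or from Microsoft, that models the script source access check described above: an upload to a write-enabled virtual directory is allowed unless the file type is in the script/executable table, in which case script source access is also required. The extension table is an assumption constructed for this example (the real IIS table is not reproduced on this page); the flawed variant drops .com, as the advisory describes, so a .com upload passes with write permission alone. The extension normalization also strips trailing dots and spaces, which the Windows file system discards when storing a name, so a check that compares the raw filename would miss "tool.com." as well.

```python
import posixpath

# Assumed table of file types that script source access governs
# (constructed for this example; not the actual IIS table).
SCRIPT_TYPES_CORRECT = frozenset({".asp", ".asa", ".exe", ".dll", ".com", ".bat", ".cmd"})

# The same table with the omission the advisory describes: .com is missing.
SCRIPT_TYPES_FLAWED = SCRIPT_TYPES_CORRECT - {".com"}


def normalize_extension(filename):
    """Return the lower-cased extension the file will actually be stored with.

    Windows file names are case-insensitive, and the file system drops trailing
    dots and spaces, so 'tool.COM. ' is stored as 'tool.COM' and runs as a .com.
    """
    name = posixpath.basename(filename.replace("\\", "/")).rstrip(". ")
    return posixpath.splitext(name)[1].lower()


def upload_allowed(filename, perms, script_types):
    """Decide whether an upload is permitted.

    perms is the set of permissions on the virtual directory, e.g.
    {"write"} or {"write", "script_source_access"}.
    """
    if "write" not in perms:
        return False  # no write permission: nothing can be uploaded
    if normalize_extension(filename) in script_types:
        # script/executable type: write alone is not enough
        return "script_source_access" in perms
    return True  # plain content (.htm, .gif, ...) needs only write


def audit_gap(script_types, expected=SCRIPT_TYPES_CORRECT):
    """Return the executable types a table fails to cover (the advisory's .com case)."""
    return sorted(expected - script_types)


if __name__ == "__main__":
    write_only = {"write"}
    print(upload_allowed("tool.com", write_only, SCRIPT_TYPES_FLAWED))   # True: slips through
    print(upload_allowed("tool.com", write_only, SCRIPT_TYPES_CORRECT))  # False: blocked
    print(audit_gap(SCRIPT_TYPES_FLAWED))                                # ['.com']
```

The audit_gap helper is the defender-side check: diff the table the server actually enforces against the set of types you expect to be executable, and any difference is a file type an upload-only user can plant. The patch in MS02-062 is the real fix; the audit is how you would confirm the gap is closed on a given server model.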
· A pair of cross-site scripting vulnerabilities affecting IIS 5.1, 5.0, and 4.0 and involving administrative Web pages. Both vulnerabilities have the same scope and effect: An attacker who was able to lure a user into clicking a link on the attacker's Web site could relay a request containing script to a third-party Web site running IIS, causing that site to send its response (including the script) to the user. The script then renders in the browser under the third-party site's security settings rather than the attacker's.
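As an added example (not code from the advisory, from Microsoft, or from the IIS administrative pages themselves), the block below shows the two halves of the cross-site scripting problem from the defender's side: a page that reflects a request parameter verbatim beside the same page with HTML encoding applied, and a scan of IIS W3C extended log lines for requests whose query string carries script markup, which is what such relayed requests look like in the server's own logs. The template, the page path /admin/status.asp, the parameter name msg and the log lines are all constructed for this example; the field names come from the log's own #Fields header, so the parser does not assume a fixed column order.

```python
import html
import re
from urllib.parse import unquote_plus

# A minimal page template (constructed) that echoes a status message.
TEMPLATE = "<html><body><p>{msg}</p></body></html>"


def render_vulnerable(template, params):
    """Reflect the parameter verbatim: any markup in it becomes part of the page."""
    return template.replace("{msg}", params.get("msg", ""))


def render_hardened(template, params):
    """Encode the parameter so the browser treats it as text, not markup."""
    return template.replace("{msg}", html.escape(params.get("msg", ""), quote=True))


# Constructed IIS W3C extended log excerpt (not from the advisory).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-10-30 10:15:01 192.0.2.10 GET /default.htm - 200
2002-10-30 10:15:07 192.0.2.10 GET /admin/status.asp msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200
2002-10-30 10:15:09 192.0.2.11 GET /admin/status.asp msg=Done 200
"""

# Markers that indicate script in a reflected value (decoded form).
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:", re.IGNORECASE)


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def find_script_in_query(log_text):
    """Return (client ip, uri stem, decoded query) for requests carrying script markup."""
    hits = []
    for rec in parse_w3c(log_text):
        raw = rec.get("cs-uri-query", "-")
        if raw == "-":
            continue  # W3C logs write '-' for an empty query
        query = unquote_plus(raw)  # decode %3C etc. before matching
        if SCRIPT_MARKERS.search(query):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], query))
    return hits


if __name__ == "__main__":
    params = {"msg": "<script>alert(1)</script>"}
    print(render_vulnerable(TEMPLATE, params))
    print(render_hardened(TEMPLATE, params))
    for hit in find_script_in_query(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The encoding step is the generic fix for reflected script on any page, administrative or not; the patch in MS02-062 applies it to the affected IIS pages. The log scan decodes the query before matching, since the relayed request arrives URL-encoded and a search for a literal "<script" in the raw log line would miss it.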
The vendor, Microsoft, has released Security Bulletin MS02-062 (Cumulative Patch for Internet Information Service) to address these vulnerabilities and recommends that affected users apply the appropriate patch mentioned in the bulletin. This patch is cumulative and addresses all previously discovered vulnerabilities.
Discovered by Li0n, Mark Litchfield, Tomoki Sanaki, Arai Yuu, and Luciano Martins.