Reported August 16, 2001, by Microsoft.

VERSIONS AFFECTED

  • Microsoft Internet Information Services 5.0

  • Microsoft Internet Information Server 4.0

 

DESCRIPTION
The following vulnerabilities exist in Internet Information Services (IIS):

 

  • A Denial of Service (DoS) vulnerability exists in IIS 4.0 that an attacker can exploit to cause the IIS service to fail if URL redirection has been enabled.

  • A Denial of Service (DoS) vulnerability exists in IIS 5.0 that an attacker can use to temporarily disrupt service on the Web server. WWW Distributed Authoring and Versioning (WebDAV) doesn't correctly handle a particular type of long, invalid request, which causes the IIS service to fail.

  • A Denial of Service (DoS) vulnerability exists involving the way IIS 5.0 interprets content that contains a particular type of invalid MIME header. If an attacker places content containing such a defect on a server and then requests the content, the IIS 5.0 service is unable to serve any content until the user removes this false entry from the File Type table for the site.

  • A buffer overrun vulnerability exists involving the code that performs server-side include (SSI) directives. An attacker who has the ability to place content on a server can include a malformed SSI directive that results in an attacker running code in Local System context when the server processes the content.

  • A privilege elevation vulnerability exists that results from a flaw in a table that IIS 5.0 refers to when determining whether the system should run a file in-process or out-of-process. IIS 5.0 contains a table that lists the system files that should always run in-process. However, this list identifies the files using relative as well as absolute addressing, which causes any file whose name matches that of a file on the list to run in-process.
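
The in-process table flaw described in the last item above can be modelled in a few lines of C. This is an added example, not code from IIS or from the bulletin: the table entries, paths and function names are constructed, and the strict lookup is one assumed way to close the gap, not a description of Microsoft's patch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed in-process table: one absolute entry, one bare file name. */
static const char *INPROC_TABLE[] = {
    "c:\\sys\\inproc\\sysext.dll", /* absolute entry (hypothetical) */
    "helper.dll",                  /* relative entry (hypothetical) */
};
#define TABLE_LEN (sizeof INPROC_TABLE / sizeof INPROC_TABLE[0])

/* Case-insensitive equality, since Windows paths ignore case. */
static int path_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* File-name component after the last backslash. */
static const char *base_name(const char *p) {
    const char *s = strrchr(p, '\\');
    return s ? s + 1 : p;
}

static int is_absolute(const char *p) {
    return isalpha((unsigned char)p[0]) && p[1] == ':' && p[2] == '\\';
}

/* Flawed lookup: a relative entry is compared with the file name only,
   so the directory the requested file lives in is never checked. */
int runs_inproc_flawed(const char *path) {
    for (size_t i = 0; i < TABLE_LEN; i++) {
        const char *e = INPROC_TABLE[i];
        if (path_eq(is_absolute(e) ? path : base_name(path), e)) return 1;
    }
    return 0;
}

/* Strict lookup: only absolute entries count and the whole path must match. */
int runs_inproc_strict(const char *path) {
    for (size_t i = 0; i < TABLE_LEN; i++)
        if (is_absolute(INPROC_TABLE[i]) && path_eq(path, INPROC_TABLE[i])) return 1;
    return 0;
}

int main(void) {
    const char *content = "d:\\site\\uploads\\helper.dll"; /* constructed path */
    printf("flawed=%d strict=%d\n", runs_inproc_flawed(content), runs_inproc_strict(content));
    return 0;
}
```

The strict lookup fails closed: a relative entry left in the table no longer grants in-process status to anything, so such entries surface as a configuration error rather than a privilege boundary gap.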

 

VENDOR RESPONSE

The vendor, Microsoft, has released security bulletin MS01-044 to address these vulnerabilities and recommends that users apply the following patches relevant to their system:

 

  • Internet Information Services 5.0

  • Internet Information Server 4.0

 

The patches contain a cumulative rollup of all previously available patches for IIS 5.0 and all available patches for IIS 4.0 since the release of Service Pack 5 (SP5).

 

CREDIT
Discovered by John Waters, NSFocus, and Oded Horovitz.