[NT-2K-XP]MS02-062: Cumulative Patch For..



-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Cumulative Patch for Internet Information Service (Q327696)
Date:       30 October 2002
Software:   Internet Information Service
Impact:     Four vulnerabilities, the most serious of which could enable
            applications on a server to gain system-level privileges.
Max Risk:   Moderate
Bulletin:   MS02-062

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/...in/MS02-062.asp.
- ----------------------------------------------------------------------

Issue:
======
This patch is a cumulative patch that includes the functionality of all
security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a,
and all security patches released to date for IIS 5.0 and 5.1. A complete
listing of the patches superseded by this patch is provided below, in the
section titled "Additional information about this patch". Before applying
the patch, system administrators should take note of the caveats discussed
in the same section.

In addition to including previously released security patches, this patch
also includes fixes for the following newly discovered security
vulnerabilities affecting IIS 4.0, 5.0 and/or 5.1:

- A privilege elevation vulnerability affecting the way ISAPIs are
  launched when an IIS 4.0, 5.0 or 5.1 server is configured to run them
  out of process. By design, the hosting process (dllhost.exe) should run
  only in the security context of the IWAM_computername account; however,
  it can actually be made to acquire LocalSystem privileges under certain
  circumstances, thereby enabling an ISAPI to do likewise.

- A denial of service vulnerability that results because of a flaw in the
  way IIS 5.0 and 5.1 allocate memory for WebDAV requests. If a WebDAV
  request were malformed in a particular way, IIS would allocate an
  extremely large amount of memory on the server. By sending several such
  requests, an attacker could cause the server to fail.

- A vulnerability involving the operation of the script source access
  permission in IIS 5.0. This permission operates in addition to the
  normal read/write permissions for a virtual directory, and regulates
  whether scripts, .ASP files and executable file types can be uploaded
  to a write-enabled virtual directory. A typographical error in the
  table that defines the file types subject to this permission has the
  effect of omitting .COM files from the list of files subject to the
  permission. As a result, a user would need only write access to upload
  such a file.

- A pair of Cross-Site Scripting (CSS) vulnerabilities affecting IIS 4.0,
  5.0 and 5.1, and involving administrative web pages. Each of these
  vulnerabilities has the same scope and effect: an attacker who was able
  to lure a user into clicking a link on his web site could relay a
  request containing script to a third-party web site running IIS,
  thereby causing the third-party site's response (still including the
  script) to be sent to the user. The script would then render using the
  security settings of the third-party site rather than the attacker's.

In addition, the patch causes IIS 5.0 and 5.1 to change how frequently the
socket backlog list - which, when all connections on a server are
allocated, holds the list of pending connection requests - is purged. The
patch changes IIS to purge the list more frequently in order to make it
more resilient to flooding attacks. The backlog monitoring feature is not
present in IIS 4.0.

Mitigating Factors:
====================
Out of Process Privilege Elevation:

- This vulnerability could only be exploited by an attacker who already
  had the ability to load and execute applications on an affected web
  server. Normal security practices recommend that untrusted users not be
  allowed to load applications onto a server, and that even trusted
  users' applications be scrutinized before allowing them to be loaded.

WebDAV Denial of Service:

- The vulnerability does not affect IIS 4.0, as WebDAV is not supported
  in this version of IIS.

- The vulnerability could only be exploited if the server allowed WebDAV
  requests to be levied on it. The IIS Lockdown Tool
  (http://www.microsoft.com/technet/security/tools/tools/locktool.asp),
  if deployed in its default configuration, disables such requests.

Script Source Access Vulnerability:

- The vulnerability could only be exploited if the administrator had
  granted all users write and execute permissions to one or more virtual
  directories on the server. Default configurations of IIS would be at no
  risk from this vulnerability.

- The vulnerability does not affect IIS 4.0, as WebDAV is not supported
  in this version of IIS.

- The vulnerability could only be exploited if the server allowed WebDAV
  requests to be levied on it. The IIS Lockdown Tool, if deployed in its
  default configuration, disables such requests.

Cross-site Scripting in IIS Administrative Pages:

- The vulnerabilities could only be exploited if the attacker could
  entice another user into visiting a web page and clicking a link on it,
  or opening an HTML mail.

- By default, the pages containing the vulnerability are restricted to
  the local IP address. As a result, the vulnerability could only be
  exploited if the client itself were running IIS.

Aggregate Risk Rating:
======================
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Low

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
  Security Bulletin at
  http://www.microsoft.com/technet/security/...in/ms02-062.asp
  for information on obtaining this patch.
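Two of the mitigating factors above are checkable from ordinary IIS W3C extended logs: whether WebDAV requests are still reaching a server that the Lockdown Tool should have closed to them, and whether executable file types (including .COM, which the unpatched script source access table omitted) are being uploaded with PUT to write-enabled directories. The following detector is an added example written for this post, not part of the bulletin or of any Microsoft tool; the log lines and the `EXECUTABLE_EXTS` set are constructed assumptions, since the bulletin does not list the exact file types.

```python
"""Flag WebDAV requests and executable uploads in IIS W3C extended logs."""
import posixpath
import re
from typing import Iterator, List, NamedTuple

# WebDAV methods from RFC 2518 plus IIS's SEARCH; none should appear on a
# server where the Lockdown Tool has disabled WebDAV.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
# Assumption: illustrative set of types that should need Script Source Access
# to upload; .com is the one the unpatched table left out.
EXECUTABLE_EXTS = {".asp", ".exe", ".dll", ".com", ".bat", ".cmd"}

FIELDS_LINE = re.compile(r"^#Fields:\s+(.*)$")

class Finding(NamedTuple):
    client: str
    method: str
    uri: str
    reason: str

def parse_w3c(lines) -> Iterator[dict]:
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        m = FIELDS_LINE.match(line)
        if m:
            fields = m.group(1).split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record: skip rather than guess at columns
        yield dict(zip(fields, parts))

def detect(lines) -> List[Finding]:
    findings = []
    for rec in parse_w3c(lines):
        method = rec.get("cs-method", "").upper()
        uri = rec.get("cs-uri-stem", "")
        client = rec.get("c-ip", "?")
        if method in WEBDAV_METHODS:
            findings.append(Finding(client, method, uri, "webdav-request"))
        if method == "PUT" and posixpath.splitext(uri)[1].lower() in EXECUTABLE_EXTS:
            findings.append(Finding(client, method, uri, "executable-upload"))
    return findings

# Constructed sample log (not real traffic).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-10-30 10:00:01 10.0.0.5 GET /default.asp 200
2002-10-30 10:00:02 10.0.0.7 PROPFIND /scripts/ 207
2002-10-30 10:00:03 10.0.0.9 PUT /upload/tool.COM 201
2002-10-30 10:00:04 10.0.0.9 PUT /upload/readme.txt 201
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f.reason:18} {f.client:10} {f.method} {f.uri}")
```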
