A remote overflow exists in the Internet Services Application Programming Interface (ISAPI) ISM.DLL extensions used in HTR scripting. With a specially crafted URL, an attacker can cause either a DoS or the execution of arbitrary code, resulting in a loss of confidentiality, integrity, and/or availability.
Classification
Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity, Loss of Availability
Solution: Workaround, Patch / RCS
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified
Technical
Arbitrary code will be executed with the privileges of the IWAM_computername account for default installations of IIS 5.0 and 5.1.
If the vulnerability is exploited to cause a DoS, the IIS service must be restarted manually for version 4.0, while the service would automatically restart in IIS 5.0.
Solution
Install Patch Q319733, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workarounds:
1. Disable HTR ISAPI extension - All versions of the IIS Lockdown Tool disable HTR by default.
2. The URLScan tool can be used to prevent code execution (even if HTR is enabled), but not the DoS.
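To confirm whether the workarounds above are needed, or still holding, a defender can review the web server logs for any request that reaches an .htr resource. The following is an added example, not part of the original advisory or of any vendor tool. It assumes the server writes W3C Extended format logs that include the cs-uri-stem field, and the sample log lines, paths and addresses are constructed.

```python
"""Added example: list .htr requests recorded in IIS W3C Extended logs."""
from collections import Counter

# Constructed sample log (not from the advisory). IIS writes a fresh header
# block, possibly with different fields, each time the service restarts.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-06-12 10:01:02 192.0.2.10 GET /default.asp 200
2002-06-12 10:01:05 192.0.2.77 GET /scripts/test.HTR 500
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-06-12 10:03:40 192.0.2.77 POST /app/page.htr - 404
2002-06-12 10:03:41 192.0.2.10 GET /docs/htr-notes.html - 200
"""


def find_htr_requests(lines):
    """Return one dict per logged request whose URI stem ends in .htr."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # Column layout may change mid-file; always use the latest one.
            fields = line[len("#Fields:"):].split()
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if "cs-uri-stem" not in fields or len(values) != len(fields):
            continue  # Unparseable row; skip rather than guess at columns.
        entry = dict(zip(fields, values))
        # IIS matches extensions case-insensitively, so compare in lower case.
        if entry["cs-uri-stem"].lower().endswith(".htr"):
            hits.append(entry)
    return hits


def clients_by_hits(hits):
    """Count .htr requests per client address."""
    return dict(Counter(h.get("c-ip", "unknown") for h in hits))


if __name__ == "__main__":
    found = find_htr_requests(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["date"], h["time"], h.get("c-ip"), h["cs-uri-stem"], h.get("sc-status"))
    print(clients_by_hits(found))
```

On a server where the HTR extension has been disabled, any .htr request in the output is worth reviewing, and a repeated header block shortly after one may indicate a service restart.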