Possible Buffer Overflow in IIS

Impact

If the system has this buffer overflow condition, an attacker could send a specially constructed request that crashes the server or executes arbitrary code with the privileges of the web server.

Background

Microsoft IIS web servers accept requests for a number of different types of files. Three such file types are .HTR files (for remote administration of passwords), .IDC files (Internet Database Connectors), and .STM files (server-side include files). Whenever a client requests a file of one of these types, a corresponding DLL file is executed on the server, regardless of whether the requested file actually exists on the server.
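Because the DLL runs even when the requested file is missing, every logged request for one of these three extensions reached the handler, whatever status was returned. The following is an added example, not part of the original advisory: a Python sketch that lists such requests from a W3C extended format log. The function name, the sample paths and the sample log lines are constructed for illustration.

```python
# Extensions the advisory lists as handled by a DLL whether or not the file exists.
MAPPED_EXTENSIONS = (".htr", ".idc", ".stm")

# Constructed sample in W3C extended log format (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1999-06-20 10:01:02 192.0.2.10 GET /default.htm 200
1999-06-20 10:01:05 192.0.2.10 GET /admin/change.htr 200
1999-06-20 10:02:11 198.51.100.7 GET /nosuchfile.IDC 500
1999-06-20 10:02:40 198.51.100.7 GET /docs/page.stm 200
1999-06-20 10:03:00 192.0.2.10 GET /images/logo.gif 200
"""


def find_mapped_requests(log_text):
    """Return one dict per request whose URI stem ends in a mapped extension."""
    fields = []
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            # The field list can change mid-file; always use the latest one.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or "cs-uri-stem" not in fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated entry, skip it
        entry = dict(zip(fields, values))
        stem = entry["cs-uri-stem"]
        # Compare case-insensitively: .IDC and .idc select the same handler.
        if stem.lower().endswith(MAPPED_EXTENSIONS):
            hits.append({
                "client": entry.get("c-ip", "-"),
                "stem": stem,
                "status": entry.get("sc-status", "-"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_mapped_requests(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["stem"])
```

A site that sees no legitimate requests of these types in its logs has little to lose from the workaround referenced under Resolutions.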

The Problem

In Microsoft IIS version 4.0, the DLL files that are executed when .HTR, .IDC, or .STM files are requested have a buffer overflow condition that could allow an attacker to crash the server or execute arbitrary commands on the web server.

SAINT was unable to confirm this vulnerability. The server is not vulnerable to this attack if any of the following conditions exist:

If none of the above conditions exist, then the server is probably vulnerable.

Resolutions

Install Service Pack 6. If you do not wish to install the service pack, then install the ext-fix hotfix or apply the workaround for this vulnerability. See Microsoft Knowledge Base article Q234905 for information on the hotfix and the workaround.

Where can I read more about this?

More information on this vulnerability is available from Microsoft Security Bulletin 99-019 and from Microsoft Knowledge Base article Q234905.