Possible Buffer Overflow in IIS
Impact
If the system has this buffer overflow condition, an attacker
could send a specially constructed request which crashes the
server or executes arbitrary code with the privileges of the web
server.
Background
Microsoft IIS web servers accept requests for a number of
different types of files.
Three such file types are .HTR files (for remote
administration of passwords), .IDC files (Internet
Database Connectors), and .STM files (server side include
files). Whenever any file of one of these types is requested
by a client, a corresponding DLL file is executed on the server,
regardless of whether or not the requested file actually exists
on the server.
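Because the DLL runs for every request with one of these extensions, the web server's access log shows which mappings clients actually reach. The following is an added example, not part of the original page: it tallies such requests per handler DLL and client, which helps when deciding whether a mapping is still needed. It assumes W3C Extended logging with a cs-uri-stem field and the default IIS 4.0 extension-to-DLL mappings; the log lines are constructed.

```python
import collections
import posixpath

# Extension -> handler DLL (assumed: default IIS 4.0 script mappings).
HANDLERS = {".htr": "ism.dll", ".idc": "httpodbc.dll", ".stm": "ssinc.dll"}

# Constructed sample in W3C Extended Log File Format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem
1999-06-16 10:01:02 192.0.2.10 GET /default.htm
1999-06-16 10:01:05 192.0.2.10 GET /admin/change.htr
1999-06-16 10:02:11 198.51.100.7 GET /nosuchfile.HTR
1999-06-16 10:02:40 198.51.100.7 GET /reports/q1.idc
1999-06-16 10:03:00 203.0.113.5 GET /news/index.stm
1999-06-16 10:03:09 203.0.113.5 GET /images/logo.gif
"""


def audit(log_text):
    """Return {dll: {client_ip: [uri, ...]}} for requests that reach an affected DLL."""
    fields = []
    hits = collections.defaultdict(lambda: collections.defaultdict(list))
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the field list can change mid-file
            continue
        if not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem")
        if stem is None:
            continue  # log was not configured to record the URI stem
        # Match on extension only, case-insensitively: the DLL is invoked
        # whether or not the requested file exists on disk.
        dll = HANDLERS.get(posixpath.splitext(stem)[1].lower())
        if dll:
            hits[dll][row.get("c-ip", "?")].append(stem)
    return {dll: dict(clients) for dll, clients in hits.items()}


if __name__ == "__main__":
    for dll, clients in sorted(audit(SAMPLE_LOG).items()):
        for ip, uris in sorted(clients.items()):
            print(f"{dll:14} {ip:15} {len(uris)} request(s): {', '.join(uris)}")
```

A DLL with no entries in the result is a candidate for having its mapping removed or restricted; one with entries needs the service pack, hotfix, or workaround before it is left exposed.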
The Problem
In Microsoft IIS version 4.0,
the DLL files which are executed when .HTR, .IDC,
or .STM files are requested have a buffer overflow condition
which could allow an attacker to crash the server or execute arbitrary
commands on the web server.
SAINT was unable to confirm this vulnerability. The server
is not vulnerable to this attack if any of the following
conditions exist:
- Windows NT 4.0 Service Pack 6 has been applied
- The ext-fix hotfix has been applied
- The workaround for this problem has been applied. That is, "check if this
file exists" has been selected for each of the affected file types
- The following three files do not exist on the server:
ism.dll, ssinc.dll, and httpodbc.dll
If none of the above conditions exist, then the server is
probably vulnerable.
Resolutions
Install Service Pack 6. If you do not wish to install the service pack, then
install the ext-fix hotfix or apply the workaround for this vulnerability.
See Microsoft Knowledge Base article Q234905 for information on the hotfix
and the workaround.
Where can I read more about this?
More information on this vulnerability is available from Microsoft Security
Bulletin 99-019 and from Microsoft Knowledge Base article Q234905.