Created 06/28/04

Impact

Background

The Problem

The second part of the problem occurs when a client visits the compromised server using a vulnerable version of Microsoft Internet Explorer. The attacker's JavaScript code, which is appended to every web page, redirects the browser to an external address belonging to a remote attacker. The remote web page exploits the Internet Explorer Modal Dialog Zone Bypass vulnerability. This exploit runs the attack code which downloads and installs a keystroke logger onto the system by exploiting the Internet Explorer ADODB.Stream Object File Installation Weakness.

Once the keystroke logger is installed on the system, it attempts to collect login and password combinations and saves them locally in an HTML form. The form data is then uploaded to a number of remote sites.

Resolution

To avoid becoming infected, install the fix for the Internet Explorer Modal Dialog Zone Bypass and ADODB.Stream Object File Installation vulnerabilities when available. Until the fix is installed, disable client-side scripting and active content in the Internet zone in Microsoft Internet Explorer.

Where can I read more about this?

Technical Details

Updated 06/15/07
CVE 1999-0501
CVE 1999-0502
CVE 1999-0503
CVE 1999-0504
CVE 1999-0505
CVE 1999-0506

Impact

Background

The Problem

Related CVE entries:
CVE 2002-1629 Multi-Tech ProxyServer
CVE 2005-3595 Windows XP Home Edition
CVE 2007-3232 IBM Totalstorage DS400

10/27/06
CVE 2006-5288
The Cisco 2700 Series Wireless Location appliance is an internet connectivity device. It is exposed to a default administrative password issue. Versions prior to 2.1.34 are affected.

Resolution

For Cisco 2700 Series Wireless Location Appliance, change the password or mitigate as described in cisco-air-20061013-wla.

Where can I read more about this?

The Cisco 2700 Series WLA default password was described in cisco-sa-2006-1012-wla and Bugtraq ID 20490.

The IBM Totalstorage DS400 default password was posted to Full Disclosure.

Technical Details

Impact

Background

An integral feature of FrontPage Server Extensions is a remote debug capability. This functionality enables users to remotely connect to a server running FrontPage Server Extensions and remotely debug content using, for example, Visual InterDev.

FrontPage Server Extensions also come with the SmartHTML (WebBot) interpreter. This functionality is made up of a variety of dynamic link library files, and exists to support certain types of dynamic web content. Web developers may choose to insert a FrontPage WebBot (actually a specially formatted HTML comment) in a web page. When the FrontPage Editor saves the web page, a FrontPage Server Extensions application scans the page for embedded WebBot components and replaces them with the appropriate HTML text.

FrontPage Server Extensions can also include an optional subcomponent called Visual Studio Remote Application Deployment (RAD) support. This support allows Visual InterDev users to register objects on the web server.

The Problem

04/12/06
CVE 2006-0015
There is a cross-site scripting vulnerability that could allow an attacker to run client-side script on behalf of an FPSE user. Attempts to exploit this vulnerability require user interaction. An attacker who successfully exploited this vulnerability against an administrator could take complete control of a Front Page Server Extensions 2002 server.

11/19/03
CVE 2003-0822
There is a buffer overflow vulnerability in the remote debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions 2000 and 2002. This vulnerability allows remote attackers to execute arbitrary code via a carefully crafted chunked encoded request.

11/19/03
CVE 2003-0824
A vulnerability in the SmartHTML interpreter (shtml.dll) could allow an attacker to temporarily consume all available CPU resources through malicious HTTP requests.

CVE 2001-0341
Due to an unchecked buffer in the Visual Studio RAD sub-component of FrontPage Server Extensions, it could be possible for a remote attacker to execute arbitrary commands with IUSR_machinename privileges, or in some cases SYSTEM privileges. This vulnerability can only be exploited if the Visual Studio RAD sub-component is installed, which is not the case by default.

The FrontPage password file(s) indicated on the previous screen, next to the link to this tutorial, are readable by an unprivileged web user. An attacker could crack the encrypted passwords and gain unauthorized access to the web site. If any users' FrontPage passwords are the same as their system passwords, the system could be compromised as well.

10/22/02
CVE 1999-1376
The fpcount.exe utility which is installed with FrontPage Server Extensions versions prior to 98 contains a remotely exploitable buffer overflow vulnerability.

Resolutions

To fix the vulnerability in the Visual Studio RAD support, apply the patch indicated in Microsoft Security Bulletin 01-035.

To secure the FrontPage password file, set the permissions on the file(s) to be more restrictive. The exact permissions which should be used are not specified. Use the most restrictive permissions possible without denying access to legitimate users.

On Windows NT systems:

1. Find the file in Windows Explorer
2. Click on the file with the right mouse button
3. Select Properties
4. Click on the Security Tab
5. Click on the Permissions button
6. Change or remove permissions on the file as necessary.

Use the chmod command.

To fix the buffer overflow in fpcount.exe, upgrade to FrontPage Server Extensions 98 or higher.

Where can I read more about this?

For more information on the fp30reg.dll remote debug and SmartHTML buffer overflow vulnerabilities, see Microsoft Security Bulletin 03-051 and Secunia Advisory SA10195.

For more information on the vulnerability in the Visual Studio RAD support, see Microsoft Security Bulletin 01-035 and NSFOCUS Security Advisory 2001-03.

See the Rhino 9 Advisory for more information about the password file vulnerability.

The fpcount.exe vulnerability was posted to Bugtraq archive 11943.

Technical Details

Impact

Background

An integral feature of FrontPage Server Extensions is a remote debug capability. This functionality enables users to remotely connect to a server running FrontPage Server Extensions and remotely debug content using, for example, Visual InterDev.

FrontPage Server Extensions also come with the SmartHTML (WebBot) interpreter. This functionality is made up of a variety of dynamic link library files, and exists to support certain types of dynamic web content. Web developers may choose to insert a FrontPage WebBot (actually a specially formatted HTML comment) in a web page. When the FrontPage Editor saves the web page, a FrontPage Server Extensions application scans the page for embedded WebBot components and replaces them with the appropriate HTML text.

FrontPage Server Extensions can also include an optional subcomponent called Visual Studio Remote Application Deployment (RAD) support. This support allows Visual InterDev users to register objects on the web server.

The Problem

04/12/06
CVE 2006-0015
There is a cross-site scripting vulnerability that could allow an attacker to run client-side script on behalf of an FPSE user. Attempts to exploit this vulnerability require user interaction. An attacker who successfully exploited this vulnerability against an administrator could take complete control of a Front Page Server Extensions 2002 server.

11/19/03
CVE 2003-0822
There is a buffer overflow vulnerability in the remote debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions 2000 and 2002. This vulnerability allows remote attackers to execute arbitrary code via a carefully crafted chunked encoded request.

11/19/03
CVE 2003-0824
A vulnerability in the SmartHTML interpreter (shtml.dll) could allow an attacker to temporarily consume all available CPU resources through malicious HTTP requests.

CVE 2001-0341
Due to an unchecked buffer in the Visual Studio RAD sub-component of FrontPage Server Extensions, it could be possible for a remote attacker to execute arbitrary commands with IUSR_machinename privileges, or in some cases SYSTEM privileges. This vulnerability can only be exploited if the Visual Studio RAD sub-component is installed, which is not the case by default.

The FrontPage password file(s) indicated on the previous screen, next to the link to this tutorial, are readable by an unprivileged web user. An attacker could crack the encrypted passwords and gain unauthorized access to the web site. If any users' FrontPage passwords are the same as their system passwords, the system could be compromised as well.

10/22/02
CVE 1999-1376
The fpcount.exe utility which is installed with FrontPage Server Extensions versions prior to 98 contains a remotely exploitable buffer overflow vulnerability.

Resolutions

To fix the vulnerability in the Visual Studio RAD support, apply the patch indicated in Microsoft Security Bulletin 01-035.

To secure the FrontPage password file, set the permissions on the file(s) to be more restrictive. The exact permissions which should be used are not specified. Use the most restrictive permissions possible without denying access to legitimate users.

On Windows NT systems:

1. Find the file in Windows Explorer
2. Click on the file with the right mouse button
3. Select Properties
4. Click on the Security Tab
5. Click on the Permissions button
6. Change or remove permissions on the file as necessary.

Use the chmod command.

To fix the buffer overflow in fpcount.exe, upgrade to FrontPage Server Extensions 98 or higher.

Where can I read more about this?

For more information on the fp30reg.dll remote debug and SmartHTML buffer overflow vulnerabilities, see Microsoft Security Bulletin 03-051 and Secunia Advisory SA10195.

For more information on the vulnerability in the Visual Studio RAD support, see Microsoft Security Bulletin 01-035 and NSFOCUS Security Advisory 2001-03.

See the Rhino 9 Advisory for more information about the password file vulnerability.

The fpcount.exe vulnerability was posted to Bugtraq archive 11943.

Technical Details

Impact

Background

Some of the file types for which IIS may accept requests are .HTR files (for remote administration of passwords), .IDC files (Internet Database Connectors), .STM files (server side include files), .PRINTER files (printers), .IDA files (Internet Data Administration), .IDQ files (Internet Data Query), and .ASP files (Active Server Pages). Whenever any file of one of these types is requested by a client, a corresponding DLL file is executed on the server, regardless of whether or not the requested file actually exists on the server.

IIS supports redirection, which allows a user to specify that requests for a particular URL on the server should be redirected such that the user's browser loads a file from another directory, a network share, or a URL on another web server.

The Problems

02/14/08
CVE 2008-0075
Microsoft Security Bulletin 08-006 announced a vulnerability in IIS that could allow remote code execution. The vulnerability exists in the way that IIS handles input to ASP Web pages. An attacker who could exploit the vulnerability can perform actions on the IIS server with the same rights as the Worker Process Identity WPI.

07/10/07
CVE 2005-4360
A flaw in IIS 5.1 dealing with .dll requests was previously believed to only allow denial of service but has been re-evaluated by Microsoft and determined to allow remote code execution.

07/12/06
CVE 2006-0026
IIS 5.0, 5.1, and 6.0 are affected by a buffer overflow when processing ASP files. A remote attacker could execute arbitrary commands by uploading a specially crafted ASP file onto the web server, and then causing IIS to process it. An attacker would need to have valid login credentials in order to exploit this vulnerability unless the web server has been configured to allow anonymous uploads to the web site.

12/21/05
CVE 2005-4360
A flaw in IIS 5.1 could allow a remote attacker to terminate the web service by sending a specially crafted request for a .dll file four times in succession. The requested path must include an executable virtual directory on the web server, but the file does not need to exist in order for the attack to succeed. In its default configuration, IIS will restart after such an attack, but repeated attacks could lead to a sustained denial of service.

04/11/02
Microsoft Security Bulletin 02-018 announced ten newly discovered vulnerabilities affecting IIS 4.0 through 5.1, ranging in impact from denial of service to execution of arbitrary code. Each of the following vulnerabilities affects IIS 4.0, 5.0, and/or 5.1:

• Two buffer overflows affecting chunked encoding transfers via Active Server Pages (ASP) (CVE 2002-0079 CVE 2002-0147)
• A buffer overflow in the processing of HTTP headers by spoofing the check of the delimiter fields (CVE 2002-0150)
• A buffer overflow in the processing of server-side includes in ASP files (CVE 2002-0149)
• A buffer overflow affecting the HTR ISAPI extension (CVE 2002-0071)
• Denial-of-service conditions in the processing of error messages from ISAPI extensions and the processing of FTP status requests (CVE 2002-0072 CVE 2002-0073)
• Three cross-site scripting vulnerabilities (CVE 2002-0074 CVE 2002-0075 CVE 2002-0148)

11/05/02
Microsoft Security Bulletin 02-062 announced four more vulnerabilities affecting IIS 4.0, 5.0, and/or 5.1:

• A privilege elevation vulnerability affecting the way ISAPIs are launched when configured to run out of process (CVE 2002-0869)
• A denial-of-service vulnerability in the processing of WebDAV requests (CVE 2002-1182)
• An error which weakens the access control on uploading of .COM files to write-enabled virtual directories (CVE 2002-1180)
• Two cross-site scripting vulnerabilities affecting the administrative web page (CVE 2002-1181)

06/03/03
Microsoft Security Bulletin 03-018 announced four more vulnerabilities affecting IIS 4.0, 5.0, and/or 5.1:

• A cross-site scripting vulnerability affecting pages which are redirected to another page (CVE 2003-0223)
• A buffer overflow in the processing of pages containing server-side includes, which could be exploited if an attacker is able to upload such pages (CVE 2003-0224)
• A denial of service vulnerability in the processing of ASP pages, which could be exploited if an attacker is able to upload ASP pages (CVE 2003-0225)
• A denial of service vulnerability in the processing of overly long WebDAV requests (CVE 2003-0226)

07/14/04
CVE 2004-0205
A buffer overflow in IIS 4.0 could allow a remote attacker to execute arbitrary commands if permanent redirects are enabled. IIS 5 and 6 are not affected.

06/13/02
CVE 2002-0364
IIS web servers support chunked encoding, in which HTTP POST data is sent to the server in multiple parts. A heap overrun vulnerability in the ISAPI filter which handles requests for .HTR files could allow a remote attacker to execute arbitrary commands when chunked encoding is used. The requested .HTR file usually does not need to exist on the server in order for the vulnerability to be exploited.

IIS 4.0 and 5.0 are affected by this vulnerability if the .HTR application filter is enabled and the patch has not been applied. This is not the same vulnerability as the one described above.

06/18/01
CVE 2001-0241
CVE 2001-0500

The DLLs which IIS 5.0 uses to process requests for .PRINTER files on Windows 2000, and for .IDA and .IDQ files on any Windows platform that has Indexing Services installed, contain buffer overflows. A remote attacker could execute arbitrary commands with full system privileges or create a denial of service by sending a specially crafted request for a .PRINTER, .IDA, or .IDQ file. In most cases the requested file does not need to exist on the web server in order for this vulnerability to be exploited, and exploitation of the DLLs that come with Indexing Services is possible even if Indexing Services are not running.

Due to the nature of this vulnerability, it could not be confirmed by a network scan (unless the dangerous tests option was chosen). The server is not vulnerable if any of the following conditions apply:

• The patches for this vulnerability have already been applied
• The mapping for the corresponding ISAPIs have been removed

CVE 2000-0884
CVE 2001-0333

The "../" string in a pathname usually indicates a parent directory. IIS rejects URLs containing this string, thereby preventing web users from accessing files outside of the web document root directory. However, this safeguard can be averted by:

1. Representing part of the ../ string in a Unicode format, or
2. Using double encoding; that is, URL-encoding part of the ../ string, and then URL-encoding the resulting encoded string

CVE 1999-0874

In Microsoft IIS version 4.0, the DLL files which are executed when .HTR, .IDC, or .STM files are requested have a buffer overflow condition which could allow an attacker to crash the server or execute arbitrary commands on the web server.

This vulnerability could not be confirmed by a remote scan. The server is not vulnerable to this attack if any of the following conditions exist:

• Windows NT 4.0 Service Pack 6 has been applied
• The ext-fix hotfix has been applied
• The workaround for this problem has been applied. That is, "check if this file exists" has been selected for each of the affected file types
• The following three files do not exist on the server: ism.dll, ssinc.dll, and httpodbc.dll

If none of the above conditions exist, then the server is probably vulnerable.

CVE 2000-0226
An older buffer overflow affects IIS 4.0's implementation of chunked encoding and could allow an attacker to cause a denial of service with a large POST or PUT command.

CVE 2000-0886

When the web server receives a request for a .exe or .com file under an executable directory, the system calls cmd.exe to process the requested program. Anything following the filename in the request is interpreted as a command-line argument. Some arguments, such as an ampersand (&), could cause the remaining arguments to be interpreted as a new command. Thus, if an attacker knows the path and filename of a batch of .cmd file under an executable directory, he or she could run arbitrary commands by sending a specially crafted request for that file.

Similarly, script interpreters such as perl.exe and php.exe, could be tricked into running arbitrary commands by a specially crafted request for the corresponding type of file.

CVE 2000-0770
CVE 2001-0151
CVE 2001-0507
There are several other vulnerabilities in IIS 4 and 5 which are not as critical as those listed above, but which still should be addressed. The first could allow an attacker to gain additional privileges to a file in IIS 4.0 and 5.0 by sending a specially crafted URL if a parent directory has less restrictive permissions than the file. The second could allow an attacker to create a denial of service against IIS 5.0 by sending a malformed WebDAV request to the server. The third is a privilege elevation vulnerability which arises in IIS 5.0 because the table that specifies which files can be run in-process uses both absolute and relative path names, allowing a file which is not in the table to possibly match a file name in the table.

Resolutions

For IIS 5.1, also install the patches referenced in 07-041. Note that the patch referenced in Microsoft Security Bulletin 02-050 must also be installed if client side certificates are to function.

IIS 4.0 users should also install the patch referenced in Microsoft Security Bulletin 04-021 or disable the permanent redirection option under the Home Directory tab in the web site properties.

Where can I read more about this?

More information on the remote code execution in IIS 5.1 is available at Microsoft Security Bulletin 07-041.

More information on the ASP upload vulnerability is available in Microsoft Security Bulletin 06-034.

More information on the .dll request denial of service was reported in Secunia Advisory SA18106.

More information on the chunked .HTR processing vulnerability is available in Microsoft Security Bulletin 02-028 and eEye advisory 20020612.

The IIS 4.0 redirection buffer overflow was reported in Microsoft Security Bulletin 04-021.

More information on the multiple vulnerabilities in IIS 4.0 through 5.1 is available in CERT Advisory 2002-09, Microsoft Security Bulletin 02-018, Microsoft Security Bulletin 02-062, and Microsoft Security Bulletin 03-018.

More information on the buffer overflows in IIS 5.0 is available from Microsoft Security Bulletins 01-023 and 01-033, CERT advisories 2001-10 and 2001-13, and eEye advisories AD20010501 and AD20010618. General information on securing IIS 5.0 can be found in the IIS 5 security checklist.

More information on folder traversal using Unicode translation is available from Microsoft Security Bulletin 00-078 and a posting to Bugtraq. More information on folder traversal using double encoding is available from Microsoft Security Bulletin 01-026, NSFOCUS Security Advisory 2001-02, and CERT Advisory 2001-12.

More information on the buffer overflow vulnerability is available from Microsoft Security Bulletin 99-019 and from Microsoft Knowledge Base article Q234905.

More information on the filename inspection vulnerability can be found in Microsoft Security Bulletin 00-086 and NSFOCUS Security Advisory 2000-07.

More information on the other vulnerabilities was reported in Microsoft Security Bulletins 00-057, 01-016, and 01-044.

Technical Details

Impact

Background

Some of the file types for which IIS may accept requests are .HTR files (for remote administration of passwords), .IDC files (Internet Database Connectors), .STM files (server side include files), .PRINTER files (printers), .IDA files (Internet Data Administration), .IDQ files (Internet Data Query), and .ASP files (Active Server Pages). Whenever any file of one of these types is requested by a client, a corresponding DLL file is executed on the server, regardless of whether or not the requested file actually exists on the server.

IIS supports redirection, which allows a user to specify that requests for a particular URL on the server should be redirected such that the user's browser loads a file from another directory, a network share, or a URL on another web server.

The Problems

02/14/08
CVE 2008-0075
Microsoft Security Bulletin 08-006 announced a vulnerability in IIS that could allow remote code execution. The vulnerability exists in the way that IIS handles input to ASP Web pages. An attacker who could exploit the vulnerability can perform actions on the IIS server with the same rights as the Worker Process Identity WPI.

07/10/07
CVE 2005-4360
A flaw in IIS 5.1 dealing with .dll requests was previously believed to only allow denial of service but has been re-evaluated by Microsoft and determined to allow remote code execution.

07/12/06
CVE 2006-0026
IIS 5.0, 5.1, and 6.0 are affected by a buffer overflow when processing ASP files. A remote attacker could execute arbitrary commands by uploading a specially crafted ASP file onto the web server, and then causing IIS to process it. An attacker would need to have valid login credentials in order to exploit this vulnerability unless the web server has been configured to allow anonymous uploads to the web site.

12/21/05
CVE 2005-4360
A flaw in IIS 5.1 could allow a remote attacker to terminate the web service by sending a specially crafted request for a .dll file four times in succession. The requested path must include an executable virtual directory on the web server, but the file does not need to exist in order for the attack to succeed. In its default configuration, IIS will restart after such an attack, but repeated attacks could lead to a sustained denial of service.

04/11/02
Microsoft Security Bulletin 02-018 announced ten newly discovered vulnerabilities affecting IIS 4.0 through 5.1, ranging in impact from denial of service to execution of arbitrary code. Each of the following vulnerabilities affects IIS 4.0, 5.0, and/or 5.1:

• Two buffer overflows affecting chunked encoding transfers via Active Server Pages (ASP) (CVE 2002-0079 CVE 2002-0147)
• A buffer overflow in the processing of HTTP headers by spoofing the check of the delimiter fields (CVE 2002-0150)
• A buffer overflow in the processing of server-side includes in ASP files (CVE 2002-0149)
• A buffer overflow affecting the HTR ISAPI extension (CVE 2002-0071)
• Denial-of-service conditions in the processing of error messages from ISAPI extensions and the processing of FTP status requests (CVE 2002-0072 CVE 2002-0073)
• Three cross-site scripting vulnerabilities (CVE 2002-0074 CVE 2002-0075 CVE 2002-0148)

11/05/02
Microsoft Security Bulletin 02-062 announced four more vulnerabilities affecting IIS 4.0, 5.0, and/or 5.1:

• A privilege elevation vulnerability affecting the way ISAPIs are launched when configured to run out of process (CVE 2002-0869)
• A denial-of-service vulnerability in the processing of WebDAV requests (CVE 2002-1182)
• An error which weakens the access control on uploading of .COM files to write-enabled virtual directories (CVE 2002-1180)
• Two cross-site scripting vulnerabilities affecting the administrative web page (CVE 2002-1181)

06/03/03
Microsoft Security Bulletin 03-018 announced four more vulnerabilities affecting IIS 4.0, 5.0, and/or 5.1:

• A cross-site scripting vulnerability affecting pages which are redirected to another page (CVE 2003-0223)
• A buffer overflow in the processing of pages containing server-side includes, which could be exploited if an attacker is able to upload such pages (CVE 2003-0224)
• A denial of service vulnerability in the processing of ASP pages, which could be exploited if an attacker is able to upload ASP pages (CVE 2003-0225)
• A denial of service vulnerability in the processing of overly long WebDAV requests (CVE 2003-0226)

07/14/04
CVE 2004-0205
A buffer overflow in IIS 4.0 could allow a remote attacker to execute arbitrary commands if permanent redirects are enabled. IIS 5 and 6 are not affected.

06/13/02
CVE 2002-0364
IIS web servers support chunked encoding, in which HTTP POST data is sent to the server in multiple parts. A heap overrun vulnerability in the ISAPI filter which handles requests for .HTR files could allow a remote attacker to execute arbitrary commands when chunked encoding is used. The requested .HTR file usually does not need to exist on the server in order for the vulnerability to be exploited.

IIS 4.0 and 5.0 are affected by this vulnerability if the .HTR application filter is enabled and the patch has not been applied. This is not the same vulnerability as the one described above.

06/18/01
CVE 2001-0241
CVE 2001-0500

The DLLs which IIS 5.0 uses to process requests for .PRINTER files on Windows 2000, and for .IDA and .IDQ files on any Windows platform that has Indexing Services installed, contain buffer overflows. A remote attacker could execute arbitrary commands with full system privileges or create a denial of service by sending a specially crafted request for a .PRINTER, .IDA, or .IDQ file. In most cases the requested file does not need to exist on the web server in order for this vulnerability to be exploited, and exploitation of the DLLs that come with Indexing Services is possible even if Indexing Services are not running.

Due to the nature of this vulnerability, it could not be confirmed by a network scan (unless the dangerous tests option was chosen). The server is not vulnerable if any of the following conditions apply:

• The patches for this vulnerability have already been applied
• The mapping for the corresponding ISAPIs have been removed

CVE 2000-0884
CVE 2001-0333

The "../" string in a pathname usually indicates a parent directory. IIS rejects URLs containing this string, thereby preventing web users from accessing files outside of the web document root directory. However, this safeguard can be averted by:

1. Representing part of the ../ string in a Unicode format, or
2. Using double encoding; that is, URL-encoding part of the ../ string, and then URL-encoding the resulting encoded string

CVE 1999-0874

In Microsoft IIS version 4.0, the DLL files which are executed when .HTR, .IDC, or .STM files are requested have a buffer overflow condition which could allow an attacker to crash the server or execute arbitrary commands on the web server.

This vulnerability could not be confirmed by a remote scan. The server is not vulnerable to this attack if any of the following conditions exist:

• Windows NT 4.0 Service Pack 6 has been applied
• The ext-fix hotfix has been applied
• The workaround for this problem has been applied. That is, "check if this file exists" has been selected for each of the affected file types
• The following three files do not exist on the server: ism.dll, ssinc.dll, and httpodbc.dll

If none of the above conditions exist, then the server is probably vulnerable.

CVE 2000-0226
An older buffer overflow affects IIS 4.0's implementation of chunked encoding and could allow an attacker to cause a denial of service with a large POST or PUT command.

CVE 2000-0886

When the web server receives a request for a .exe or .com file under an executable directory, the system calls cmd.exe to process the requested program. Anything following the filename in the request is interpreted as a command-line argument. Some arguments, such as an ampersand (&), could cause the remaining arguments to be interpreted as a new command. Thus, if an attacker knows the path and filename of a batch of .cmd file under an executable directory, he or she could run arbitrary commands by sending a specially crafted request for that file.

Similarly, script interpreters such as perl.exe and php.exe, could be tricked into running arbitrary commands by a specially crafted request for the corresponding type of file.

CVE 2000-0770
CVE 2001-0151
CVE 2001-0507
There are several other vulnerabilities in IIS 4 and 5 which are not as critical as those listed above, but which still should be addressed. The first could allow an attacker to gain additional privileges to a file in IIS 4.0 and 5.0 by sending a specially crafted URL if a parent directory has less restrictive permissions than the file. The second could allow an attacker to create a denial of service against IIS 5.0 by sending a malformed WebDAV request to the server. The third is a privilege elevation vulnerability which arises in IIS 5.0 because the table that specifies which files can be run in-process uses both absolute and relative path names, allowing a file which is not in the table to possibly match a file name in the table.

Resolutions

For IIS 5.1, also install the patches referenced in 07-041. Note that the patch referenced in Microsoft Security Bulletin 02-050 must also be installed if client side certificates are to function.

IIS 4.0 users should also install the patch referenced in Microsoft Security Bulletin 04-021 or disable the permanent redirection option under the Home Directory tab in the web site properties.

Where can I read more about this?

More information on the remote code execution in IIS 5.1 is available at Microsoft Security Bulletin 07-041.

More information on the ASP upload vulnerability is available in Microsoft Security Bulletin 06-034.

More information on the .dll request denial of service was reported in Secunia Advisory SA18106.

More information on the chunked .HTR processing vulnerability is available in Microsoft Security Bulletin 02-028 and eEye advisory 20020612.

The IIS 4.0 redirection buffer overflow was reported in Microsoft Security Bulletin 04-021.

More information on the multiple vulnerabilities in IIS 4.0 through 5.1 is available in CERT Advisory 2002-09, Microsoft Security Bulletin 02-018, Microsoft Security Bulletin 02-062, and Microsoft Security Bulletin 03-018.

More information on the buffer overflows in IIS 5.0 is available from Microsoft Security Bulletins 01-023 and 01-033, CERT advisories 2001-10 and 2001-13, and eEye advisories AD20010501 and AD20010618. General information on securing IIS 5.0 can be found in the IIS 5 security checklist.

More information on folder traversal using Unicode translation is available from Microsoft Security Bulletin 00-078 and a posting to Bugtraq. More information on folder traversal using double encoding is available from Microsoft Security Bulletin 01-026, NSFOCUS Security Advisory 2001-02, and CERT Advisory 2001-12.

More information on the buffer overflow vulnerability is available from Microsoft Security Bulletin 99-019 and from Microsoft Knowledge Base article Q234905.

More information on the filename inspection vulnerability can be found in Microsoft Security Bulletin 00-086 and NSFOCUS Security Advisory 2000-07.

More information on the other vulnerabilities was reported in Microsoft Security Bulletins 00-057, 01-016, and 01-044.

Technical Details

Impact

Background

Some of the file types for which IIS may accept requests are .HTR files (for remote administration of passwords), .IDC files (Internet Database Connectors), .STM files (server side include files), .PRINTER files (printers), .IDA files (Internet Data Administration), .IDQ files (Internet Data Query), and .ASP files (Active Server Pages). Whenever any file of one of these types is requested by a client, a corresponding DLL file is executed on the server, regardless of whether or not the requested file actually exists on the server.

IIS supports redirection, which allows a user to specify that requests for a particular URL on the server should be redirected such that the user's browser loads a file from another directory, a network share, or a URL on another web server.

The Problems

02/14/08
CVE 2008-0075
Microsoft Security Bulletin 08-006 announced a vulnerability in IIS that could allow remote code execution. The vulnerability exists in the way that IIS handles input to ASP Web pages. An attacker who could exploit the vulnerability can perform actions on the IIS server with the same rights as the Worker Process Identity WPI.

07/10/07
CVE 2005-4360
A flaw in IIS 5.1 dealing with .dll requests was previously believed to only allow denial of service but has been re-evaluated by Microsoft and determined to allow remote code execution.

07/12/06
CVE 2006-0026
IIS 5.0, 5.1, and 6.0 are affected by a buffer overflow when processing ASP files. A remote attacker could execute arbitrary commands by uploading a specially crafted ASP file onto the web server, and then causing IIS to process it. An attacker would need to have valid login credentials in order to exploit this vulnerability unless the web server has been configured to allow anonymous uploads to the web site.

12/21/05
CVE 2005-4360
A flaw in IIS 5.1 could allow a remote attacker to terminate the web service by sending a specially crafted request for a .dll file four times in succession. The requested path must include an executable virtual directory on the web server, but the file does not need to exist in order for the attack to succeed. In its default configuration, IIS will restart after such an attack, but repeated attacks could lead to a sustained denial of service.

04/11/02
Microsoft Security Bulletin 02-018 announced ten newly discovered vulnerabilities affecting IIS 4.0 through 5.1, ranging in impact from denial of service to execution of arbitrary code. Each of the following vulnerabilities affects IIS 4.0, 5.0, and/or 5.1:

• Two buffer overflows affecting chunked encoding transfers via Active Server Pages (ASP) (CVE 2002-0079 CVE 2002-0147)
• A buffer overflow in the processing of HTTP headers by spoofing the check of the delimiter fields (CVE 2002-0150)
• A buffer overflow in the processing of server-side includes in ASP files (CVE 2002-0149)
• A buffer overflow affecting the HTR ISAPI extension (CVE 2002-0071)
• Denial-of-service conditions in the processing of error messages from ISAPI extensions and the processing of FTP status requests (CVE 2002-0072 CVE 2002-0073)
• Three cross-site scripting vulnerabilities (CVE 2002-0074 CVE 2002-0075 CVE 2002-0148)

11/05/02
Microsoft Security Bulletin 02-062 announced four more vulnerabilities affecting IIS 4.0, 5.0, and/or 5.1:

• A privilege elevation vulnerability affecting the way ISAPIs are launched when configured to run out of process (CVE 2002-0869)
• A denial-of-service vulnerability in the processing of WebDAV requests (CVE 2002-1182)
• An error which weakens the access control on uploading of .COM files to write-enabled virtual directories (CVE 2002-1180)
• Two cross-site scripting vulnerabilities affecting the administrative web page (CVE 2002-1181)

06/03/03
Microsoft Security Bulletin 03-018 announced four more vulnerabilities affecting IIS 4.0, 5.0, and/or 5.1:

• A cross-site scripting vulnerability affecting pages which are redirected to another page (CVE 2003-0223)
• A buffer overflow in the processing of pages containing server-side includes, which could be exploited if an attacker is able to upload such pages (CVE 2003-0224)
• A denial of service vulnerability in the processing of ASP pages, which could be exploited if an attacker is able to upload ASP pages (CVE 2003-0225)
• A denial of service vulnerability in the processing of overly long WebDAV requests (CVE 2003-0226)

07/14/04
CVE 2004-0205
A buffer overflow in IIS 4.0 could allow a remote attacker to execute arbitrary commands if permanent redirects are enabled. IIS 5 and 6 are not affected.

06/13/02
CVE 2002-0364
IIS web servers support chunked encoding, in which HTTP POST data is sent to the server in multiple parts. A heap overrun vulnerability in the ISAPI filter which handles requests for .HTR files could allow a remote attacker to execute arbitrary commands when chunked encoding is used. The requested .HTR file usually does not need to exist on the server in order for the vulnerability to be exploited.

IIS 4.0 and 5.0 are affected by this vulnerability if the .HTR application filter is enabled and the patch has not been applied. This is not the same vulnerability as the one described above.

06/18/01
CVE 2001-0241
CVE 2001-0500

The DLLs which IIS 5.0 uses to process requests for .PRINTER files on Windows 2000, and for .IDA and .IDQ files on any Windows platform that has Indexing Services installed, contain buffer overflows. A remote attacker could execute arbitrary commands with full system privileges or create a denial of service by sending a specially crafted request for a .PRINTER, .IDA, or .IDQ file. In most cases the requested file does not need to exist on the web server in order for this vulnerability to be exploited, and exploitation of the DLLs that come with Indexing Services is possible even if Indexing Services are not running.

Due to the nature of this vulnerability, it could not be confirmed by a network scan (unless the dangerous tests option was chosen). The server is not vulnerable if any of the following conditions apply:

• The patches for this vulnerability have already been applied
• The mapping for the corresponding ISAPIs have been removed

CVE 2000-0884
CVE 2001-0333

The "../" string in a pathname usually indicates a parent directory. IIS rejects URLs containing this string, thereby preventing web users from accessing files outside of the web document root directory. However, this safeguard can be averted by:

1. Representing part of the ../ string in a Unicode format, or
2. Using double encoding; that is, URL-encoding part of the ../ string, and then URL-encoding the resulting encoded string

CVE 1999-0874

In Microsoft IIS version 4.0, the DLL files which are executed when .HTR, .IDC, or .STM files are requested have a buffer overflow condition which could allow an attacker to crash the server or execute arbitrary commands on the web server.

This vulnerability could not be confirmed by a remote scan. The server is not vulnerable to this attack if any of the following conditions exist:

• Windows NT 4.0 Service Pack 6 has been applied
• The ext-fix hotfix has been applied
• The workaround for this problem has been applied. That is, "check if this file exists" has been selected for each of the affected file types
• The following three files do not exist on the server: ism.dll, ssinc.dll, and httpodbc.dll

If none of the above conditions exist, then the server is probably vulnerable.

CVE 2000-0226
An older buffer overflow affects IIS 4.0's implementation of chunked encoding and could allow an attacker to cause a denial of service with a large POST or PUT command.

CVE 2000-0886

When the web server receives a request for a .exe or .com file under an executable directory, the system calls cmd.exe to process the requested program. Anything following the filename in the request is interpreted as a command-line argument. Some arguments, such as an ampersand (&), could cause the remaining arguments to be interpreted as a new command. Thus, if an attacker knows the path and filename of a batch of .cmd file under an executable directory, he or she could run arbitrary commands by sending a specially crafted request for that file.

Similarly, script interpreters such as perl.exe and php.exe, could be tricked into running arbitrary commands by a specially crafted request for the corresponding type of file.

CVE 2000-0770
CVE 2001-0151
CVE 2001-0507
There are several other vulnerabilities in IIS 4 and 5 which are not as critical as those listed above, but which still should be addressed. The first could allow an attacker to gain additional privileges to a file in IIS 4.0 and 5.0 by sending a specially crafted URL if a parent directory has less restrictive permissions than the file. The second could allow an attacker to create a denial of service against IIS 5.0 by sending a malformed WebDAV request to the server. The third is a privilege elevation vulnerability which arises in IIS 5.0 because the table that specifies which files can be run in-process uses both absolute and relative path names, allowing a file which is not in the table to possibly match a file name in the table.

Resolutions

For IIS 5.1, also install the patches referenced in 07-041. Note that the patch referenced in Microsoft Security Bulletin 02-050 must also be installed if client side certificates are to function.

IIS 4.0 users should also install the patch referenced in Microsoft Security Bulletin 04-021 or disable the permanent redirection option under the Home Directory tab in the web site properties.

Where can I read more about this?

More information on the remote code execution in IIS 5.1 is available at Microsoft Security Bulletin 07-041.

More information on the ASP upload vulnerability is available in Microsoft Security Bulletin 06-034.

More information on the .dll request denial of service was reported in Secunia Advisory SA18106.

More information on the chunked .HTR processing vulnerability is available in Microsoft Security Bulletin 02-028 and eEye advisory 20020612.

The IIS 4.0 redirection buffer overflow was reported in Microsoft Security Bulletin 04-021.

More information on the multiple vulnerabilities in IIS 4.0 through 5.1 is available in CERT Advisory 2002-09, Microsoft Security Bulletin 02-018, Microsoft Security Bulletin 02-062, and Microsoft Security Bulletin 03-018.

More information on the buffer overflows in IIS 5.0 is available from Microsoft Security Bulletins 01-023 and 01-033, CERT advisories 2001-10 and 2001-13, and eEye advisories AD20010501 and AD20010618. General information on securing IIS 5.0 can be found in the IIS 5 security checklist.

More information on folder traversal using Unicode translation is available from Microsoft Security Bulletin 00-078 and a posting to Bugtraq. More information on folder traversal using double encoding is available from Microsoft Security Bulletin 01-026, NSFOCUS Security Advisory 2001-02, and CERT Advisory 2001-12.

More information on the buffer overflow vulnerability is available from Microsoft Security Bulletin 99-019 and from Microsoft Knowledge Base article Q234905.

More information on the filename inspection vulnerability can be found in Microsoft Security Bulletin 00-086 and NSFOCUS Security Advisory 2000-07.

More information on the other vulnerabilities was reported in Microsoft Security Bulletins 00-057, 01-016, and 01-044.

Technical Details

Updated 03/07/07

Impact

Background

The Problems

03/07/07
CVE 2007-1301
MailEnable Professional and Enterprise have a buffer overflow that allows remote authenticated users to cause denial of service or arbitrary code execution. Professional versions 1.6 through 1.85 and 2.0 through 2.37 are vulnerable. Enterprise versions 1.1 through 1.42 and 2.0 through 2.37 are vulnerable.

02/22/07
CVE 2007-0955
MailEnable Professional and Enterprise version 2.37 and earlier have a denial of service vulnerability in the NTLM_UnPack_Type3 function in MENTLM.dll. This vulnerability allows remote attackers to cause a denial of service (application crash) via certain base64-encoded data following an AUTHENTICATE NTLM command to the imap port (143/tcp), which results in an out-of-bounds read.

04/03/06
CVE 2006-6605
MailEnable is vulnerable to a buffer overflow in the PASS command in the POP service. These vulnerabilities are in MailEnable Standard 1.98 and earlier; Professional 1.84, and 2.35 and earlier; and Enterprise 1.41, and 2.35 and earlier unless hotfix ME-10026 has been installed.

12/20/06
CVE 2006-6423
IMAP has a pre-authentication buffer overflow vulnerability caused by specification of a crafted parameter to cause the service to wait for more incoming data and then sending an overly long string.

The vulnerability detailed above affects versions 1.6-1.84 and 2.0 through 2.35 of Professional Edition and 1.1-1.41 and 2.0 through 2.35 of Enterprise Edition unless hotfix ME-10025 has been installed.

12/06/06
CVE 2006-6239
The NetWebAdmin portion of MailEnable has a vulnerability allowing for login with a blank password. Versions 2.32 of Professional and Enterprise versions are vulnerable.

12/04/06
CVE 2006-6290
CVE 2006-6291
CVE 2006-6484
IMAP has a number of additional buffer overflow vulnerabilities. These include a boundary error in the handling of arguments passed to the EXAMINE and SELECT commands and an input validation error in the handling of arguments passed to the DELETE command. There are also additional buffer overflow vulnerabilities.

The vulnerabilities detailed above affect versions 1.6-1.82 and 2.0 through 2.32 of Professional Edition and 1.1-1.30 and 2.0 through 2.32 of Enterprise Edition. The additional buffer overflow vulnerabilities affect versions up to 1.83 and 2.34 of the Professional Edition and versions up to 1.40 and 2.34 of the Enterprise Edition as well.

11/27/06
A buffer overflow condition exists in the command continuation mechanism that allows an IMAP user to execute arbitrary commands. Since this buffer overflow can be used on the login command, it can be exploited remotely by a user without a valid login and password. Versions 1.6-1.82 and 2.0 through 2.32 of Professional Edition and 1.1-1.30 and 2.0 through 2.32 of Enterprise Edition are vulnerable.

10/04/06
CVE 2006-5176
CVE 2006-5177
The SMTP service in MailEnable Professional and Enterprise allows remote attackers to execute arbitrary code and cause denial of service via a buffer overflow when processing the signature field of NTLM Type 1 messages. Professional 2.2 and Enterprise 2.2 and earlier are affected.

09/22/06
CVE 2006-4616
The SMTP service in MailEnable Standard, Professional, and Enterprise allows remote attackers to cause a denial of service via an SPF lookup for a domain with a large number of records, which triggers a null pointer exception. Standard 1.96, Professional 2.2 and Enterprise 2.2 and earlier are affected by these vulnerabilities.

06/21/06
CVE 2006-3277
MailEnable is affected by a denial-of-service vulnerability. A remote attacker could crash the SMTP service by sending a specially crafted HELO command. MailEnable Standard 1.96, MailEnable Professional 2.1.1, and MailEnable Enterprise 2.1.1 and earlier are affected by these vulnerabilities.

06/21/06
MailEnable Enterprise 2.09 and earlier are affected by an authentication bypass vulnerability in the web administration interface. A remote attacker could gain administrative control over the mail server by requesting main.asp directly in a POST request and setting the POSTOFFICE parameter. Several other vulnerabilities in the WebMail component allow remote attackers to elevate mailbox privileges or place files in other users' Drafts folders.

04/03/06
CVE 2006-1338
The MailEnable HTTPMail protocol is vulnerable to a remote denial of service due to insufficient handling of specially formatted quoted-printable emails. The following versions resolve this issue: Professional 1.73 and Enterprise 1.21.

04/03/06
CVE 2006-1337
MailEnable is vulnerable to an unspecified authentication bypass in the POP service. The following versions resolve the issue: Professional 1.73, Enterprise 1.21 and standard 1.93.

11/22/05
12/27/05
CVE 2005-3690
CVE 2005-3813
CVE 2005-3993
CVE 2005-4402
CVE 2005-4456
CVE 2005-4457
CVE 2006-0503
CVE 2006-0504
The MailEnable IMAP service is affected by multiple buffer overflow and denial-of-service vulnerabilities. Buffer overflow vulnerabilities in the processing of arguments to the SELECT, CREATE, DELETE, RENAME, SUBSCRIBE, UNSUBSCRIBE, EXAMINE, LIST, LSUB, and UID FETCH commands could allow a user to execute arbitrary commands. Denial-of-service vulnerabilities in the RENAME command and the processing of invalid commands could allow a user to crash the IMAP service. An attacker would need a valid IMAP login and password in order to exploit these vulnerabilities.

MailEnable Professional 1.7 and 1.71 are affected by some of the above vulnerabilities. MailEnable Professional 1.6 and earlier and MailEnable Enterprise 1.1 and earlier are affected by all of these vulnerabilities.

11/22/05
CVE 2005-3691
There is a directory traversal vulnerability in the CREATE and RENAME commands which could allow an attacker to create arbitrary directories on the filesystem or rename other users' folders, thus preventing other users from accessing their e-mail.

MailEnable Professional 1.6 and earlier and MailEnable Enterprise 1.1 and earlier are affected by these vulnerabilities.

10/04/05
CVE 2005-3155
The handling of the W3C logging has an error under buffer overflow conditions. This could potentially be exploited to allow arbitrary code execution. MailEnable Professional version 1.6 (and previous) and MailEnable Enterprise version 1.1 (and previous) are affected.

07/18/05