Cerberus Information Security Advisory (CISADV000327)
http://www.cerberus-infosec.co.uk/advisories.html

Released                   : 27th March 2000
Name                        : IIS ISM.DLL buffer truncation exposes files
Affected Systems       : Windows NT running IIS
Issue                          : Remote attackers can gain access to files'
contents
                                    they should not normally have access to.

Description
***********
The Cerberus Security Team has security flaw with Microsoft's Internet
Information Server 4 and 5 that allows attackers to obtain the contents of
files they should not be able to access. For example text based files (eg
.txt,.log and .ini) in the /scripts directory are not normally accessible
due to the virtual directory have only script and execute access. Using this
vulnerability it is possible to gain access to these files' contents.


Details
*******
By making a specially formed request to Internet Information Server it is
possible to obtain the contents of files. By making a request for the name
of the file and then appending around 230 + %20s (these represents spaces)
and then ".htr" this tricks Internet Information Server into thinking that
the client is requesting a ".htr" file. The .htr file extention is mapped to
the ISM.DLL ISAPI application and IIS redirects all requests for .htr
resources to this DLL.

ISM.DLL is then passed the name of the file to open and execute but before
doing this ISM.DLL truncates the buffer sent to it chopping off the .htr and
a few spaces and ends up opening the file we want to get the source of. The
contents are then returned.

This attack can only be launched once though, unless the web service is
stopped and restarted. If a .htr request has already been made to the
machine then this attack will fail. It will only work when ISM.DLL is loaded
into memory for the first time.


Solution:
*********
If you don't use the functionality provided for by ISM.DLL then it would be
best to unmap the .htr extention from ISM.DLL using the Internet Service
Manager MMC snap-in. Right click on the computer name and edit the Master
web properties. If this is not acceptable then a patch for this issue can be
obtained from Microsoft. Please see below. A check for this has been added
to Cerberus' security scanner, available from the website.

Vendor Status
*************
Microsoft were informed on the 16th of March about this issue and have
developed a patch available from
http://www.microsoft.com/technet/security/bulletin/ms00-031.asp

About Cerberus Information Security, Ltd
*****************************************
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other security auditing services. They are the
developers of CIS (Cerberus' Internet security scanner) available for free
from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally they continually research operating
system and popular service software vulnerabilites leading to the discovery
of "world first" issues. This not only keeps the team sharp but also helps
the industry and vendors as a whole ultimately protecting the end consumer.
As testimony to their ability and expertise one just has to look at exactly
how many major vulnerabilities have been discovered by the Cerberus Security
Team - over 70 to date, making them a clear leader of companies offering
such security services.

Founded in late 1999, by Mark and David Litchfield, Cerberus Information
Security, Ltd are located in London, UK but serves customers across the
World. For more information about Cerberus Information Security, Ltd please
visit their website or call on +44(0)208 395 4980.

Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd