A flaw in internal object interaction allows malicious users to bring down Internet Information Server 4.0, 5.0 and 5.1 with FP2002. Frontpage contains URL parsers for dynamic components (shtml.exe/dll). If a malicious user issues a request for /_vti_bin/shtml.exe where the URL for the dynamic contents is replaced with a long URL, the submodule will filter out the URL, and return a null value to the web service URL parser, crashing IIS. Microsoft advisory on this vulnerability here.
2c7f22d92ba1efc6894fb32573cb90993ce6539d8792aa6eb6822d2b40b8c827--------------------------------------------------------------------
-=>Microsoft IIS W3SVC Denial of Service<=-
courtesy of KPMG Denmark
BUG-ID: 2002009
CVE: CAN-2002-0072
Released: 11th Apr 2002
--------------------------------------------------------------------
Problem:
========
A flaw in internal object interaction could allow a malicious user
to bring down Internet Information Server 4.0, 5.0 and 5.1.
Vulnerable:
===========
- Microsoft Internet Information Server 4.0 with FP2002
- Microsoft Internet Information Server 5.0 with FP2002
- Microsoft Internet Information Server 5.1 with FP2002
Details:
========
This vulnerability was discovered by Dave Aitel from @stake and by
Peter Gründl from KPMG. It was done independently, and both
reported the same two vulnerabilities to the same vendor at around
the same time.
Frontpage contains URL parsers for dynamic components (shtml.exe/dll)
If a malicious user issues a request for /_vti_bin/shtml.exe where
the URL for the dynamic contents is replaced with a long URL, the
submodule will filter out the URL, and return a null value to the
web service URL parser. An example string would be 35K of ascii 300.
This will cause an access violation and Inetinfo.exe will be shut
down. Due to the nature of the crash, we do not feel that it is
exploitable beyond the point of a Denial of Service.
Although servers are supposed to restart the service with "iisreset",
this only works a few times (if any), and the service is crashed
until an admin manually restarts the service or reboots the server.
Vendor URL:
===========
You can visit the vendors webpage here: http://www.microsoft.com
Vendor response:
================
The vendor was contacted on the 4th of February, 2002. On the 9th
of April we received a private hotfix, which corrected the issue.
On the 10th of April, the vendor released a public bulletin.
Corrective action:
==================
The vendor has released a patched w3svc.dll, which is included in
the security rollup package MS02-018, available here:
http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Author: Peter Gründl (pgrundl@kpmg.dk)
--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed