ISS Server Sensor version 7.0 XPU 20.16 and 7.0 XPU 20.18 are vulnerable to a denial of service attack when a properly malformed URL is submitted via SSL to the underlying Microsoft IIS server causing it to shut down.
cf59a86c78129d05f3e03a7951390576cc8459296c094f26713223ffb646f0e0
[enteredgelogo.jpg]
EnterEdge Technology takes a holistic approach to ensuring the Confidentiality, Integrity and Availability of data. By
combining best-of-breed technology with security expertise, education and managed security services, EnterEdge helps
organizations lower costs and improve efficiencies.
[securitycenterheader.gif]
Release Date: August 14, 2003
CVE Number: CAN-2003-0702
Severity: High (Denial of Service)
Systems Affected (confirmed):
ISS Server Sensor version 7.0 XPU 20.16
ISS Server Sensor version 7.0 XPU 20.18
Synopsis: By sending a properly formatted URL via SSL, an attacker can successfully shut down Microsofts IIS service
stopping all web and ftp servers.
Technical Description: This vulnerability was tested with an IIS 5.0 server, running an ISS host based server sensor 7.0
xpu 20.16 and xpu 20.18.
ISS server sensor 7.0 has the ability to plug into ISS via an ISAPI plug-in to allow for IDS on SSL traffic.
By simply sending a properly formatted URL via SSL, the ISAPI filter will crash IIS shutting down the service entirely.
IIS 5 may automatically restart the service when it detects that the service has stopped.
We are currently testing this vulnerability in XPU 20.16 and 20.18 for remote code execution or code redirection.
We contacted ISS on or about August 14th concerning this issue. ISS has since released XPU 20.19 which addresses this
specific issue.
Credit: EnterEdge Technology, LLC
Copyright (c) 1998-2003 EnterEdge Technology
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way
without express consent of EnterEdge Technology. If you wish to reprint the whole or any part of this alert in any other
medium excluding electronic medium, please e-mail research@enteredge.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an
AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any
damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this
information is at the user's own risk.
Feedback
Please send suggestions, updates, and comments to: research@enteredge.com
EnterEdge Technology http://www.enteredge.com
Copyright © 2001 EnterEdge Technology, LLC 5500 Interstate N. Pkwy Suite 440 Atlanta, GA 30328
Phone: 770.955.9899 Fax 770.955.9896