Eight new IIS security holes exposed

A patchy Web server

  • alert
  • submit to reddit

3 Big data security analytics techniques

There are eight new security stuff-ups affecting various editions of Microsoft IIS (Internet Information Server), the most serious of which will enable an attacker to take over the system, MS revealed today.

If you're wondering why you haven't heard about them before, chalk it up to Trustworthy Computing, a Redmond policy which leaves everyone exposed to attack until MS is satisfied with its patches and spills the beans. We prefer to know these things as soon as possible so we can look into temporary workarounds and shutter the window of opportunity straight away, but MS is clearly opposed to that approach. (One workaround we rather like is called Apache, but we digress....)

Before we get into the gory details, we have to mention that we've received anecdotal reports that some of the MS patches have been breaking some of the machines they're installed on. So do test them before integrating them into critical systems. If you've installed one of the patches, I'd like to hear from you whether your experience was good or bad, in hopes of confirming the problem or, alternatively, putting the rumor down.

And now for a brief roundup.

First up, a buffer overflow involving chunked encoding with the ASP (Active Server Page) ISAPI filter. This can be exploited to crash or run arbitrary code on the machine. Essentially, an attacker can cause IIS to miscalculate incoming data and so allocate undersized buffers. There's a good writeup and a sample exploit by eEye, which discovered it, posted here. Affects IIS 4.0 and 5.0.

Next, a mysterious one which Microsoft claims to have discovered and which it says "is related to the preceding one, but which lies elsewhere within the ASP data transfer mechanism." Whatever it is, it appears it can be exploited much like the chunk encoding flaw above, and affects IIS 4.0, 5.0 and 5.1.

We have another buffer overflow involving HTTP header processing, in which an attacker can spoof delimiter checking and persuade IIS that delimiting characters are present when they're not. Thus a malicious URL with bogus HTTP header field values can overstuff the buffers created to process them. Affects IIS 4.0, 5.0 and 5.1.

And we have yet another buffer overflow, this time caused by a bad safety check for server-side includes, which MS caught. It's possible for an invalid and very long file name to pass the include safety check, resulting in a file name bigger than its intended buffer, and obviously a buffer overflow. Affects IIS 4.0, 5.0 and 5.1.

We have one more, this time involving the HTR ISAPI extension in which malformed .htr file requests can cause a heap overflow. According to MS, an attacker can "cause [IIS] to temporarily stop providing Web services or, in very unusual cases, could gain control of the server." According to @Stake's Dave Aitel, who discovered it, "this heap overflow can be used to execute arbitrary machine code. In the default installation, this results in remote execution in the IUSR_machine security context." The difference in these two accounts is a matter of emphasis. In any case an attacker wouldn't get administrator privileges directly from exploiting it, but the ability to run arbitrary code means he wouldn't have terribly far to go. The relevant @Stake advisory contains a few details left out of the MS bulletin, and is worth reading. Aitel has also developed a free tool called Spike which finds the HTR and ISAPI overflow vulns, available here. Affects IIS 4.0 and 5.0.

For a change of pace, we've got a denial of service vulnerability involving the way an ISAPI filter included in FrontPage Server Extensions and ASP.NET generates a errors when a request is received containing a URL exceeding the maximum length set by the filter. IIS attempts to process the URL while returning an error message, resulting in an access violation which causes it to crash. Affects IIS 4.0, 5.0, and 5.1

We've got another denial of service vulnerability where an attacker can establish an FTP session in which a status request can interfere with normal error reporting, causing an access violation. This can crash both FTP and HTTP services. Affects IIS 4.0, 5.0 and 5.1.

And last but not least, we've got three CSS (Cross-Site Scripting) vulnerabilities, which MS has lumped together thus: "One involving the results page that?s returned when searching the IIS Help Files, one involving HTTP error pages; and one involving the error message that?s returned to advise that a requested URL has been redirected."

"All of these vulnerabilities have the same scope and effect: an attacker who was able to lure a user into clicking a link on his web site could relay a request containing script to a third-party web site running IIS, thereby causing the third-party site?s response (still including the script) to be sent to the user. The script would then render using the security settings of the third-party site rather than the attacker?s."

If you'd like to know what that means, you can check out a Web page by Thor Larholm which tells you a few things MS neglects. Such things as how CSS allows for "stealing cookies from any IIS site, cross-domain scripting to any IIS site, hijacking Hotmail and Passport accounts, elevating privileges through ActiveX components, hijacking the MSN Messenger client, etc." Affects IIS 4.0, 5.0 and 5.1.

The Microsoft bulletin, from which much of the above has been drawn, is located here. It also contains links to the three patches MS has released, with cautions, caveats and useful advice. And don't forget to check out the IIS lockdown tool, and the URL Scanning tool which MS provides free. ®

SANS - Survey on application security programs

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
Red Hat to ship RHEL 7 release candidate with a taste of container tech
Grab 'near-final' version of next Enterprise Linux next week
Ditch the sync, paddle in the Streem: Upstart offers syncless sharing
Upload, delete and carry on sharing afterwards?
prev story


Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.