1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. Web Attack: Microsoft IIS CVE-1999-0874

Web Attack: Microsoft IIS CVE-1999-0874

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects a buffer overflow in the filter dynamic linked libraries that are employed to process several server-side file types (.HTR, .STM and .IDC files as examples)

Additional Information

Microsoft IIS (Internet Information Services) provides support for several file types that require server-side processing.

A buffer overflow vulnerability has been reported in the filter dynamic linked libraries that are employed to process several server-side file types, for example .HTR, .STM and .IDC files.

An attacker may exploit this vulnerability by making a malicious HTTP request for one of the affected file types. The malicious request will be handled by the affected filter DLL and, ultimately, an internal buffer in memory may be overrun. Data contained adjacent to the affected buffer will be corrupted with attacker-supplied data. As this memory space contains values that are crucial to controlling program execution flow, it has been reported that a skilled attacker may exploit this vulnerability to execute arbitrary code. Code execution will occur in the context of the affected IIS server. This issue might also be exploited to deny service to the affected server.

It should be noted that the affected DLLs are installed by default with IIS.

Affected

  • Microsoft IIS 4.0

Response

Workaround:
Microsoft recommends disabling the script mapping for .HTR files as a workaround.

To disable the script mapping for .HTR files:

1. From the desktop, start the Internet Services Manager by clicking Start > Programs > Windows NT 4.0 Option Pack > Microsoft Internet Information Server > Internet Service Manager
2. Double-click Internet Information Server.
3. Right-click on the computer name, and then select Properties.
4. In the Master Properties drop-down list, click "WWW Service", and then click Edit.
5. On the Home Directory tab, click Configuration.
6. Highlight the line in the extension mappings that contains ".HTR", and then click Remove.
7. Repeat these steps for .STM and .IDC extensions.
8. In response to "Remove selected script mapping?" say Yes.
9. Click OK three times.
10. Close ISM.

Solution:
Microsoft has made the following fix available:
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/ext-fix/

This vulnerability was patched in NT Service Pack 6.

eEye has made available a filter patch that will limit .HTR requests to 255 bytes, yet allow normal requests to continue to work. The filter and source are available at
http://www.eeye.com/database/advisories/ad06081999/ad06081999-ogle.html
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube