__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                       ___  __ __    _     ___
                      /       | /_\  /    /
                      \___  __|__/  \___ /
__________________________________________________________

                         INFORMATION BULLETIN

            Cumulative Patch for Internet Information Service
                 [Microsoft Security Bulletin MS02-062]

November 1, 2002 14:00 GMT                                        Number N-011
______________________________________________________________________________

PROBLEM:       This patch is a cumulative patch that includes the
               functionality of all security patches released for IIS 4.0
               since Windows NT 4.0 Service Pack 6a, and all security
               patches released to date for IIS 5.0 and 5.1.

SOFTWARE:      Microsoft Internet Information Server 4.0
               Microsoft Internet Information Services 5.0
               Microsoft Internet Information Services 5.1

DAMAGE:        The most serious of the four vulnerabilities addressed by
               this patch could enable applications on a server to gain
               system-level privileges.

SOLUTION:      Apply the patch.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. To exploit any of these vulnerabilities
ASSESSMENT:    the attacker would need the ability to load and execute
               applications, or entice a user to visit a malicious web site
               or open an HTML e-mail.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-011.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?
                     url=/technet/security/bulletin/MS02-062.asp
 PATCHES:            http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43566
                     http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43296
                     http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43578
                     http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43602
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS02-062 *****]

Microsoft Security Bulletin MS02-062

Cumulative Patch for Internet Information Service (Q327696)

Originally posted: October 30, 2002

Summary

Who should read this bulletin:
Customers hosting web servers using Microsoft® Windows NT® 4.0, Windows® 2000, or Windows XP.

Impact of vulnerability:
Four vulnerabilities, the most serious of which could enable applications on a server to gain system-level privileges.

Maximum Severity Rating: Moderate

Recommendation:
Customers using IIS 4.0, 5.0 or 5.1 should consider applying the patch.

Affected Software:
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Services 5.0
- Microsoft Internet Information Services 5.1

Technical details

Technical description:

This patch is a cumulative patch that includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 and 5.1. A complete listing of the patches superseded by this patch is provided below, in the section titled "Additional information about this patch". Before applying the patch, system administrators should take note of the caveats discussed in the same section.

In addition to including previously released security patches, this patch also includes fixes for the following newly discovered security vulnerabilities affecting IIS 4.0, 5.0 and/or 5.1:

- A privilege elevation vulnerability affecting the way ISAPIs are launched when an IIS 4.0, 5.0 or 5.1 server is configured to run them out of process.
  By design, the hosting process (dllhost.exe) should run only in the security context of the IWAM_computername account; however, it can actually be made to acquire LocalSystem privileges under certain circumstances, thereby enabling an ISAPI to do likewise.

- A denial of service vulnerability that results from a flaw in the way IIS 5.0 and 5.1 allocate memory for WebDAV requests. If a WebDAV request were malformed in a particular way, IIS would allocate an extremely large amount of memory on the server. By sending several such requests, an attacker could cause the server to fail.

- A vulnerability involving the operation of the script source access permission in IIS 5.0. This permission operates in addition to the normal read/write permissions for a virtual directory, and regulates whether scripts, .ASP files and executable file types can be uploaded to a write-enabled virtual directory. A typographical error in the table that defines the file types subject to this permission has the effect of omitting .COM files from the list of files subject to the permission. As a result, a user would need only write access to upload such a file.

- A pair of Cross-Site Scripting (CSS) vulnerabilities affecting IIS 4.0, 5.0 and 5.1, and involving administrative web pages. Each of these vulnerabilities has the same scope and effect: an attacker who was able to lure a user into clicking a link on his web site could relay a request containing script to a third-party web site running IIS, thereby causing the third-party site's response (still including the script) to be sent to the user. The script would then render using the security settings of the third-party site rather than the attacker's.

In addition, the patch causes IIS 5.0 and 5.1 to change how frequently the socket backlog list – which, when all connections on a server are allocated, holds the list of pending connection requests – is purged.
The patch changes IIS to purge the list more frequently in order to make it more resilient to flooding attacks. The backlog monitoring feature is not present in IIS 4.0.

Mitigating factors:

Out of Process Privilege Elevation:
- This vulnerability could only be exploited by an attacker who already had the ability to load and execute applications on an affected web server. Normal security practices recommend that untrusted users not be allowed to load applications onto a server, and that even trusted users' applications be scrutinized before allowing them to be loaded.

WebDAV Denial of Service:
- The vulnerability does not affect IIS 4.0, as WebDAV is not supported in this version of IIS.
- The vulnerability could only be exploited if the server allowed WebDAV requests to be levied on it. The IIS Lockdown Tool, if deployed in its default configuration, disables such requests.

Script Source Access Vulnerability:
- The vulnerability could only be exploited if the administrator had granted all users write and execute permissions to one or more virtual directories on the server. Default configurations of IIS would be at no risk from this vulnerability.

Cross-site Scripting in IIS Administrative Pages:
- The vulnerabilities could only be exploited if the attacker could entice another user into visiting a web page and clicking a link on it, or opening an HTML mail.
- By default, the pages containing the vulnerability are restricted to the local IP address. As a result, the vulnerability could only be exploited if the client itself were running IIS.
Severity Rating:

Out of Process Privilege Elevation:
            Internet Servers   Intranet Servers   Client Systems
  IIS 4.0   Moderate           Moderate           None
  IIS 5.0   Moderate           Moderate           None
  IIS 5.1   Moderate           Moderate           None

WebDAV Denial of Service:
            Internet Servers   Intranet Servers   Client Systems
  IIS 4.0   None               None               None
  IIS 5.0   Moderate           Moderate           None
  IIS 5.1   Moderate           Moderate           None

Script Source Access Vulnerability:
            Internet Servers   Intranet Servers   Client Systems
  IIS 4.0   None               None               None
  IIS 5.0   Low                Low                None
  IIS 5.1   None               None               None

Cross-site Scripting in IIS Administrative Pages:
            Internet Servers   Intranet Servers   Client Systems
  IIS 4.0   None               None               Low
  IIS 5.0   None               None               Low
  IIS 5.1   None               None               Low

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier:
- Out of Process Privilege Elevation: CAN-2002-0869
- WebDAV Denial of Service: CAN-2002-1182
- Script Source Access Vulnerability: CAN-2002-1180
- Cross-site Scripting in IIS Administrative Pages: CAN-2002-1181

Tested Versions:
Microsoft tested IIS 4.0, 5.0 and 5.1 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Patch availability

Download locations for this patch:
- IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43566
- IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43296
- IIS 5.1:
  - 32-bit: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43578
  - 64-bit: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43602

Additional information about this patch

Installation platforms:
- The IIS 4.0 patch can be installed on systems running Windows NT 4.0 Service Pack 6a.
- The IIS 5.0 patch can be installed on systems running Windows 2000 Service Pack 2 or Service Pack 3.
- The IIS 5.1 patch can be installed on systems running Windows XP Professional Gold and Service Pack 1.

Inclusion in future service packs:
- No additional service packs are planned for Windows NT 4.0.
- The IIS 5.0 fixes will be included in Windows 2000 Service Pack 4.
- The IIS 5.1 fixes will be included in Windows XP Service Pack 2.

Reboot needed:
- IIS 4.0: A reboot can be avoided by stopping the IIS service, installing the patch with the /z switch, then restarting the service. Knowledge Base article Q327696 provides additional information on this procedure.
- IIS 5.0: In most cases, the patch does not require a reboot. The installer stops the needed services, applies the patch, then restarts them. However, if the needed services cannot be stopped for any reason, it will require a reboot. If this occurs, a prompt will be displayed advising of the need to reboot.
- IIS 5.1: No. (In some cases, a pop-up dialogue may say that the system needs to be rebooted in order for the patch installation process to be completed. This dialogue, if it appears, can be ignored.)

Patch can be uninstalled: Yes

Superseded patches:
This patch supersedes the ones provided in the following Microsoft Security Bulletins:
- MS02-028
- MS02-018
(This is a cumulative patch, and supersedes additional patches.)

Verifying patch installation:

IIS 4.0:
- To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q327696
- To verify the individual files, consult the file manifest in Knowledge Base article Q327696.

IIS 5.0:
- To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q327696
- To verify the individual files, use the date/time and version information provided in the following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q327696\Filelist

IIS 5.1:
- To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\Q327696
- To verify the individual files, use the date/time and version information provided in the following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\Q327696\Filelist

Caveats:

- The fixes for four vulnerabilities affecting IIS 4.0 servers are not included in the patch, because they require administrative action rather than a software change. Administrators should ensure that in addition to applying this patch, they also have taken the administrative action discussed in the following bulletins:
  - Microsoft Security Bulletin MS00-028
  - Microsoft Security Bulletin MS00-025
  - Microsoft Security Bulletin MS99-025 (which discusses the same issue as Microsoft Security Bulletin MS98-004)
  - Microsoft Security Bulletin MS99-013

- The patch does not include fixes for vulnerabilities involving non-IIS products like Front Page Server Extensions and Index Server, even though these products are closely associated with IIS and typically installed on IIS servers. At this writing, the bulletins discussing these vulnerabilities are:
  - Microsoft Security Bulletin MS01-043
  - Microsoft Security Bulletin MS01-025
  - Microsoft Security Bulletin MS00-084
  - Microsoft Security Bulletin MS00-018
  - Microsoft Security Bulletin MS00-006
  There is, however, one exception. The fix for the vulnerability affecting Index Server which is discussed in Microsoft Security Bulletin MS01-033 is included in this patch. We have included it because of the seriousness of the issue for IIS servers.
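As an added check that is not part of the bulletin, the PowerShell script below tests a host for the Q327696 registry markers listed under "Verifying patch installation" above, so an administrator can inventory whether MS02-062 is recorded on a server. It assumes a host with PowerShell and its HKLM: registry provider, and uses the key paths exactly as the bulletin prints them.

```powershell
# Added example (not part of the bulletin): check whether the MS02-062
# cumulative patch (Q327696) is recorded in the registry, using the keys
# the bulletin lists under "Verifying patch installation".
# Assumes PowerShell with the HKLM: registry provider on the IIS host.

$Q = 'Q327696'

# Registry keys per IIS version, as printed in the bulletin.
$checks = @(
    @{ Version  = 'IIS 4.0'
       Key      = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\$Q"
       FileList = $null }   # IIS 4.0: file manifest is in KB Q327696, not the registry
    @{ Version  = 'IIS 5.0'
       Key      = "HKLM:\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\$Q"
       FileList = "HKLM:\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\$Q\Filelist" }
    @{ Version  = 'IIS 5.1'
       Key      = "HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP4\$Q"
       FileList = "HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP4\$Q\Filelist" }
)

function Test-MS02062Patch {
    $results = foreach ($c in $checks) {
        $installed = Test-Path -Path $c.Key
        $files = @()
        if ($installed -and $c.FileList -and (Test-Path -Path $c.FileList)) {
            # The bulletin says Filelist carries date/time and version data for
            # the patched files; each subkey is assumed to describe one file.
            $files = @(Get-ChildItem -Path $c.FileList | ForEach-Object {
                Get-ItemProperty -Path $_.PSPath
            })
        }
        [pscustomobject]@{
            Version   = $c.Version
            KeyFound  = $installed
            FileCount = $files.Count
        }
    }
    return $results
}

$report = Test-MS02062Patch
$report | Format-Table -AutoSize

# Only the key for the installed IIS version is expected; the other two
# are normally absent. Flag the host only if no Q327696 marker exists at all.
if (-not ($report | Where-Object { $_.KeyFound })) {
    Write-Warning "No $Q patch marker found; MS02-062 may not be applied on this host."
    exit 1
}
```

A present key shows only that the installer recorded the patch; confirming the individual files still means comparing them against the Filelist data (IIS 5.0/5.1) or the KB Q327696 manifest (IIS 4.0), as the bulletin instructs.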
Customers using IIS 4.0 should ensure that they have followed the correct installation order before installing this or any security patch. Specifically, customers should ensure that Windows NT 4.0 Service Pack 6a has been applied (or re-applied) after installing the IIS 4.0 service.

Customers using Site Server should be aware that a previously documented issue involving intermittent authentication errors has been determined to affect this and a small number of other patches. Microsoft Knowledge Base article Q317815 discusses the issue and how to resolve it.

Localization:
Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments
Microsoft thanks the following people for reporting this issue to us and working with us to protect customers:
- Li0n of A3 Security Consulting Co., Ltd. (http://www.a3sc.co.kr) for reporting the Out of process privilege elevation vulnerability.
- Mark Litchfield of Next Generation Security Software Ltd. (http://www.nextgenss.com) for reporting the WebDAV denial of service vulnerability.
- Luciano Martins of Deloitte & Touche Argentina (http://www.deloitte.com.ar) for recommending the change in the socket backlog list purge rate.

Support:
- Microsoft Knowledge Base article Q327696 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources:
The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:
- V1.0 (October 23, 2002): Bulletin Created.

[***** End Microsoft Security Bulletin MS02-062 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-002: Microsoft HTML Help ActiveX Control Vulnerabilities
N-003: Microsoft Cumulative Patch for SQL Server
N-004: SGI rpcbind User-level Vulnerabilities
N-005: Apache 1.3.27 HTTP Server Release
N-006: HP pam_authz in LDAP-UX Integration Vulnerabilities
N-007: Microsoft Outlook Express Unchecked Buffer in S/MIME Vulnerability
N-008: Microsoft Elevation of Privilege in SQL Server Web Tasks
N-009: MIT krb5 Buffer Overflow in kadmind4
CIACTech03-001: Spamming using the Windows Messenger Service
N-010: Web-Based Enterprise Management on Solaris 8 Installs Insecure Files