what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

iis.isapi.htr.txt

iis.isapi.htr.txt
Posted Apr 11, 2002
Authored by Peter Grundl

Microsoft IIS 4.0 and 5.0 contains a buffer overrun condition in the isapi extension that handles .htr extensions that allows attackers to crash the service and/or execute arbitrary code on the server. A flaw in ism.dll which handles files with the .htr extension is the cause of this vulnerability. Microsoft advisory on this vulnerability here.

tags | overflow, arbitrary
SHA-256 | d27278de1182e49dc003e21db2c36a8adea55112733bdca6d516e9cfd57786bf

iis.isapi.htr.txt

Change Mirror Download
--------------------------------------------------------------------

-=>Microsoft IIS .htr ISAPI buffer overrun<=-
courtesy of KPMG Denmark

BUG-ID: 2002010
CVE: CAN-2002-0071
Released: 11th Apr 2002
--------------------------------------------------------------------
Problem:
========
There is a buffer overrun condition in the isapi extension that
handles .htr extensions that could allow an attacker to crash the
service and possibly execute arbitrary code on the server.


Vulnerable:
===========
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Server 5.0


Details:
========
This vulnerability was discovered by Dave Aitel from @stake and by
Peter Gründl from KPMG. It was done independently, and both
reported the same two vulnerabilities to the same vendor at around
the same time.

Dave Aitel released an advisory on this issue:
https://archives.neohapsis.com/archives/bugtraq/2002-04/0114.html

Ism.dll handles files with the extension .htr and a flaw in the
module could allow an attack to disable parts of or all of the
functionality of a website. It is theoretically possibly to
execute code with this overflow, although attempted exploitation
would most likely result in a Denial of Service situation.

The problem is with the modules parameter handling, as declared
variables are subject to a buffer overrun ("/foo.htr?<buffer>=x").
The number of overflows needed and the result depends on the
internal state of the IIS memory allocations. A determined
attacker could proceed to crash the service, and repeatedly send
the malicious payload as the injection vector would now be
relatively fixed, when the server was rebooted.


Vendor URL:
===========
You can visit the vendors webpage here: https://www.microsoft.com


Vendor response:
================
The vendor was contacted on the 31st of January, 2002. On the 18th
of March we received a private hotfix, which corrected the issue.
On the 10th of April, the vendor released a public bulletin.


Corrective action:
==================
The vendor has released a patched ism.dll, which is included in
the security rollup package MS02-018, available here:
https://www.microsoft.com/technet/security/bulletin/ms02-018.asp


Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close