IWS - The Information Warfare Site

ADVISORY 01-013

"Buffer Overflow Vulnerability in Microsoft's Internet Information Services (IIS) 4.0 and 5.0"
June 19, 2001

The NIPC and FedCIRC are jointly issuing this advisory to highlight the significance of the above vulnerability, addressed in Microsoft Security Bulletin MS01-033 from yesterday. Attackers can remotely gain SYSTEM LEVEL ACCESS (root) on any computer running Microsoft's IIS web server software. System-level access gives a user full control of the server: the ability to install malicious code, run programs, reconfigure the system, and add, change, or delete files.

The vulnerability is in the Internet services application programming interface (ISAPI) extension that is used to manage indexing services and custom searches. An attacker who successfully establishes a connection with an Internet Information Services (IIS) web server could introduce malicious code by exploiting a buffer overflow vulnerability.

Recommendation:

The Microsoft bulletin describing this vulnerability and the patch to fix the problem may be found at: http://www.microsoft.com/technet/security/bulletin/MS01-033.asp. Microsoft strongly recommends that all web server administrators mitigate this vulnerability immediately by applying the patch.

Background:

As reported by Microsoft, this vulnerability affects all default installs of IIS versions 4.0 and 5.0 (Windows NT and Windows 2000 web server IIS software). Customers who have installed only the Indexing services but not the IIS web server are not affected by this vulnerability. Additionally, users are only vulnerable if the IIS web service is not just installed but actually running. Simply having it installed on a computer is not sufficient for a hacker to complete an exploit. However, if IIS has been installed, removing the script mapping to the ISAPI extension files (idq.dll and ida.dll) will not ensure protection, because Windows re-maps such files whenever a new Windows component is added to the system.
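As an added defender-side check (example code, not part of this advisory): the script below parses IIS W3C extended log lines and reports every request that reaches the .ida/.idq handlers, since any such hit shows the script mapping is live regardless of whether an administrator removed it. The log lines are constructed, and the 200-character query-string threshold is an arbitrary assumption.

```python
# Added example (not from the advisory): scan IIS W3C extended log lines for
# requests that reach the Indexing Service ISAPI extensions (.ida / .idq).
# Sample log lines are constructed; LONG_QUERY is an arbitrary assumption.

ISAPI_EXTENSIONS = (".ida", ".idq")
LONG_QUERY = 200  # assumption: flag query strings at or above this length

# Constructed sample: a page, an ordinary .idq search, an .ida request with
# an overlong query string, and a static file.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-06-19 10:01:02 192.0.2.10 GET /default.htm - 200",
    "2001-06-19 10:01:05 192.0.2.11 GET /search.idq CiRestriction=report 200",
    "2001-06-19 10:01:09 192.0.2.12 GET /default.ida " + "X" * 300 + " 200",
    "2001-06-19 10:01:12 192.0.2.13 GET /images/logo.gif - 304",
])


def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field names follow the directive
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields and len(line.split()) == len(fields):
            records.append(dict(zip(fields, line.split())))
    return records


def find_isapi_hits(records, long_query=LONG_QUERY):
    """Return records whose URI is handled by idq.dll/ida.dll, with reasons.
    Every such request is reported, since it shows the script mapping is
    active (the advisory notes Windows re-creates it); an overlong query
    string gets an extra flag."""
    hits = []
    for rec in records:
        if not rec.get("cs-uri-stem", "").lower().endswith(ISAPI_EXTENSIONS):
            continue
        query = rec.get("cs-uri-query", "-")  # "-" means no query string
        reasons = ["indexing-isapi-request"]
        if query != "-" and len(query) >= long_query:
            reasons.append("overlong-query")
        hits.append({**rec, "reasons": reasons})
    return hits
```

Run `find_isapi_hits(parse_w3c(open(path).read()))` against a real log directory to enumerate which clients are reaching the indexing handlers before and after the patch is applied.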

The NIPC and FedCIRC consider this to be a significant threat due to the large installed base of IIS users, the potential for remote compromise, and the level of access granted by this vulnerability. This advisory is being issued prior to any reported victims. Additionally, based on the life cycle of such vulnerabilities, system administrators can expect to see new exploits targeting this service in the very near future.

Recipients of this advisory are encouraged to report computer crime to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate authorities. Incidents may be reported online at http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov. The FedCIRC Operations Center can be reached at 1-888-282-0870 or fedcirc@fedcirc.gov.