|
|
|
Credit:
The information has been provided by Microsoft Security.
The original article can be found at: http://www.microsoft.com/technet/security/Bulletin/MS06-034.mspx
|
|
Vulnerable Systems:
* Microsoft Windows 2000 Service Pack 4 Download the update
* Microsoft Windows XP Professional Service Pack 1 and Microsoft Windows XP Professional Service Pack 2 Download the update
* Microsoft Windows XP Professional x64 Edition Download the update
* Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 Download the update
* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems Download the update
* Microsoft Windows Server 2003 x64 Edition family Download the update
* Microsoft Internet Information Services (IIS) 6.0
* Microsoft Internet Information Services (IIS) 5.1
* Microsoft Internet Information Services (IIS) 5.0
Immune Systems:
* Microsoft Windows XP Home Service Pack 1 and Microsoft Windows XP Home Service Pack 2
Internet Information Services Using Malformed Active Server Pages Vulnerability - CVE-2006-0026:
There is a remote code execution vulnerability in Internet Information Services (IIS). An attacker could exploit the vulnerability by constructing a specially crafted Active Server Pages (ASP) file, potentially allowing remote code execution if the Internet Information Services (IIS) processes the specially crafted file. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Mitigating Factors for Internet Information Services Using Malformed Active Server Pages ASP Vulnerability - CVE-2006-0026:
* On IIS 5.0 and IIS 5.1, ASP enabled applications by default run in the 'Pooled Out of Process' application, which means they run in DLLHOST.exe, which is running in the context of the low privilege IWAM_ account.
* By default, IIS 5.1 on Windows XP Professional and IIS 6.0 on Windows Server 2003 are not enabled.
* By default, ASP is not enabled on IIS 6.0. If ASP is enabled, it runs in the context of a W3WP.exe worker process running as the low privilege 'NetworkService' account.
* An attacker would require valid logon credentials to exploit this vulnerability. However, if a server has been intentionally configured to allow users, either anonymous or authenticated, to upload web content such as .ASP pages to web sites, the server could be attacked successfully by exploiting by this vulnerability.
Workarounds for Internet Information Services Using Malformed Active Server Pages Vulnerability - CVE-2006-0026:
We have not identified any workarounds for this vulnerability.
FAQ Workarounds for Internet Information Services Malformed Active Server Pages Vulnerability - CVE-2006-0026:
What is the scope of the vulnerability?
There is a remote code execution vulnerability in Internet Information Services (IIS) that results from the way that IIS handles Active Server Pages (ASP). An attacker could exploit the vulnerability by constructing a specially crafted Active Server Pages (ASP) file, which could potentially allow remote code execution if the Internet Information Services (IIS) processed the file. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
What causes the vulnerability?
An unchecked buffer in IIS.
What is Active Server Pages (ASP)?
Microsoft Active Server Pages (ASP) is a server-side scripting technology that can be used to create dynamic and interactive Web applications. An ASP page is an HTML page that contains server-side scripts that are processed by the Web server before being sent to the user's browser.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
Who could exploit the vulnerability?
An attacker would require valid logon credentials to the server in order to exploit the vulnerability. However if a server had been purposely configured to allow users, either anonymous or authenticated, to upload web content such as .ASP pages to web sites, the server could be attacked by exploit this vulnerability.
How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a specially crafted ASP file and uploading the file to an affected system. If IIS processed the file it could then cause the affected system to execute code.
What systems are primarily at risk from the vulnerability?
Windows 2000 Service Pack 4 systems running IIS 5.0 are primarily at risk from this vulnerability because IIS is enabled by default. Windows XP Professional and Windows Server 2003 are also at risk if the service is enabled.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the Internet if they are granted access to write to the server. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT professionals can visit the Security Guidance Center Web site.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
|
|
|
|