Microsoft has released a patch that eliminates a security vulnerability in a component that ships as part of Microsoft Internet Information Server. The vulnerability could potentially allow an attacker to prevent an affected web server from providing useful service.
Credit:
This security hole was reported by eEye Digital Security
Vulnerable systems:
Microsoft IIS 4.0
Microsoft IIS 5.0
The FrontPage Server Extensions (FPSE) ship with and are installed by default as part of IIS 4.0 and 5.0. The most familiar FPSE functions allow web site and content management; however, FPSE also provides browse-time support functions. Among the functions included in the latter category are ones that help process web forms that have been submitted by a user. A vulnerability exists in one of these functions. If a malicious user sent an especially malformed form submission to an affected server, it would cause the IIS service to fail. The vulnerability does not provide the opportunity to misuse any of the FPSE administrative or content management functions.
To resume normal operation on an IIS 4.0 server, the operator would need to restart the service. In contrast, if an IIS 5.0 server were attacked via this vulnerability, the IIS service would, by default, automatically restart almost immediately. Although any web sessions that were in progress at the time of the attack would be lost, the server would be able to accept new connections as soon as the service was restarted. FPSE is installed by default as part of IIS 4.0 and 5.0, but, in keeping with best practices, Microsoft recommends that they be disabled if not needed.
Patch Availability
Microsoft IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26277
Microsoft IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26704
Note: The IIS 5.0 patch can be applied atop systems running either Windows 2000 Gold or Service Pack 1. It will be included in Windows 2000 Service Pack 2.
Note: The IIS 4.0 patch can be applied atop systems running Windows NT 4.0 Service Pack 6a or 5. It will be included in Windows NT 4.0 Service Pack 7.
Note: IIS users who have removed the FPSE are not affected by this vulnerability and do not need to take further action.
What's the scope of the vulnerability?
This is a denial of service vulnerability. By sending an especially malformed form submission to an affected server, it would be possible for a malicious user to disrupt the server's operation.
The extent of the disruption would depend on the version of IIS in use on the server. If an IIS 4.0 server were successfully attacked via this vulnerability, the server operator would need to take action to restore service; an IIS 5.0 server would automatically restore service, but any web sessions that had been in progress at the time of the attack would be interrupted.
What causes the vulnerability?
A component of FrontPage Server Extensions (FPSE) that handles web forms doesn't adequately validate its input before using it. By sending a malformed form submission, it would be possible to cause the IIS service to fail.
Is this a vulnerability in FrontPage?
No. FrontPage and FrontPage Server Extensions are two completely different products. The most obvious difference is where the products run. FrontPage runs on a client machine, like a laptop or workstation; FPSE runs on the web server itself. Although FPSE has features that support FrontPage users, it also has features that aren't related in any way to FrontPage.
What are FrontPage Server Extensions?
FPSE is a set of programs that are included with IIS 4.0 and 5.0, and which aid in managing and developing content for a web site. FPSE's functionality can be divided broadly into two categories:
Content management and administration tools. FPSE provides features that let administrators use FrontPage to remotely manage their web sites, or allow web developers using FrontPage to remotely add or modify the web pages on a site.
Browse-time support. FPSE also includes functions that provide functionality commonly needed by web applications. For example, FPSE provides a component that can be incorporated into a web page to enable the user to search the site. This saves web developers from needing to write code to perform common functions.
Is this a vulnerability in IIS?
No. Although FPSE is included with IIS 4.0 and 5.0, the problem has nothing to do with these products per se. The problem lies entirely within FPSE.
Does the problem lie in the FPSE content management and administration functions, or in the browse-time support functions?
The problem lies in one of the browse-time support functions. Specifically, the problem lies in one of the browse-time functions that provides support for processing of web forms. If a form were submitted in a particular way, it would disrupt service on the web server.
What do you mean when you say that exploiting the vulnerability would "disrupt service"?
The effect of exploiting the vulnerability would differ depending on whether the server was running IIS 4.0 or 5.0. In either case, though, it would interrupt service on the server.
On an IIS 4.0 machine, exploiting the vulnerability would cause the IIS service to fail. The operator would need to restart it in order to resume normal operation.
On an IIS 5.0 machine, exploiting the vulnerability would cause the service to fail, but it would automatically restart itself almost immediately. Any web sessions that were underway at the time of the attack would be lost, but the server would be able to start new sessions.
Is FPSE installed by default on IIS servers?
Yes, but you can remove FPSE if you'd like. Security best practices recommend always disabling any services that aren't needed, so customers who aren't using the FPSE functionality may wish to remove it. To do this, open a command prompt and issue the following commands:
cd \Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin
fpsrvadm -o uninstall -p all
Could this vulnerability be used to add new content to a web site or to gain administrative control over it?
No. It's strictly a denial of service vulnerability.
Could someone exploit this vulnerability accidentally while using a web form?
No. To exploit the vulnerability, a malicious user would need to deliberately create an especially malformed form submission request, and then send it to an affected server. The malformation does not occur in normal use.
I don't host any forms on my web site, but I do have FPSE installed. Could I be affected by the vulnerability?
Yes. As long as FPSE is installed on the web server, the vulnerability could be exploited.
Who should use the patch?
Microsoft recommends that all users running an affected IIS server consider installing the patch.
What does the patch do?
The patch eliminates the vulnerability by rejecting the malformed form submission. This is appropriate, as the form submission that exploits this vulnerability is an invalid one.