
Microsoft IIS HTR Chunked Encoding heap overflow allows arbitrary code execution


Date Discovered

A heap overflow condition exists in the chunked encoding data transfer handling of Internet Information Server 4.0 and Internet Information Services 5.0. It is similar to the heap overflow fixed by MS02-018, but that earlier flaw was in the Internet Services Application Programming Interface (ISAPI) extension that implements Active Server Pages (ASP); this one is in the ISAPI extension that implements HTR (ism.dll).

Chunked encoding (HTTP/1.1 Transfer-Encoding: chunked) lets a client submit a request body whose total length is not known in advance. The body is sent as a sequence of chunks, each prefixed by its size in hexadecimal and terminated by CRLF, and the sequence ends with a zero-length chunk. The web server reads each size line, then receives and processes that many bytes of data.

An attacker could send a specially crafted chunked request to an affected web server to either disrupt web services or run code of the attacker's choosing on the server. On IIS 4.0 the HTR extension runs in-process in inetinfo.exe, so such code would run with full system (LocalSystem) privileges. On IIS 5.0, where ISAPI extensions run out-of-process by default under the IWAM account, exploitation would give the attacker fewer but nevertheless significant privileges. In either case, the attacker could overflow the heap with arbitrary data to corrupt program state and cause the IIS service to fail, denying service to legitimate users, or could overflow the heap with attacker-chosen data to change the operation of the server. Specifically, the attacker could overwrite static global variables, stored function pointers, process management structures, memory management structures, or other data adjacent to the overflowed buffer, and thereby gain control of the target application within a single session.
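To make the mechanics concrete, the following is an added example and not code from the original advisory or from Microsoft's ism.dll: a minimal chunked-body decoder in C that shows where a decoder of this kind must check the size it just parsed against the buffer it is writing into. Trusting the hexadecimal size line when sizing or filling a heap buffer, and then copying the data that follows without re-checking, is the class of bug described above. The request bodies, the 64-byte destination buffer and the status codes are constructed for the demo.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes returned by chunked_decode(). */
enum { CHUNKED_OK = 0, CHUNKED_MALFORMED = -1, CHUNKED_TOO_LARGE = -2, CHUNKED_TRUNCATED = -3 };

/* Parse one chunk-size line ("1A;ext=val\r\n"). On success stores the size and
 * advances *p past the CRLF. Rejects a missing size and a hex value that would
 * wrap around, so a huge size can never turn into a small allocation. */
static int parse_chunk_size(const char **p, const char *end, size_t *size_out)
{
    const char *s = *p;
    size_t size = 0;
    int digits = 0;

    while (s < end && isxdigit((unsigned char)*s)) {
        int v = isdigit((unsigned char)*s) ? *s - '0'
                                           : tolower((unsigned char)*s) - 'a' + 10;
        if (size > (SIZE_MAX - (size_t)v) / 16)
            return CHUNKED_MALFORMED;          /* hex size would wrap */
        size = size * 16 + (size_t)v;
        s++;
        digits++;
    }
    if (digits == 0)
        return CHUNKED_MALFORMED;
    while (s < end && *s != '\r')              /* skip any chunk extension */
        s++;
    if (end - s < 2 || s[0] != '\r' || s[1] != '\n')
        return CHUNKED_TRUNCATED;
    *p = s + 2;
    *size_out = size;
    return CHUNKED_OK;
}

/* Decode a chunked request body into a caller-supplied buffer of capacity cap.
 * The bounds check marked below is the one a vulnerable decoder omits: it
 * trusts the size line to fit the buffer it allocated and copies anyway. */
int chunked_decode(const char *body, size_t body_len,
                   unsigned char *out, size_t cap, size_t *out_len)
{
    const char *p = body, *end = body + body_len;
    size_t total = 0;

    for (;;) {
        size_t chunk;
        int rc = parse_chunk_size(&p, end, &chunk);
        if (rc != CHUNKED_OK)
            return rc;
        if (chunk == 0)                        /* last-chunk: "0\r\n" */
            break;
        if (chunk > cap - total)               /* <-- the check that must not be missing */
            return CHUNKED_TOO_LARGE;
        if ((size_t)(end - p) < chunk + 2)     /* chunk data plus its CRLF present? */
            return CHUNKED_TRUNCATED;
        memcpy(out + total, p, chunk);
        total += chunk;
        p += chunk;
        if (p[0] != '\r' || p[1] != '\n')
            return CHUNKED_MALFORMED;
        p += 2;
    }
    /* Trailer section: skip any trailer header lines, require the final empty line. */
    for (;;) {
        const char *eol = memchr(p, '\r', (size_t)(end - p));
        if (eol == NULL || end - eol < 2 || eol[1] != '\n')
            return CHUNKED_TRUNCATED;
        int empty = (eol == p);
        p = eol + 2;
        if (empty)
            break;
    }
    *out_len = total;
    return CHUNKED_OK;
}

/* Constructed sample bodies for the demo (not captured IIS traffic). */
static const char GOOD_BODY[]  = "5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n";
/* Claims 0x7fffffff bytes but supplies four: a decoder that sizes its heap
 * buffer from the size line and copies what follows is the bug class above. */
static const char HUGE_CHUNK[] = "7fffffff\r\nAAAA\r\n0\r\n\r\n";
/* 17 hex digits: wraps size_t on 64-bit, so it must be rejected outright. */
static const char WRAP_SIZE[]  = "10000000000000000\r\nAAAA\r\n0\r\n\r\n";

/* Demo helper: decode into a fixed 64-byte buffer, NUL-terminate the result
 * in demo_out and return the status code. */
char demo_out[64];
int demo_decode(const char *body)
{
    unsigned char buf[64];
    size_t n = 0;
    int rc = chunked_decode(body, strlen(body), buf, sizeof buf - 1, &n);
    demo_out[0] = '\0';
    if (rc == CHUNKED_OK) {
        memcpy(demo_out, buf, n);
        demo_out[n] = '\0';
    }
    return rc;
}

int main(void)
{
    printf("good: %d (%s)\n", demo_decode(GOOD_BODY), demo_out);
    printf("huge: %d\n", demo_decode(HUGE_CHUNK));
    printf("wrap: %d\n", demo_decode(WRAP_SIZE));
    return 0;
}
```

The decoder rejects the oversized chunk before touching the buffer and rejects a size line whose hexadecimal value would wrap, which is the other way an attacker can make "size fits buffer" look true. URLScan's default blocking of Transfer-Encoding requests, mentioned below, is the network-side equivalent of refusing to run this code path at all.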

Mitigating factors that affect the overall impact of successful exploitation of this vulnerability include:

  • Systems on which HTR is disabled are not at risk from this vulnerability.
  • Microsoft has released an IIS Lockdown tool that disables HTR by default.
  • Microsoft has released a URLScan tool that provides a means of blocking chunked encoding transfer requests by default.

Platforms Affected

Components Affected
Microsoft Internet Information Server 4.0
Microsoft Internet Information Services 5.0

Patch : Microsoft IIS 4.0 Patch Q321599

This patch addresses the HTR Chunked Encoding heap overflow in Microsoft IIS 4.0.

This IIS 4.0 patch can be installed on systems running Windows NT 4.0 Service Pack 6a.

IIS 4.0: A reboot can be avoided by stopping the IIS service, installing the patch with the /z switch, then restarting the service. Knowledge Base article Q319733 provides additional information on this procedure.

To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q321599.

To verify the individual files, consult the file manifest in Knowledge Base article Q321599.

Patch : Microsoft IIS 5.0 Patch Q321599

This patch addresses the HTR Chunked Encoding heap overflow in Microsoft IIS 5.0.

The IIS 5.0 patch can be installed on systems running Windows 2000 Service Pack 1 or Service Pack 2.

To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q321599.

To verify the individual files, use the date/time and version information provided in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q321599\Filelist.

Workaround : Remove Unused Script Mappings from Microsoft IIS

Microsoft IIS is preconfigured to support common filename extensions, such as .asp and .shtm files. When IIS receives a request for a file of one of these types, the request is handled by the DLL mapped to that extension. If you do not need any of these extensions or the functionality behind them, remove the mappings; removing the .htr mapping eliminates the attack surface for this vulnerability:

To remove unused file type mappings:
  1. Open Internet Services Manager.
  2. Right-click the Web server and choose Properties from the context menu.
  3. In Master Properties, select WWW Service and click Edit.
  4. In the Home Directory tab, click Configuration.
  5. Remove the following mappings for functionality that is not needed:

    • Web-based password reset: .htr (the mapping affected by this vulnerability)
    • Internet Database Connector: .idc (all IIS 5 Web sites should use ADO or similar technology)
    • Server-Side Includes: .stm, .shtm and .shtml
    • Internet Printing: .printer
    • Index Server: .htw, .ida and .idq
Source: Microsoft MS02-028
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-028.asp

Source: CVE CAN-2002-0364
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0364

Source: Security Focus.com BID 4855
URL: http://online.securityfocus.com/bid/4855/info/

Copyright © by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.