
Vulnerability:Win/IIS.ISAPI.RCE!CAN-2002-0150

Severity rating
Critical

Class/Type
Vulnerability

Discovered date
2002-04-10T00:00:00

Attack vector
Remote

Authentication required
No

Public exploits available
No

Signature detection
Medium



Description

A buffer overrun exists in IIS when it processes HTTP header information in certain cases. IIS performs a safety check before parsing the fields in HTTP headers to ensure that the expected delimiter fields are present and in reasonable places, but it is possible to spoof this check and convince IIS that the delimiters are present even when they are not.



Impact

An attacker could overwrite program code on the server with new program code, in essence modifying the functionality of the server software.



Technical details (analysis)

An ISAPI filter is an API extension for the HTTP server. When IIS receives an HTTP request, it performs some checks on the HTTP headers. By specially crafting a header, it is possible to make IIS conclude that the delimiting characters are present when in fact they are not. The vulnerability results from an error that occurs when Active Server Pages parse HTTP header information: an initial check is performed, with the goal of ensuring that the required delimiters are present in the information and in reasonable locations, before the information is moved into a buffer for processing. However, the check can be spoofed, and the result is a buffer overrun.
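The general bug class the advisory describes is a header pre-check that confirms delimiters are present without relating their positions to the size of the buffer the field is later copied into. The following C sketch is an added illustration of that class and is not IIS code, nor a claim about how the IIS or ASP parser is actually implemented. `FIELD_MAX`, the function names and the sample header lines are all constructed for this example. The naive path only reports how many bytes it would copy rather than performing the copy, so the program stays memory-safe; the hardened parser binds the delimiter check to the destination size and refuses the line instead of overrunning.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size destination for a header value (not an IIS constant). */
#define FIELD_MAX 64

/* Naive pre-check: only confirms that the expected delimiters (':' and "\r\n")
 * are present and in a plausible order. It says nothing about how much data
 * sits between them, so a line that satisfies it can still be far longer than
 * the FIELD_MAX buffer the value is copied into afterwards. */
static bool naive_delimiter_check(const char *line)
{
    const char *colon = strchr(line, ':');
    const char *eol = strstr(line, "\r\n");
    return colon != NULL && eol != NULL && colon < eol;
}

/* Number of bytes the naive code would copy into its FIELD_MAX buffer once the
 * check passes. Computed, not performed, so the example cannot overrun. */
static size_t naive_copy_length(const char *line)
{
    const char *colon = strchr(line, ':');
    const char *eol = strstr(line, "\r\n");
    if (colon == NULL || eol == NULL || colon >= eol)
        return 0;
    return (size_t)(eol - (colon + 1));
}

/* Hardened parser: the delimiter check and the bounds check are one step.
 * Returns 0 on success, -1 if the line is malformed, -2 if the value would
 * not fit in out. On any failure nothing is written to out. */
static int parse_header_value(const char *line, char *out, size_t out_size)
{
    const char *colon = strchr(line, ':');
    const char *eol = strstr(line, "\r\n");
    if (colon == NULL || eol == NULL || colon >= eol)
        return -1;
    const char *value = colon + 1;
    while (value < eol && *value == ' ')   /* skip optional leading whitespace */
        value++;
    size_t len = (size_t)(eol - value);
    if (len + 1 > out_size)                 /* leave room for the terminator */
        return -2;
    memcpy(out, value, len);
    out[len] = '\0';
    return 0;
}

/* Constructed sample lines (not captured traffic). */
static const char sample_ok[] = "Host: example.test\r\n";
static char sample_long[600];

/* Builds a header line whose delimiters are all present but whose value is
 * far longer than FIELD_MAX, and returns it. */
static const char *build_long_sample(void)
{
    size_t n = 6;
    memcpy(sample_long, "Host: ", n);
    memset(sample_long + n, 'A', 500);
    n += 500;
    memcpy(sample_long + n, "\r\n", 3);    /* copies the terminating NUL too */
    return sample_long;
}

int main(void)
{
    char buf[FIELD_MAX];
    const char *lng = build_long_sample();

    printf("naive check on long line: %s, would copy %zu bytes into %d\n",
           naive_delimiter_check(lng) ? "passes" : "fails",
           naive_copy_length(lng), FIELD_MAX);
    printf("hardened parser on long line: %d\n",
           parse_header_value(lng, buf, sizeof buf));
    printf("hardened parser on ok line: %d -> '%s'\n",
           parse_header_value(sample_ok, buf, sizeof buf), buf);
    return 0;
}
```

The point to take from the contrast is that a presence check is not a length check: the long constructed line passes `naive_delimiter_check` exactly as the short one does, while `parse_header_value` rejects it before any byte is written.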



Affected software

Microsoft Internet Information Server 4.0
Microsoft Internet Information Services 5.0
Microsoft Internet Information Services 5.1



Non-affected software

All IIS versions not on the affected list.



References




Solutions




NIS signature

Name: Vulnerability:Win/IIS.ISAPI.RCE!CAN-2002-0150
Release Date: 2002-04-10T00:00:00



Known false positives

No known false positives at this time.



Work-arounds

The vulnerability requires that Active Server Pages (ASP) be enabled on the system in order to be exploited. Version 1.0 of the IIS Lockdown Tool removes ASP by default, and the current version (version 2.1) removes it by default if Static Web Server has been selected.
The URLScan tool's default ruleset would likely limit an attacker to using this vulnerability for denial of service attacks only.