Microsoft Security Program: Frequently Asked Questions: Microsoft Security Bulletin (MS99-039)

What's this bulletin about?
This bulletin announces the availability of a patch that eliminates two vulnerabilities in Microsoft® Internet Information Server (IIS) 4.0 and Microsoft Commercial Internet System (MCIS) 2.5. The first vulnerability affects only IIS 4.0 and could allow a user to bypass administrator-imposed restrictions on what domains can access the server. The second vulnerability affects both IIS 4.0 and MCIS 2.5, and could allow a user to download files from an FTP site even if the file permissions should not allow it. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerabilities and what they can do about them.

What's the scope of the vulnerabilities?
The vulnerabilities would allow users to access resources on a web server that should be denied to them. The first vulnerability, the so-called Domain Resolution vulnerability, would allow a user to obtain services from the server even if the domain restrictions on the server normally would prohibit it. The second vulnerability, the so-called FTP Download vulnerability, would allow a user to download files via FTP even if the NTFS or directory permissions should not allow it. Neither vulnerability provides an opportunity for a malicious user to usurp control over the server.

What's the Domain Resolution vulnerability?
All versions of IIS have provided the ability for an administrator to bar access to the server from certain IP addresses. In IIS 3.0 and previous versions, this was done by specifying an IP address or a range of prohibited addresses. In IIS 4.0, this feature was extended to allow the restrictions to be specified via domain names rather than IP addresses.
The Domain Resolution vulnerability could allow a user to bypass these restrictions under fairly restrictive circumstances. If a user's domain name cannot be resolved to an IP address (via either a reverse DNS lookup or a NetBIOS lookup), IIS 4.0 will approve their first session request. Subsequent session requests will be denied (this is correct behavior). Note that this vulnerability only occurs if the domain name cannot be resolved. Resolvable domain names are handled correctly, even on the first session request.
The easiest way to understand the vulnerability is to consider a scenario. Suppose the administrator configures IIS to prevent hosts in the example.com domain from using its resources. Now suppose host1.example.com, whose IP address is 10.0.0.1, requests a session from the server. Upon receiving the request, IIS will try to resolve 10.0.0.1 to a domain name. If it resolves 10.0.0.1 to host1.example.com, the server will correctly refuse service to the host.
The problem lies in how IIS handles the case in which it cannot resolve 10.0.0.1. By design, IIS should refuse access in this case. However, the vulnerability causes it to allow access, but only for the first request. If 10.0.0.1 completed its session and then subsequently requested another, IIS would correctly refuse service. This vulnerability occurs on a per-address basis: if a new IP address, 10.0.0.2, requested a session but the address could not be resolved, IIS would grant the first request but refuse all subsequent ones.
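The following Python model is an added example, not Microsoft's code or IIS's actual implementation. It reproduces the per-address, first-request fail-open behaviour the scenario above describes beside the intended fail-closed check; the reverse-lookup table, the `sample_resolver` helper and the suffix-based domain matching are assumptions made for the illustration.

```python
from typing import Callable, Iterable, Optional, Set

# A reverse-lookup callable: returns a host name, or None if the address
# cannot be resolved (the case the bulletin is about).
Resolver = Callable[[str], Optional[str]]


def _in_denied_domain(hostname: str, denied_domains: Set[str]) -> bool:
    """True if hostname is a denied domain or lies inside one (assumed suffix match)."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in denied_domains)


class VulnerableDomainFilter:
    """Behaviour described in the bulletin: an address whose lookup fails is
    admitted on its first session request and refused on every later one."""

    def __init__(self, denied_domains: Iterable[str], resolver: Resolver):
        self.denied = {d.lower() for d in denied_domains}
        self.resolver = resolver
        self.seen_unresolved: Set[str] = set()  # per-address state

    def allow(self, ip: str) -> bool:
        name = self.resolver(ip)
        if name is not None:
            return not _in_denied_domain(name, self.denied)
        # Fail-open defect: first unresolvable request from this address passes.
        first = ip not in self.seen_unresolved
        self.seen_unresolved.add(ip)
        return first


class FixedDomainFilter:
    """Intended behaviour: an address that cannot be resolved is refused."""

    def __init__(self, denied_domains: Iterable[str], resolver: Resolver):
        self.denied = {d.lower() for d in denied_domains}
        self.resolver = resolver

    def allow(self, ip: str) -> bool:
        name = self.resolver(ip)
        if name is None:
            return False  # fail closed: no name, no service
        return not _in_denied_domain(name, self.denied)


# Constructed reverse-DNS table for the bulletin's scenario; 10.0.0.2 has no entry.
SAMPLE_PTR = {"10.0.0.1": "host1.example.com", "192.0.2.10": "client.example.net"}


def sample_resolver(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)
```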

What's the FTP Download vulnerability?
If a user sends a download request to an FTP site via a web browser, the site will honor the request even if the permissions on the file are set to No Access. When exploited via web browser, this vulnerability does not allow any broader exposure; the user can only download inappropriate files, and cannot add, delete or modify files on the server. This vulnerability occurs because of the specific way that web browsers request FTP files, and is present in hotfixes released after Windows NT 4.0 Service Pack 5.
It is possible to create the same vulnerability via a command-line FTP client, but only by deliberately selecting commands for that purpose. If a malicious user exploited this vulnerability via a command-line FTP client, he or she could delete files as well as download them.

What products are affected by the vulnerabilities?

The Domain Resolution vulnerability affects IIS 4.0.

The FTP Download vulnerability was introduced in post-SP5 hotfixes to IIS 4.0 and MCIS 2.5. Specifically, it was introduced in the hotfix discussed in Knowledge Base article 237987. If you have applied this hotfix (version number 0719) or any later one, you could be affected by this vulnerability.

I am running Site Server. Is it affected by these vulnerabilities?
No. IIS 4.0 is the only product affected by the Domain Resolution vulnerability, and only IIS 4.0 and MCIS 2.5 are affected by the FTP Download vulnerability.

I am running Windows NT 4.0 Service Pack 4, so I'm affected by the Domain Resolution vulnerability but not the FTP Download vulnerability. Can I apply the patch?
Yes. Even though the FTP Download vulnerability doesn't exist in Windows NT 4.0 Service Packs 4 or 5, you can still apply the patch atop these service packs.

Will these vulnerabilities be fixed by Windows NT 4.0 Service Pack 6?
No. These vulnerabilities were discovered too late for a fix to be included in SP6. If you apply SP6, you will need to re-apply this patch afterward. The fix for these vulnerabilities will, however, be included in SP7.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.

How can I tell if I installed the patch correctly?
Knowledge Base article 241805 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue?

Microsoft has developed a patch that eliminates the vulnerabilities.

Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerabilities and the patch.

Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.

Microsoft has issued a Knowledge Base article explaining the vulnerabilities and patch in more detail.

Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security. In particular, an IIS Security Checklist is available at http://www.microsoft.com/technet/security/chklist/iischk.mspx.

How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
