TechNet Home > TechNet Security > Bulletins

Microsoft Security Bulletin (MS00-018)

Patch Available for "Chunked Encoding Post" Vulnerability

Originally Posted: March 20, 2000

Summary

Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Internet Information Server 4.0. The vulnerability could allow a malicious user to consume all resources on a web server and prevent it from servicing other users.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq00-018.mspx.

Top of section

General Information

Issue

IIS 4.0 supports chunked encoding transfers, but does not limit the size of the buffer that can be reserved. This would allow a malicious user to request an extremely large buffer for a POST or PUT operation, but never actually send data, thereby blocking memory on the server that had been allocated to the session. If sufficient memory on the server were blocked in this fashion, it could prevent the server from performing useful work. There is no capability through this attack to create, modify or delete data on the server, nor is there any capability to usurp administrative control of the server. If the malicious user closed his session, the memory would be released and the server's operation would return to normal. Otherwise, the machine could be put back into normal service by stopping and restarting the service.

Affected Software Versions

•	Microsoft Internet Information Server 4.0

Vulnerability Identifier: CVE-2000-0226

Top of section

Patch Availability

•	X86: http://www.microsoft.com/downloads/details.aspx?FamilyId=6D619D61-44B3-4BEC-856E-A6F8B390370A&displaylang=en
•	Alpha: http://www.microsoft.com/downloads/details.aspx?FamilyId=6994C35D-7B64-4147-B966-43FFBAF7E267&displaylang=en

NOTE: Additional security patches are available at the Microsoft Download Center

Top of section

More Information

Please see the following references for more information related to this issue.

•	Microsoft Security Bulletin MS00-018: Frequently Asked Questions
•	Microsoft Knowledge Base (KB) article 252693, Chunked Encoding Request with No Data Causes IIS Memory Leak.
•	RFC 2616, Hypertext Transfer Protocol - HTTP 1.1
•	Microsoft TechNet Security web site.

Obtaining Support on this Issue

This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support

Acknowledgments

Microsoft thanks Petteri Stenius for reporting this issue to us and working with us to protect customers.

Revisions

•	March 20, 2000: Bulletin Created.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Top of section

Top of page