COMMAND
IIS
SYSTEMS AFFECTED
IIS 4, 5
PROBLEM
The following is based on an Internet Security Systems Security Alert.
ISS X-Force is aware of a serious vulnerability that can be used
to attack all recent versions of Microsoft Internet Information
Server (IIS). A flaw exists in ISAPI Index Server extension
query processing that may lead to Web page defacement and theft
of sensitive or confidential information. In addition, this
vulnerability can be used in conjunction with other exploits to
further compromise affected systems.
Internet Services Application Programming Interface (ISAPI)
extensions allow for additional functionality to be added to IIS.
The ISAPI Index Server extension provides a hook to integrate
Microsoft Index Server with IIS. The vulnerability is introduced
during the IIS installation process, when two Index Server
Dynamic Link Library (DLL) files are installed. Index Server
itself does not need to be installed for attackers to exploit
this vulnerability because these DLL files are mapped by IIS
default installations.
When a vulnerable IIS installation receives an Index Server ISAPI
query, IIS parses the query to determine which extension
corresponds to the request. Once the query is mapped to the
correct extension, the body of the request is parsed. The
vulnerability is caused by a lack of bounds checking on the
length of the Index Server ISAPI request. Two potential attack
scenarios exist. A Denial of Service (DoS) attack can be launched
against IIS by sending a very long string to the Index Server
ISAPI extension. Additionally, an attacker may use an advanced
exploit to send a specially-crafted long request to execute
arbitrary code on the vulnerable system. The Index Server ISAPI
extension runs under the "System" security context. Any
successful attack will run under this context and may lead to
unrestricted access to the target machine and its contents.
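
Added example, not part of the ISS alert or of any Microsoft code: a detection check that parses IIS W3C extended logs and flags over-long queries sent to the Index Server ISAPI extension. It assumes the `.ida` and `.idq` script mappings described in MS01-033 (the alert above does not name them), an arbitrary 200-character threshold, and a constructed sample log.

```python
# Added example: flag oversized Index Server ISAPI requests in IIS W3C logs.
from urllib.parse import unquote

# Assumption: .ida/.idq are the script mappings served by the Index Server
# ISAPI extension (per MS01-033); the alert above does not name them.
INDEX_SERVER_EXTS = (".ida", ".idq")
# Assumption: tune to the longest legitimate query your site issues.
MAX_QUERY_LEN = 200

def parse_w3c(lines):
    """Yield one dict per request, using the log's own #Fields: header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def suspicious_requests(lines, max_len=MAX_QUERY_LEN):
    """Return (client IP, stem, query length) for over-long Index Server queries."""
    hits = []
    for rec in parse_w3c(lines):
        stem = unquote(rec.get("cs-uri-stem", "")).lower()
        query = rec.get("cs-uri-query", "-")
        if query == "-":  # W3C logs write "-" for an empty field
            query = ""
        if stem.endswith(INDEX_SERVER_EXTS) and len(query) > max_len:
            hits.append((rec.get("c-ip", "?"), stem, len(query)))
    return hits

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-06-19 10:00:01 192.0.2.10 GET /index.html - 200",
    "2001-06-19 10:00:05 192.0.2.11 GET /search/query.idq CiScope=/&q=test 200",
    "2001-06-19 10:00:09 198.51.100.7 GET /default.ida " + "A" * 300 + " 500",
    "2001-06-19 10:00:12 198.51.100.7 GET /Scripts/X.IDQ " + "B" * 250 + " 500",
    "2001-06-19 10:00:15 192.0.2.12 GET /docs/long.asp " + "C" * 400 + " 200",
]

if __name__ == "__main__":
    for ip, stem, qlen in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {stem} query_length={qlen}")
```

A request that crashes the service may never be written to the log, so an empty result does not show that no attempt was made.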
SOLUTION
Detailed exploit information has been released, and ISS X-Force
urges all administrators to download and apply the following
patches made available by Microsoft.
For Microsoft Windows NT version 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
For Microsoft Windows 2000 Professional, Server and Advanced
Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800
Patches for Windows 2000 Datacenter Server are hardware-specific
and available from the original equipment manufacturer.
For more information on this vulnerability please refer to the
Microsoft Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp