COMMAND

    IIS

SYSTEMS AFFECTED

    Internet Information Server 4.0

PROBLEM

    The following is mostly based on the Microsoft Security Bulletin.
    There are two vulnerabilities at issue here:

    - IIS 4.0 provides the ability to restrict access to a web site
      based on the user's domain. However, if IIS cannot resolve a
      user's IP address to a domain, it will grant the user's first
      request for a session. It will correctly deny them thereafter.

    - A user who accesses an FTP site via a browser will be able to
      download files even if they are marked No Access. This
      vulnerability is due to a regression error that was introduced
      in hotfixes released after Windows NT 4.0 Service Pack 5; it
      does not exist in SP5 or in previous versions.

    Neither vulnerability provides a means to usurp control of the
    server. This vulnerability was found by Roberto Franceschetti.

    The vulnerability explanation from the MS FAQ tells us that at some
    point IIS determines that the IP address you came from, not being
    available via in-addr.arpa or NetBIOS lookups, should be blocked.
    It obviously cannot map this to the domain name that has been
    configured to be blocked, so it is doing it on the basis that
    because the address can't be resolved, it must be a bad address?
    This happens only if you have configured it to block *any* domains
    based on name rather than IP address. This means it builds dynamic
    tables (presumably) and stores unresolvable client IP addresses in
    there. This is obviously not being done right away (because you are
    able to get that first session), and is what is preventing
    subsequent sessions from being permitted. Of course a reboot of the
    box would blow this table away, meaning that someone who was
    previously blocked by these means would then be able to get a
    session again.
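
    The behaviour described above as a small Python model (an added
    example, not IIS code or anything from the bulletin): an in-memory
    table of unresolvable addresses grants the first request, denies
    later ones and is lost on restart, while a fail-closed check denies
    from the first request. The class, the fail_closed switch and the
    sample names and addresses are assumptions made for illustration.

```python
# Added illustration: a simplified model of the behaviour described above,
# not IIS code. All names, domains and addresses are constructed.
from typing import Callable, Iterable, List, Optional

# Constructed reverse-DNS data; 203.0.113.5 has no PTR record.
PTR = {"192.0.2.10": "dialup7.blocked.example",
       "198.51.100.7": "www.partner.example"}


class DomainRestriction:
    """Deny clients whose reverse-resolved name is in a denied domain."""

    def __init__(self, denied: Iterable[str], fail_closed: bool,
                 resolve: Callable[[str], Optional[str]] = PTR.get):
        self.denied = [d.lower().strip(".") for d in denied]
        self.fail_closed = fail_closed
        self.resolve = resolve
        self.unresolved = set()  # in memory only, so a restart empties it

    def allow(self, ip: str) -> bool:
        if ip in self.unresolved:      # seen before and could not resolve
            return False
        host = self.resolve(ip)
        if host is None:
            self.unresolved.add(ip)
            # fail_closed=False models the flaw: the decision for the
            # first request is "grant" and only later requests are denied.
            return not self.fail_closed
        host = host.lower().rstrip(".")
        return not any(host == d or host.endswith("." + d)
                       for d in self.denied)


def decisions(fail_closed: bool, ip: str, requests: int = 3) -> List[bool]:
    """Decisions for `requests` hits from `ip`, then one after a restart."""
    acl = DomainRestriction(["blocked.example"], fail_closed)
    seen = [acl.allow(ip) for _ in range(requests)]
    acl = DomainRestriction(["blocked.example"], fail_closed)  # restart
    return seen + [acl.allow(ip)]


if __name__ == "__main__":
    for label, mode in (("described", False), ("fail-closed", True)):
        print(label, decisions(mode, "203.0.113.5"))
```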

    The second is a vulnerability in certain versions of the FTP
    service. The vulnerability would allow someone with a browser to
    gain access to file(s) marked as "No Access". The vulnerability
    was introduced by early versions of the IIS FTPSVC2.DLL fix. MS
    refer you to:

        http://support.microsoft.com/support/kb/articles/q237/9/87.asp

    as the original fix, and say that this version, and subsequent
    ones, may be affected by the vulnerability. This gets a bit
    confusing. The Security Bulletin FAQ says that the original
    version of that fix was v719. The KB article shows the version as
    v718. Pertinent links are:

        http://www.microsoft.com/security/bulletins/MS99-039.asp
        http://www.microsoft.com/security/bulletins/MS99-039faq.asp

SOLUTION

    You can obtain the patch from:

        ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/IIS40/hotfixes-postSP6/security/IPRFTP-fix/

    The FTP vulnerability was introduced in a special Post SP5 hotfix
    (not generally available?), so the occurrence of this problem may
    be relatively low on existing SP5 installations. This "broken"
    post SP5 hotfix was rolled up into SP6, so even if you weren't
    vulnerable before SP6, you will be vulnerable after applying SP6.
    Therefore, it will be important to apply this post SP6 fix
    immediately after applying SP6.