COMMAND

    IIS

SYSTEMS AFFECTED

    Microsoft Internet Information Server 4.0

PROBLEM

    The following is based on a Microsoft Security Bulletin; the issue
    was found by Petteri Stenius. IIS 4.0 supports chunked encoding
    transfers, but does not limit the size of the buffer that can be
    reserved. This would allow a malicious user to request an extremely
    large buffer for a POST or PUT operation, but never actually send
    data, thereby blocking memory on the server that had been allocated
    to the session. If sufficient memory on the server were blocked in
    this fashion, it could prevent the server from performing useful
    work. There is no capability through this attack to create, modify
    or delete data on the server, nor is there any capability to usurp
    administrative control of the server. If the malicious user closed
    his session, the memory would be released and the server's operation
    would return to normal. Otherwise, the machine could be put back into
    normal service by stopping and restarting the service.
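
    As an added illustration of the mitigation (not code from the Microsoft
    bulletin or from IIS), the following Python decoder reads a chunked body
    without reserving the client-declared size; the caps, read unit and sample
    bodies are hypothetical values constructed for the example.

```python
import io

MAX_CHUNK_SIZE = 64 * 1024   # hypothetical per-chunk cap
MAX_BODY_SIZE = 1024 * 1024  # hypothetical total-body cap
READ_UNIT = 4096             # read in small pieces, never the declared size

class ChunkedBodyError(ValueError):
    """Raised when the client's chunk framing violates a limit."""

def parse_chunk_size(line):
    field = line.split(b";", 1)[0].strip()   # b'1a;ext=val\r\n' -> 26
    if not field:
        raise ChunkedBodyError("empty or missing chunk-size line")
    return int(field, 16)

def read_chunked_body(stream):
    """Decode a chunked body without reserving the declared size up front.
    Limits are checked before any chunk data is read, so a silent client
    that declared a huge chunk cost the server only the bytes it sent."""
    body = bytearray()
    while True:
        size = parse_chunk_size(stream.readline())
        if size > MAX_CHUNK_SIZE:
            raise ChunkedBodyError("chunk of %d bytes exceeds cap" % size)
        if len(body) + size > MAX_BODY_SIZE:
            raise ChunkedBodyError("body would exceed total cap")
        if size == 0:
            stream.readline()          # CRLF that terminates the body
            return bytes(body)
        remaining = size
        while remaining:               # grow only as data really arrives
            piece = stream.read(min(READ_UNIT, remaining))
            if not piece:
                raise ChunkedBodyError("connection closed mid-chunk")
            body += piece
            remaining -= len(piece)
        if stream.readline() != b"\r\n":
            raise ChunkedBodyError("missing CRLF after chunk data")

# Constructed samples: a valid body, and one declaring ~2 GiB then sending nothing.
GOOD_BODY = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
HUGE_DECLARED = b"7fffffff\r\n"
def demo():
    ok = read_chunked_body(io.BytesIO(GOOD_BODY))
    try:
        read_chunked_body(io.BytesIO(HUGE_DECLARED))
        rejected = False
    except ChunkedBodyError:
        rejected = True
    return ok, rejected
```

    The vulnerable pattern the bulletin describes is the opposite: allocating
    a buffer of the declared size before any body bytes arrive.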

SOLUTION

    Patch availability:

        - X86: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19761
        - Alpha: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19762