COMMAND

    IIS

SYSTEMS AFFECTED

    IIS 4, 5

PROBLEM

    Following is based on Internet Security Systems Security Advisory.
    Internet  Security  Systems  (ISS)  X-Force  has  determined  that
    Microsoft Internet  Information Server  (IIS) is  vulnerable to  a
    remote  Denial  of  Service  (DoS)  attack.   IIS is a popular web
    server application for Windows  NT, and comprises the  majority of
    Windows NT  based web  servers.   This vulnerability  may allow  a
    remote  attacker  to  effectively  disable  vulnerable versions of
    IIS.

    This vulnerability causes a Windows NT system to consume 100%  CPU
    usage. The  inetinfo.exe process  cannot be  stopped, requiring  a
    full reboot of the server.  Microsoft IIS version 4.0 is affected.
    IIS version 5.0 is affected, however the impact is limited.

    Microsoft Internet Information Server is a popular web server that
    runs exclusively on Windows NT. The vulnerability exists primarily
    in IIS  4.0 and  to a  limited extent  in 5.0.  IIS uses IISADMPWD
    virtual directory to give  users the ability to  change passwords.
    When   IIS    is    installed,   it    creates    the    directory
    %system32%\inetsrv\iisadmpwd  that  contains  .htr  files used for
    web-based password administration. Only when the virtual directory
    IISADMPWD is created does  the ability to change  passwords become
    enabled.  On vulnerable systems, an attacker can send a  malformed
    request  to  force  inetinfo.exe  to  utilize  100% of the CPU and
    adversely affect the ability of IIS to field requests.  After  the
    vulnerability has been exploited, the inetinfo.exe process  cannot
    be  stopped,  requiring  a  full  reboot  of  the server to regain
    functionality.  The effect  on IIS 5.0 is  not as severe.   If the
    vulnerability is exploited against this version of IIS, access  to
    any  .htr  file  on  the  server  fails.  CPU utilization does not
    increase to 100% as it does in version 4.0.

    This  vulnerability  was  discovered  by  Steven  Maks  of ISS and
    researched by Dan Ingevaldson of ISS X-Force.

SOLUTION

    Microsoft has made patches available for IIS versions 4 and 5:

        IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20905
        IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20903

    The  ISS  X-Force  recommends   deleting  the  IISADMPWD   virtual
    directory as follows:

      IIS 4.0
        - Start the Microsoft Management Console for IIS.
        - Click the Windows Start Menu.
        - Select Programs.
        - Select Windows NT 4.0 Option Pack.
        - Select Microsoft Internet Information Server.
        - Select Internet Service Manager.

    In the left-hand  pane, follow the  path below and  drill down the
    tree to the IISADMPWD virtual directory:

        Console Root\Internet Information Server\<Computer Name>\Default Web Site\IISADMPWD

    Right-click  the  IISADMPWD  virtual  directory  and select Delete
    from the pop-up menu item.

      IIS 5.0
        - Start the Microsoft Management Console for IIS.
        - Click the Windows Start Menu.
        - Select Programs.
        - Select Administrative Tools.
        - Select Internet Service Manager.

    In the left-hand  pane, follow the  path below and  drill down the
    tree to the IISADMPWD virtual directory:

        Internet Information Server\<Computer Name>\Default Web Site\IISADMPWD

    Right-click the IISADMPWD virtual directory and select Delete from
    the pop-up menu item.