COMMAND

    IIS ISM.DLL

SYSTEMS AFFECTED

    Windows NT running IIS

PROBLEM

    Following is based on the Cerberus Information Security Advisory.  The
    Cerberus Security Team has discovered a security flaw in Microsoft's
    Internet Information Server 4 and 5 that allows attackers to obtain
    the contents of files they should not be able to access.  For example,
    text based files (eg .txt, .log and .ini) in the /scripts directory
    are not normally accessible because the virtual directory has only
    script and execute access.  Using this vulnerability it is possible
    to gain access to these files' contents.

    By making a specially formed request to Internet Information Server
    it is possible to obtain the contents of files.  By making a request
    for the name of the file and then appending around 230 or more %20s
    (these represent spaces) and then ".htr", the request tricks Internet
    Information Server into thinking that the client is requesting a
    ".htr" file.  The .htr file extension is mapped to the ISM.DLL ISAPI
    application and IIS redirects all requests for .htr resources to this
    DLL.

    ISM.DLL is then passed the name of the file to open and execute, but
    before doing this ISM.DLL truncates the buffer sent to it, chopping
    off the .htr and a few spaces, and ends up opening the file whose
    source we want.  The contents are then returned.

    This  attack  can  only  be  launched  once though, unless the web
    service is stopped  and restarted. If  a .htr request  has already
    been made to the machine then this attack will fail. It will  only
    work when ISM.DLL is loaded into memory for the first time.
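    As an added example (not part of the advisory), the following Python
    check flags this request pattern in IIS W3C-format log lines so that
    attempts can be spotted in existing logs.  The log lines are
    constructed, and the field layout and the space-run threshold
    (MIN_SPACES) are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample IIS W3C extended log lines (not taken from the advisory).
# Assumed field layout: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-05-10 13:01:02 10.0.0.5 GET /default.htm - 200
2000-05-10 13:01:09 10.0.0.7 GET /scripts/global.asa{pad}.htr - 200
2000-05-10 13:02:15 10.0.0.9 GET /iisadmpwd/achg.htr - 200
""".format(pad="%20" * 230)

# A request is suspicious when the decoded URI stem ends in ".htr" preceded
# by a long run of spaces.  The advisory describes roughly 230 spaces; the
# threshold below is an assumed value, since no legitimate .htr request
# carries dozens of spaces before the extension.
MIN_SPACES = 32
_SPACE_RUN = re.compile(r" {%d,}\.htr$" % MIN_SPACES, re.IGNORECASE)

def parse_line(line):
    """Return the fields we need from one W3C log line, or None for
    directives (#...) and malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    return {"ip": parts[2], "method": parts[3], "stem": parts[4], "status": parts[6]}

def is_htr_padding_request(stem):
    """True if the (URL-encoded) stem decodes to '<file><many spaces>.htr'."""
    return _SPACE_RUN.search(unquote(stem)) is not None

def find_htr_padding_requests(log_text):
    """Return (client ip, requested file) for every matching request.
    The file name is what ISM.DLL would open once the padding and the
    .htr suffix are stripped, so responders know which file was exposed."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_htr_padding_request(rec["stem"]):
            target = unquote(rec["stem"])[:-4].rstrip(" ")
            hits.append((rec["ip"], target))
    return hits
```

    Because the advisory notes the attack only succeeds on the first .htr
    request after ISM.DLL loads, a single hit still deserves a review of
    which file was named in it.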

SOLUTION

    If you don't use the functionality provided by ISM.DLL then it would
    be best to unmap the .htr extension from ISM.DLL using the Internet
    Service Manager MMC snap-in.  Right click on the computer name and
    edit the Master web properties.  If this is not acceptable then a
    patch for this issue can be obtained from Microsoft:

        http://www.microsoft.com/technet/security/bulletin/ms00-031.asp

    Note that MS discovered that the IIS 5.0 patch only eliminated the
    one vulnerability and not the "File Fragment Reading via .HTR"
    vulnerability, so they released a new version of the IIS 5.0 patch.