COMMAND

    IIS

SYSTEMS AFFECTED

    IIS 4.0, 5.0

PROBLEM

    The following is based on Georgi Guninski's security advisory #19.
    That advisory describes two vulnerabilities, which Georgi decided to
    publish together.

    Affected is IIS 5.0 on Windows 2000.  It is exploited with a browser
    (IE, NS), but the problem is in the web server.  For the
    /_vti_bin/shtml.dll vulnerability, FrontPage Server Extensions must
    be installed; FrontPage Service Release 1.2 fixes that bug.

    Using specially designed URLs, IIS 5.0 may return user-specified
    content to the browser.  This poses a great security risk,
    especially if the browser is JavaScript enabled, and the problem is
    greater in IE.  By clicking on links or just visiting hostile web
    pages, the target IIS server may return user-defined malicious
    active content.  This is a bug in IIS 5.0, but it affects end users
    and is exploited with a browser.

    Issues:
    1) .shtml files - specially designed URLs involving .shtml files
       may return hostile content
    2) /_vti_bin/shtml.dll - specially designed URLs may return
       hostile content (this issue is already fixed by Microsoft)

    Both issues take advantage of an unescaped error message returned
    by IIS or the FrontPage Extensions: the requested path is echoed
    back into the error page without HTML escaping.

    1) The following URL:

        http://iis5server/<SCRIPT>alert('document.domain='+document.domain)</SCRIPT>.shtml

       executes, in the browser, JavaScript provided by "iis5server"
       but defined by a (malicious) user.  The URL may be used in a
       link or in a script.

    2) The following URL:

        http://iis5server/_vti_bin/shtml.dll/<SCRIPT>alert('document.domain='+document.domain)</SCRIPT>

       executes, in the browser, JavaScript provided by "iis5server"
       but defined by a (malicious) user.  The URL may be used in a
       link or in a script.
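    As an added defender-side illustration (not code from the advisory
    or from Microsoft), the following shows the root cause, a requested
    path echoed raw into an error page, next to the escaped form, and a
    small scan over constructed IIS-style log lines for the two request
    shapes described above.  The error message text and the log layout
    are assumptions, not the real IIS output.

```python
import html
import re
from urllib.parse import unquote

# Added defender-side illustration, not code from the advisory:
# the root cause (a raw path echoed into an error page) next to
# the escaped form, plus a scan of constructed IIS-style log lines
# for the two request shapes the advisory describes.

def error_page_unescaped(path):
    """Mimics the flaw: the requested path is echoed raw into HTML."""
    return "<html><body>Cannot find file: " + path + "</body></html>"

def error_page_escaped(path):
    """Hardened form: HTML-escape the path before echoing it."""
    return "<html><body>Cannot find file: " + html.escape(path, quote=True) + "</body></html>"

SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)          # any injected script tag
ISSUE1 = re.compile(r"\.shtml$", re.IGNORECASE)                # .../<payload>.shtml
ISSUE2 = re.compile(r"^/_vti_bin/shtml\.dll/", re.IGNORECASE)  # shtml.dll/<payload>

def classify_request(raw_path):
    """Return 'issue1', 'issue2' or None for a logged uri-stem."""
    path = unquote(raw_path)          # IIS logs %-encoded angle brackets
    if not SCRIPT_TAG.search(path):
        return None
    if ISSUE2.match(path):
        return "issue2"
    if ISSUE1.search(path):
        return "issue1"
    return None

# Constructed W3C-style log lines: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2000-08-01 12:00:01 10.0.0.5 GET /default.htm 200
2000-08-01 12:00:02 10.0.0.5 GET /%3CSCRIPT%3Ealert(1)%3C/SCRIPT%3E.shtml 404
2000-08-01 12:00:03 10.0.0.7 GET /_vti_bin/shtml.dll/%3Cscript%3Ex%3C/script%3E 200
2000-08-01 12:00:04 10.0.0.9 GET /news.shtml 200
"""

def scan_log(text):
    """Return (client-ip, issue) pairs for lines matching either issue."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5:
            issue = classify_request(fields[4])
            if issue:
                hits.append((fields[2], issue))
    return hits
```

    Note that a plain .html request carrying a script tag is not
    flagged, since only the .shtml and shtml.dll paths are what the
    advisory describes as echoing the path back unescaped.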

    The cross-site scripting issue has been known for a long time; it
    received great publicity in February 2000.  For information on the
    general problem, see the following documents:

        http://www.cert.org/advisories/CA-2000-02.html
        http://microsoft.com/technet/security/CSOverv.asp
        http://oliver.efri.hr/~crv/security/bugs/mUNIXes/css.html

    Some malicious things that can be done with this vulnerability on
    web sites running IIS, assuming JavaScript is enabled in the
    browser:

        1) Reading documents on web servers inside a firewall (on the
           intranet).
        2) Stealing cookies - great danger.
        3) For IE: if the user has put a web site in the "Trusted
           sites" zone, other browser attacks may be launched.
        4) Others.

    At the time of writing, www.microsoft.com is vulnerable to issue 1.
    A demonstration is available at the following URL (note: MS shall
    fix this very soon and the demo shall then stop working):

        http://www.nat.bg/~joro/iisshtml.html

SOLUTION

    Issue 2 is fixed by Microsoft with FrontPage Server Extensions
    Service Release 1.2, available for download from
    http://msdn.microsoft.com.

    Patch availability for the 1st issue:

        - Internet Information Server 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24000
        - Internet Information Server 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23999