MS02-028: Heap overrun in HTR-chunked encoding might enable web server compromise (321599)



The information in this article applies to:

  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Server 4.0

This article was previously published under Q321599
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

SYMPTOMS

A buffer overrun vulnerability exists in Internet Information Services (IIS) 5.0 and Internet Information Server (IIS) 4.0. By sending a specially-chosen request to an affected Web server, an attacker might either disrupt Web services or gain the ability to run a program on the server. Such a program would run with full-system rights in IIS 4.0, and with fewer (but nevertheless significant) rights in IIS 5.0.

Microsoft recommends that you remove the functionality that contains the vulnerability unless there is a business-critical reason for retaining it, and customers who do so are at no risk from this vulnerability. By default, the IIS Lockdown Tool disables this functionality. Customers who have retained the functionality but deployed the URLScan tool as discussed in Microsoft Security Bulletin MS02-018 are also protected against the vulnerability.

CAUSE

This vulnerability occurs because of an arithmetic error in the ISAPI extension that implements the HTR functionality. Specifically, the error lies in a function that enables data to be uploaded to a Web server through chunked encoding, and it causes IIS to allocate a buffer of the wrong size to hold incoming data, with the result that the data can overrun the end of the buffer.
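
The article does not publish the faulty arithmetic in the HTR ISAPI extension. As an added illustration (not Microsoft's code), the following C decoder shows the defensive pattern for the class of bug described above: the client-declared chunk size is range-checked before any arithmetic is done on it, and the allocation and the copy use the same validated length. MAX_BODY, parse_chunk_size and decode_chunked are hypothetical names, and chunk extensions and trailers are rejected or ignored for brevity.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_BODY ((size_t)1 << 20) /* assumed policy cap on the decoded body */

/* Parse a hex chunk-size line; reject empty, oversized or malformed values. */
static int parse_chunk_size(const char **p, const char *end, size_t *out) {
    size_t n = 0;
    int digits = 0;
    for (; *p < end; ++*p, ++digits) {
        char c = **p;
        unsigned v;
        if (c >= '0' && c <= '9') v = (unsigned)(c - '0');
        else if (c >= 'a' && c <= 'f') v = (unsigned)(c - 'a' + 10);
        else if (c >= 'A' && c <= 'F') v = (unsigned)(c - 'A' + 10);
        else break;
        if (n > (MAX_BODY >> 4)) return -1; /* stop before the shift can wrap */
        n = (n << 4) | v;
    }
    if (digits == 0 || n > MAX_BODY) return -1;
    if (end - *p < 2 || (*p)[0] != '\r' || (*p)[1] != '\n') return -1;
    *p += 2;
    *out = n;
    return 0;
}

/* Decode a complete chunked body. Returns 0 and a malloc'd buffer, or -1. */
int decode_chunked(const char *in, size_t in_len, unsigned char **out, size_t *out_len) {
    const char *p = in, *end = in + in_len;
    unsigned char *buf = NULL, *nb;
    size_t len = 0, n;
    for (;;) {
        if (parse_chunk_size(&p, end, &n) != 0) goto fail;
        if (n == 0) break;                          /* last-chunk */
        if (n > MAX_BODY - len) goto fail;          /* checked len + n */
        if ((size_t)(end - p) < n + 2) goto fail;   /* size must match bytes present */
        if (p[n] != '\r' || p[n + 1] != '\n') goto fail;
        if ((nb = realloc(buf, len + n)) == NULL) goto fail;
        buf = nb;
        memcpy(buf + len, p, n);                    /* copies exactly what was allocated */
        len += n;
        p += n + 2;
    }
    *out = buf;
    *out_len = len;
    return 0;
fail:
    free(buf);
    return -1;
}
```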

RESOLUTION

Internet Information Services 5.0

To resolve this problem, obtain the latest service pack for Windows 2000. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Download Information

The following file is available for download from the Microsoft Download Center:
Release Date: June 12, 2002

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file. You do not have to restart your computer after you apply this update. This update supports the following setup switches:

-?
Display the list of installation switches.

-u
Unattended mode.

-f
Force other programs to quit when the computer shuts down.

-n
Do not back up files for uninstallation.

-o
Overwrite OEM files without prompting.

-z
Do not restart when installation is complete.

-q
Quiet mode (no user interaction).

-l
List installed hotfixes.

-x
Extracts the files without running Setup.

For example, to install the update without any user intervention, and then to not force the computer to restart, use the following command line:

q321599_w2k_sp4_x86_en -u -q -z

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date         Time   Version        Size    File name and path
----------------------------------------------------------------------------
16-May-2002  11:54  5.0.2195.5671  46,352  %Windir%\System32\inetsrv\Ism.dll

Note Because of file dependencies, this update may contain additional files. This update requires Windows 2000 Service Pack 2 (SP2) or Service Pack 1 (SP1).

Internet Information Server 4.0

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate the computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to the computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If the computer is sufficiently at risk, we recommend that you apply this hotfix now.

To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information

The following file is available for download from the Microsoft Download Center:
Release Date: June 12, 2002

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Installation Options

Follow these steps to avoid having to restart your computer:

Note Although you can avoid the need to restart your computer after applying this patch, the computer will not be considered patched and protected until after you restart the computer. Unlike in Windows 2000 (IIS 5), in Windows NT 4.0 (IIS 4), the earlier DLLs are not automatically updated. Only take the steps to avoid a restart if you want to apply more than one patch before restarting; you must always restart the computer after these steps.

  1. Stop all IIS services.
  2. Install the patch with the hotfix by using the /z switch.
  3. Restart the IIS services.

For additional information about the switches that you can use to apply this update, click the article number below to view the article in the Microsoft Knowledge Base:

184305 How to Install and Remove Hotfixes with Hotfix.exe

For example, the following command line installs the update without any user intervention, and then it does not force the computer to restart:

q321599i -q -m -z

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date         Time   Version    Size    File name and path
--------------------------------------------------------------------------
30-Apr-2002  07:34  4.2.776.1  54,560  %Windir%\System32\inetsrv\Ism.dll
Note Because of dependencies, this update may contain additional files. This update requires Windows NT 4.0 Service Pack 6a (SP6a).

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.

Modification Type: Major
Last Reviewed: 11/17/2005
Keywords:kbHotfixServer kbQFE kbbug kbfix KbSECBulletin KbSECHack kbSecurity KbSECVulnerability kbWin2000PreSP3Fix kbWin2000sp3fix KB321599