1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
|
Rule:
--
Sid:
1806
--
Summary:
This event is generated when an attempt is made to exploit a buffer overflow associated with chunked encoding processing of HTR in Internet Information Services (IIS).
--
Impact:
Remote Access. If the exploit is successful, an attacker can gain remote access of the target host.
--
Detailed Information:
A buffer overflow exists with chunked encoding processing associated with HTR in IIS. Chunked encoding allows different sized chunks of data to be passed from the web client to the server. HTR is an older scripting language still supported by IIS. A heap overflow vulnerability exists because of an error in chunked encoding data transfer associated with the Internet Services Application Programming Interface (ISAPI) extension that implements HTR.
--
Affected Systems:
Microsoft IIS 4.0, 5.0
--
Attack Scenarios:
An attacker can craft a chunked encoded request to exploit the heap overflow.
--
Ease of Attack:
Moderate. Microsoft advises that this heap overflow is not as difficult to exploit as others.
--
False Positives:
None Known.
--
False Negatives:
None Known.
--
Corrective Action:
Apply the appropriate patch:
Microsoft IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39579
Microsoft IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39217
Investigate running the IIS Lockdown Tool to disable HTR functionality.
--
Contributors:
Original rule written by Brian Caswell <bmc@sourcefire.com>
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>
--
Additional References:
CVE
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0364
Bugtraq
http://www.securityfocus.com/bid/4855
Microsoft
http://www.microsoft.com/technet/security/bulletin/ms02-028.asp
--
|
