From researchteam5@esecurityonline.com Fri May 3 03:39:13 2002 From: researchteam5@esecurityonline.com To: vulnwatch@vulnwatch.org, bugtraq@securityfocus.com Cc: ken.williams@ey.com Date: Mon, 29 Apr 2002 15:05:58 -0500 Subject: [VulnWatch] eSecurityOnline Security Advisory 3401 - Microsoft Internet Infor mation Server / Exchange 2000 invalid request denial of service vulnerabi lity eSO Security Advisory: 3401 Discovery Date: March 1, 2001 ID: eSO:3401 Title: Microsoft Internet Information Server / Exchange 2000 invalid request denial of service vulnerability Impact: Remote attackers can cause a denial of service condition Affected Technology: Microsoft IIS 5 Microsoft Exchange 2000 Microsoft Windows 2000 Server Microsoft Windows 2000 Server SP1 Microsoft Windows 2000 Advanced Server Microsoft Windows 2000 Advanced Server SP1 Vendor Status: Patches are available (MS01-014) Discovered By: Kevin Kotas of the eSecurityOnline Research and Development Team CVE Reference: CAN-2001-0146 Advisory Location: http://www.eSecurityOnline.com/advisories/eSO3401.asp Description: Microsoft Internet Information Server and Exchange 2000 are vulnerable to a flaw that allows a remote attacker to cause a denial of service condition. The problem is due to a component incorrectly handling requests of excessive length. An attacker can continuously make a request that will cause the inetinfo process to repeatedly crash, which in turn will cause IIS, FTP, NNTP, and other services to become temporarily unavailable. Technical Recommendation: Install the latest patches from the vendor. Microsoft IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=28155 Microsoft Exchange 2000: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=28369 As a workaround for protecting IIS: With Regedit running, locate the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w3svc\parameters And add if not present: Value Name: MaxClientRequestBuffer Data Type: REG_DWORD Select Decimal from the DWORD Editor dialog box. In the Data text box, type the number of bytes, or characters, for the maximum allowed URL request length. The length is site-specific, but generally 10000 should suffice and keep site functionality. Finally, restart IIS. Thoroughly test after applying this workaround. Windows 2000 Service Pack 2 also addresses the vulnerability. Windows 2000 Service Pack 2 can be downloaded from: http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/ Vendor Advisory: MS01-014 Acknowledgements: eSecurityOnline would like to thank Microsoft security for their cooperation in resolving the issue. Copyright 2002 eSecurityOnline LLC. All rights reserved. THE INFORMATION IN THIS VULNERABILITY ALERT IS PROVIDED BY ESECURITYONLINE LLC "AS IS", "WHERE IS", WITH NO WARRANTY OF ANY KIND, AND ESECURITYONLINE LLC HEREBY DISCLAIMS THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ESECURITYONLINE LLC SHALL HAVE NO LIABILITY FOR ANY DAMAGE, CLAIM OR LOSS RESULTING FROM YOUR USE OF THE INFORMATION CONTAINED IN THIS VULNERABILITY ALERT.