From xforce@iss.net Sun May 14 13:42:59 2000
From: X-Force
Resent-From: mea culpa
To: alert@iss.net
Resent-To: jericho@attrition.org
Date: Thu, 11 May 2000 12:39:55 -0400 (EDT)
Subject: ISSalert: Internet Security Systems Security Advisory: Microsoft IIS Remote Denial of Service Attack

Internet Security Systems Security Advisory
May 11, 2000

Microsoft IIS Remote Denial of Service Attack

Synopsis:

Internet Security Systems (ISS) X-Force has determined that Microsoft Internet Information Server (IIS) is vulnerable to a remote Denial of Service (DoS) attack. IIS is a popular web server application for Windows NT and comprises the majority of Windows NT based web servers. This vulnerability may allow a remote attacker to effectively disable vulnerable versions of IIS.

Impact:

This vulnerability causes a Windows NT system to consume 100% CPU usage. The inetinfo.exe process cannot be stopped, requiring a full reboot of the server.

Affected Versions:

Microsoft IIS version 4.0 is affected. IIS version 5.0 is affected, however the impact is limited.

Description:

Microsoft Internet Information Server is a popular web server that runs exclusively on Windows NT. The vulnerability exists primarily in IIS 4.0 and to a limited extent in 5.0. IIS uses the IISADMPWD virtual directory to give users the ability to change passwords. When IIS is installed, it creates the directory %system32%\inetsrv\iisadmpwd, which contains the .htr files used for web-based password administration. The ability to change passwords is enabled only when the IISADMPWD virtual directory is created.
On vulnerable systems, an attacker can send a malformed request to force inetinfo.exe to utilize 100% of the CPU and adversely affect the ability of IIS to field requests. After the vulnerability has been exploited, the inetinfo.exe process cannot be stopped, requiring a full reboot of the server to regain functionality.

The effect on IIS 5.0 is not as severe. If the vulnerability is exploited against this version of IIS, access to any .htr file on the server fails. CPU utilization does not increase to 100% as it does in version 4.0.

Recommendations:

Microsoft has made patches available for IIS versions 4 and 5. ISS X-Force recommends that these patches be installed immediately.

Internet Information Server 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20905

Internet Information Server 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20903

The ISS X-Force recommends deleting the IISADMPWD virtual directory as follows:

IIS 4.0

1. Start the Microsoft Management Console for IIS: click the Windows Start Menu, select Programs, select Windows NT 4.0 Option Pack, select Microsoft Internet Information Server, then select Internet Service Manager.
2. In the left-hand pane, follow the path below and drill down the tree to the IISADMPWD virtual directory:
   Console Root\Internet Information Server\\Default Web Site\IISADMPWD
3. Right-click the IISADMPWD virtual directory and select Delete from the pop-up menu.

IIS 5.0

1. Start the Microsoft Management Console for IIS: click the Windows Start Menu, select Programs, select Administrative Tools, then select Internet Service Manager.
2. In the left-hand pane, follow the path below and drill down the tree to the IISADMPWD virtual directory:
   Internet Information Server\\Default Web Site\IISADMPWD
3. Right-click the IISADMPWD virtual directory and select Delete from the pop-up menu.
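Until the patch is applied or the virtual directory is removed, an administrator can at least check the IIS W3C extended logs for requests reaching the IISADMPWD .htr files. The following script is an added example and is not part of the advisory or of any ISS or Microsoft tool; the log excerpt, file name example.htr and client addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed IIS W3C extended log excerpt (not taken from the advisory).
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-05-11 12:01:03 10.0.0.5 GET /default.htm - 200
2000-05-11 12:01:09 10.0.0.5 GET /iisadmpwd/example.htr - 200
2000-05-11 12:01:10 192.0.2.7 GET /IISADMPWD/EXAMPLE.HTR - 500
2000-05-11 12:01:11 192.0.2.7 GET /scripts/tool.htr - 200
2000-05-11 12:01:12 10.0.0.8 GET /images/logo.gif - 200
"""

# IIS serves paths case-insensitively, so both patterns ignore case.
IISADMPWD_RE = re.compile(r"^/iisadmpwd/", re.IGNORECASE)
HTR_RE = re.compile(r"\.htr$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                    # other directives / blank lines
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue                    # cannot map this line onto the declared columns
        yield dict(zip(fields, parts))


def find_htr_requests(text):
    """Return every .htr request as (client, method, uri, status, under_iisadmpwd)."""
    hits = []
    for rec in parse_w3c(text):
        uri = rec.get("cs-uri-stem", "")
        if HTR_RE.search(uri):
            hits.append((rec["c-ip"], rec["cs-method"], uri, rec["sc-status"],
                         bool(IISADMPWD_RE.match(uri))))
    return hits


def clients_touching_iisadmpwd(text):
    """Count requests into the IISADMPWD virtual directory per client address."""
    return Counter(h[0] for h in find_htr_requests(text) if h[4])


if __name__ == "__main__":
    for hit in find_htr_requests(SAMPLE_LOG):
        print(hit)
    print(clients_touching_iisadmpwd(SAMPLE_LOG))
```

Any hit under /iisadmpwd/ on a server where web-based password changing is not intentionally offered is worth investigating, and a 500 status on such a request on IIS 5.0 matches the failure mode the advisory describes.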
The ISS X-Force has updated the ISS SAFEsuite security assessment software, Internet Scanner, to detect this vulnerability in X-Press Update 3.6.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2000-0304 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Credits:

This vulnerability was discovered by Steven Maks of ISS and researched by Dan Ingevaldson of ISS X-Force. Internet Security Systems would like to thank Microsoft for their response and handling of this vulnerability.

______

About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security management solutions for the Internet. By providing industry-leading SAFEsuite security software, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to its customers, protecting digital assets and ensuring safe and uninterrupted e-business. ISS' security management solutions protect more than 5,500 customers worldwide including 21 of the 25 largest U.S. commercial banks, 10 of the largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.