Date: Mon, 21 Dec 1998 15:56:44 -0600 From: Rattle Reply-To: Bugtraq List To: BUGTRAQ@netspace.org Subject: Microsoft Security Bulletin (MS98-019) (fwd) Another IIS DoS attack? Of course! ... . Nick Levay . rattle@tlorah.net . "There are two major products that come out of Berkeley: LSD and UNIX. . We do not believe this to be a coincidence." >The following is a Security Bulletin from the Microsoft Product Security >Notification Service. > >Please do not reply to this message, as it was sent from an unattended >mailbox. > ******************************** > >Microsoft Security Bulletin (MS98-019) >-------------------------------------- > >Patch Available for IIS "GET" Vulnerability > >Originally Posted: December 21, 1998 > >Summary >======= >Microsoft has released a patch that fixes a vulnerability in Microsoft(r) >Internet Information Server(r) that could allow denial-of-service attacks >to be mounted against web servers. > >There have been no reports of customers being affected by this >vulnerability. However, Microsoft is publishing this bulletin and releasing >the patch to allow customers to address the potential security risk it >poses. As detailed below in What Customers Should Do, Microsoft recommends >that users evaluate whether they are at risk from this attack and install >the patch if appropriate. > >Issue >===== >This vulnerability involves the HTTP GET method, which is used to obtain >information from an IIS web server. Specially-malformed GET requests can >create a denial of service situation that consumes all server resources, >causing a server to "hang." In some cases, the server can be put back into >service by stopping and restarting IIS; in others, the server may need to be >rebooted. This situation cannot happen accidentally. The malformed GET >requests must be deliberately constructed and sent to the server. It is >important to note that this vulnerability does not allow data on the server >to be compromised, nor does it allow any privileges on it to be usurped. > >Affected Software Versions >========================== > - Microsoft Internet Information Server, versions 3.0 and 4.0, on x86 and >Alpha platforms. > >What Microsoft is Doing >======================= >On December 21, Microsoft released a patch that fixes the problem. This >patch is available for download from the sites listed below. Please see >What Customers Should Do for additional information on the patch. > >Microsoft has sent this security bulletin to customers subscribing >to the Microsoft Product Security Notification Service (see >http://www.microsoft.com/security/services/bulletin.asp for >more information about this free customer service). > >Microsoft has published the following Knowledge Base (KB) article on this >issue: > - Microsoft Knowledge Base (KB) article Q192296, > IIS: Patch Available for IIS "GET" Vulnerability, > http://support.microsoft.com/support/kb/articles/q192/2/96.asp. > (Note: It might take 24 hours from the original posting of this > bulletin for the updated KB article to be visible in the Web-based > Knowledge Base.) > >Microsoft has released the following hot fixes: > - Fix for IIS 3.0 on X86 platforms: > ftp://ftp.microsoft.com/bussys/iis/iis-public > /fixes/usa/security/Infget-fix/infget3i.exe > - Fix for IIS 4.0 on X86 platforms: > ftp://ftp.microsoft.com/bussys/iis/iis-public > /fixes/usa/security/Infget-fix/infget4i.exe > - Fix for IIS 3.0 on Alpha platforms: > ftp://ftp.microsoft.com/bussys/iis/iis-public > /fixes/usa/security/Infget-fix/infget3a.exe > - Fix for IIS 4.0 on Alpha platforms: > ftp://ftp.microsoft.com/bussys/iis/iis-public > /fixes/usa/security/Infget-fix/infget4a.exe >(Note: the URLs above have been wrapped for readability) > >What Customers Should Do >======================== >The patch for this vulnerability is fully supported. However, it has not >been fully regression tested and should only be applied to systems >determined to be at risk of attack. A fully regression-tested version of >the patch will be available as part of the next Windows NT service pack. > >Microsoft recommends that customers evaluate the degree of risk that this >vulnerability poses to their systems, based on physical accessibility, >network and Internet connectivity, and other factors, and determine whether >the appropriate course of action is to apply the patch or wait for the next >service pack. > >More Information >================ >Please see the following references for more information related to this >issue. > - Microsoft Security Bulletin 98-019, > Patch Available for IIS "GET" Vulnerability > (the Web-posted version of this bulletin), > http://www.microsoft.com/security/bulletins/ms98-019.asp. > - Microsoft Knowledge Base (KB) article Q192296, > IIS: Patch Available for IIS "GET" Vulnerability, > http://support.microsoft.com/support/kb/articles/q192/2/96.asp. > (Note: It might take 24 hours from the original posting of this > bulletin for the updated KB article to be visible in the Web-based > Knowledge Base.) > >Obtaining Support on this Issue >=============================== >This is a supported patch. If you have problems installing >this patch or require technical assistance with this patch, >please contact Microsoft Technical Support. For information >on contacting Microsoft Technical Support, please see >http://support.microsoft.com/support/contact/default.asp. > >Acknowledgements >================ >Microsoft wishes to acknowledge the contribution made by >Brian Steele of Cable and Wireless Grenada, Ltd. (www.candw.com), >and Eugene Kalinin of the N. N.Burdenko Neurosurgery Institute, >who reported the problem to us. > >Revisions >========= > - December 21, 1998: Bulletin Created > > >For additional security-related information about Microsoft products, >please visit http://www.microsoft.com/security > > >--------------------------------------------------------------------------- > >THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" >WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER >EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS >FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS >SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, >INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, >EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE >POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR >LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE >FOREGOING LIMITATION MAY NOT APPLY. > >(c) 1998 Microsoft Corporation. All rights reserved. Terms of Use. > > ******************************************************************* >You have received this e-mail bulletin as a result of your registration >to the Microsoft Product Security Notification Service. You may >unsubscribe from this e-mail notification service at any time by sending >an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM >The subject line and message body are not used in processing the request, >and can be anything you like. > >For more information on the Microsoft Security Notification Service >please visit http://www.microsoft.com/security/bulletin.htm. For >security-related information about Microsoft products, please visit the >Microsoft Security Advisor web site at http://www.microsoft.com/security.