Ten vulnerabilities have been found in Microsoft IIS systems. The vulnerabilities affect IIS 4.0, 5.0, 5.1 and the beta version of .NET prior to Build 3605. Microsoft has released cumulative patches.
The first vulnerability is a buffer overflow that may allow code to be run on the server or cause the IIS services to fail. The buffer overflow occurs in the operation of the chunked encoding transfer mechanism through Active Server Pages (ASP) in IIS 4.0 and 5.0.
The second vulnerability affects IIS 4.0, 5.0 and 5.1. It is a buffer overflow that can be exploited in a similar manner to the first vulnerability, with similar impact. The only difference from the first vulnerability is its location within the ASP data transfer mechanism.
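In chunked transfer encoding the client declares the size of each chunk, so a decoder has to check that size against both the bytes actually received and the space left in its destination buffer before copying. The following is an added example of those checks, not code from this advisory or from IIS, and the advisory does not state which check IIS lacked; the function names, the 7-digit size limit and the rejection of chunk extensions and trailers are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Return the value of a hex digit, or -1 if c is not one. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* True if a CRLF sits at in[pos]; pos never exceeds in_len here. */
static int crlf_at(const char *in, size_t in_len, size_t pos)
{
    return in_len - pos >= 2 && in[pos] == '\r' && in[pos + 1] == '\n';
}

/* Decode a chunked body in[0..in_len) into out[0..out_cap).
 * Returns 0 and sets *out_len on success; -1 if the body is malformed,
 * truncated, or larger than out. Chunk extensions and trailers are
 * rejected to keep the example short (an assumption of this example). */
int decode_chunked(const char *in, size_t in_len,
                   char *out, size_t out_cap, size_t *out_len)
{
    size_t pos = 0, written = 0;

    for (;;) {
        size_t size = 0;
        int digits = 0, v;

        /* Chunk size line: 1 to 7 hex digits, so size cannot wrap. */
        while (pos < in_len && (v = hexval(in[pos])) >= 0) {
            if (++digits > 7) return -1;
            size = (size << 4) | (size_t)v;
            pos++;
        }
        if (digits == 0 || !crlf_at(in, in_len, pos)) return -1;
        pos += 2;

        /* The declared size comes from the client: check it against the
         * bytes actually received and the space left in out before copying. */
        if (size > in_len - pos || size > out_cap - written) return -1;
        memcpy(out + written, in + pos, size);
        written += size;
        pos += size;

        if (!crlf_at(in, in_len, pos)) return -1;
        pos += 2;
        if (size == 0) { *out_len = written; return 0; }
    }
}
```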
The third vulnerability is a buffer overflow in the processing of HTTP header information. An attacker can spoof the check IIS performs for proper placement of headers and delimiter fields, tricking IIS into believing that the check has been performed and all delimiter fields are present. This allows the attacker to create a URL with a header field whose values overflow a buffer.
The fourth vulnerability is a buffer overflow in a safety check performed upon user-supplied files. By creating an overly long file name, an attacker may be able to pass the security check and overflow the include request's static buffer. This vulnerability may allow the attacker to disrupt service or change the operations of the server.
The fifth vulnerability is a buffer overflow in the HTR ISAPI extension in IIS 4.0, 5.0 and 5.1. An attacker may be able to cause the IIS service to fail or execute code on the server by sending specially malformed HTR requests.
The sixth vulnerability lies within the handling of error messages sent from an ISAPI filter. The ISAPI filter replaces an invalid or overly long URL with a null character, which IIS then processes. When attempting to process the null character as a URL, IIS triggers an access violation and its services fail.
The seventh vulnerability lies within the improper handling of an error message created by the FTP services. An attacker is able to establish an FTP session and then request the status of the current FTP session in a way that creates a specific error code. This error is incorrectly reported, which allows other code to attempt to use uninitialized data. The result is an access violation, which causes FTP and web services to fail.
The remaining three vulnerabilities are cross-site scripting vulnerabilities. An attacker can create an HTML e-mail or web page containing a malicious hyperlink. Once the user follows the hyperlink, a request containing script may be sent to a third-party web site running IIS. When the third-party site responds to the request, including the original script sent to it, the script is executed on the user's system with the privileges of the third-party site. This may allow the attacker to obtain data that the third-party site has stored on the user's system.
Microsoft has released cumulative patches, available in Security Bulletin MS02-018. The cumulative patches also include all previously released patches except those that require administrative correction actions or non-IIS products.
Cisco has released a security advisory and patches for Cisco products installed on Microsoft platforms using IIS that are affected by the vulnerabilities announced in Microsoft IIS MS02-018. The Cisco products do not contain the vulnerabilities but are vulnerable because they run with IIS. Cisco considers all of its products and applications that use Microsoft IIS to be vulnerable and advises users to install the available patches.