Archive of CERT general posting, CERT Advisory CA-2003-09 Buffer Overflow in Microsoft IIS 5.0

18/03/03, CERT Advisory CA-2003-09 Buffer Overflow in Microsoft IIS 5.0
From: CERT Advisory <>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Subject: CERT Advisory CA-2003-09 Buffer Overflow in Microsoft IIS 5.0
From: CERT Advisory <>
Date: Mon, 17 Mar 2003 14:06:03 -0500
List-archive: <>
List-help: <>, <>
List-owner: <>
List-post: NO (posting not allowed on this list)
List-subscribe: <>
List-unsubscribe: <>
Mail-from: From Tue Mar 18 03:47:36 2003
Organization: CERT(R) Coordination Center - +1 412-268-7090


CERT Advisory CA-2003-09 Buffer Overflow in Microsoft IIS 5.0

   Original issue date: March 17, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

     * Systems running Microsoft Windows 2000 with IIS 5.0 enabled


   A buffer overflow vulnerability exists in Microsoft IIS 5.0 running on
   Microsoft Windows 2000. IIS 5.0 is installed and running by default on
   Microsoft  Windows 2000 systems. This vulnerability may allow a remote
   attacker to run arbitrary code on the victim machine.

   An  exploit  is  publicly  available  for  this  vulnerability,  which
   increases the urgency that system administrators apply a patch.

I. Description

   IIS  5.0 includes support for WebDAV, which allows users to manipulate
   files   stored   on   a   web  server  (RFC2518).  A  buffer  overflow
   vulnerability  exists  in ntdll.dll (a portion of code utilized by the
   IIS  WebDAV  component).  By sending a specially crafted request to an
   IIS  5.0  server, an attacker may be able to execute arbitrary code in
   the  Local  System  security  context, essentially giving the attacker
   compete control of the system.

   Microsoft   has   issued   the   following   bulletin  regarding  this
   vulnerability: urity/bulletin/ms03-007.asp

   This  vulnerability  has been assigned the identifier CAN-2003-0109 by
   the Common Vulnerabilities and Exposures (CVE) group:

II. Impact

   Any  attacker  who can reach a vulnerable web server can gain complete
   control  of  the system and execute arbitrary code in the Local System
   security  context.  Note  that  this may be significantly more serious
   than a simple "web defacement."

III. Solution

Apply a patch from your vendor

   A patch is available from Microsoft at

Disable vulnerable service

   Until  a  patch  can  be  applied,  you  may  wish  to disable IIS. To
   determine if IIS is running, Microsoft recommends the following:

Go  to  Start  |  Settings  |  Control  Panel | Administrative Tools | Services.  

   If the World Wide Web Publishing service is listed then IIS
   is installed

   To  disable  IIS,  run  the  IIS lockdown tool. This tool is available

   If  you  cannot  disable  IIS, consider using the IIS lockdown tool to
   disable  WebDAV (removing WebDAV can be specified when running the IIS
   lockdown tool). Alternatively, you can disable WebDAV by following the
   instructions located in Microsoft's Knowledgebase Article 241520, "How
   to Disable WebDAV for IIS 5.0":;en-us;241520

Restrict buffer size

   If  you  cannot  use  either  IIS  lockdown  tool or URLScan, consider
   restricting the size of the buffer IIS utilizes to process requests by
   using  Microsoft's URL Buffer Size Registry Tool. This tool can be run
   against  a  local  or  remote Windows 2000 system running Windows 2000
   Service Pack 2 or Service Pack 3. The tool, instructions on how to use
   it,  and  instructions on how to manually make changes to the registry
   are available here:

URL Buffer Size Registry Tool -
Microsoft Knowledge Base Article 816930 -;en-us;816930

Microsoft Knowledge Base Article 260694 -;en-us;260694

   You  may  also wish to use URLScan, which will block web requests that
   attempt  to  exploit  this vulnerability. Information about URLScan is
   available at:;[LN];326444

Appendix A. Vendor Information

   This  appendix  contains information provided by vendors. When vendors
   report  new  information,  this section is updated and the changes are
   noted  in  the  revision  history. If a vendor is not listed below, we
   have not received their comments.

Microsoft Corporation

     Please see Microsoft Security Bulletin MS03-007.

   Author: Ian A. Finlay

   This document is available from:

CERT/CC Contact Information

          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more

Getting security information

   CERT  publications  and  other security information are available from
   our web site

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to Please include in the body of your

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

   Revision History

   March 17, 2003: Initial release

Version: PGP 6.5.8


Previous message sorted by date: CERT Advisory CA-2003-08 Increased Activity Targeting Windows Shares
Next message sorted by date: CERT Advisory CA-2003-10 Integer overflow in Sun RPC XDR library routines
Previous message sorted by thread: CERT Advisory CA-2003-08 Increased Activity Targeting Windows Shares
Next message by thread: CERT Advisory CA-2003-10 Integer overflow in Sun RPC XDR library routines
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Jan 2004