Copyright 2022 - CSIM - Asian Institute of Technology

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Subject: CERT Advisory CA-2003-09 Buffer Overflow in Microsoft IIS 5.0
From: CERT Advisory <This email address is being protected from spambots. You need JavaScript enabled to view it.>
Date: Mon, 17 Mar 2003 14:06:03 -0500


CERT Advisory CA-2003-09 Buffer Overflow in Microsoft IIS 5.0

   Original issue date: March 17, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

     * Systems running Microsoft Windows 2000 with IIS 5.0 enabled


   A buffer overflow vulnerability exists in Microsoft IIS 5.0 running on
   Microsoft Windows 2000. IIS 5.0 is installed and running by default on
   Microsoft  Windows 2000 systems. This vulnerability may allow a remote
   attacker to run arbitrary code on the victim machine.

   An  exploit  is  publicly  available  for  this  vulnerability,  which
   increases the urgency that system administrators apply a patch.

I. Description

   IIS  5.0 includes support for WebDAV, which allows users to manipulate
   files   stored   on   a   web  server  (RFC2518).  A  buffer  overflow
   vulnerability  exists  in ntdll.dll (a portion of code utilized by the
   IIS  WebDAV  component).  By sending a specially crafted request to an
   IIS  5.0  server, an attacker may be able to execute arbitrary code in
   the  Local  System  security  context, essentially giving the attacker
   compete control of the system.

   Microsoft   has   issued   the   following   bulletin  regarding  this
   vulnerability: urity/bulletin/ms03-007.asp

   This  vulnerability  has been assigned the identifier CAN-2003-0109 by
   the Common Vulnerabilities and Exposures (CVE) group:

II. Impact

   Any  attacker  who can reach a vulnerable web server can gain complete
   control  of  the system and execute arbitrary code in the Local System
   security  context.  Note  that  this may be significantly more serious
   than a simple "web defacement."

III. Solution

Apply a patch from your vendor

   A patch is available from Microsoft at

Disable vulnerable service

   Until  a  patch  can  be  applied,  you  may  wish  to disable IIS. To
   determine if IIS is running, Microsoft recommends the following:

Go  to  Start  |  Settings  |  Control  Panel | Administrative Tools | Services.  

   If the World Wide Web Publishing service is listed then IIS
   is installed

   To  disable  IIS,  run  the  IIS lockdown tool. This tool is available

   If  you  cannot  disable  IIS, consider using the IIS lockdown tool to
   disable  WebDAV (removing WebDAV can be specified when running the IIS
   lockdown tool). Alternatively, you can disable WebDAV by following the
   instructions located in Microsoft's Knowledgebase Article 241520, "How
   to Disable WebDAV for IIS 5.0":;en-us;241520

Restrict buffer size

   If  you  cannot  use  either  IIS  lockdown  tool or URLScan, consider
   restricting the size of the buffer IIS utilizes to process requests by
   using  Microsoft's URL Buffer Size Registry Tool. This tool can be run
   against  a  local  or  remote Windows 2000 system running Windows 2000
   Service Pack 2 or Service Pack 3. The tool, instructions on how to use
   it,  and  instructions on how to manually make changes to the registry
   are available here:

URL Buffer Size Registry Tool -
Microsoft Knowledge Base Article 816930 -;en-us;816930

Microsoft Knowledge Base Article 260694 -;en-us;260694

   You  may  also wish to use URLScan, which will block web requests that
   attempt  to  exploit  this vulnerability. Information about URLScan is
   available at:;[LN];326444

Appendix A. Vendor Information

   This  appendix  contains information provided by vendors. When vendors
   report  new  information,  this section is updated and the changes are
   noted  in  the  revision  history. If a vendor is not listed below, we
   have not received their comments.

Microsoft Corporation

     Please see Microsoft Security Bulletin MS03-007.

   Author: Ian A. Finlay

   This document is available from:

CERT/CC Contact Information

   Email: This email address is being protected from spambots. You need JavaScript enabled to view it.
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more

Getting security information

   CERT  publications  and  other security information are available from
   our web site

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to This email address is being protected from spambots. You need JavaScript enabled to view it.. Please include in the body of your

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

   Revision History

   March 17, 2003: Initial release

Version: PGP 6.5.8


Powered by: MHonArc

Login Form


School of Engineering and technologies     Asian Institute of Technology