
List:       ntbugtraq
Subject:    Alert: Microsoft Security Bulletin (MS99-039) - IIS 4.0 HTTP/FTP
From:       Russ <Russ.Cooper () RC ! ON ! CA>
Date:       1999-09-23 21:51:22

URLs may be wrapped to multiple lines.

Microsoft have released a Security Bulletin - MS99-039 - which
corrects two problems associated with IIS 4.0. The first has to do
with IIS' ability to deny a user access based on the user's domain.
The second has to do with the FTP server's ability to deny access to a
file which has been marked as "No Access".

IIS can be configured to block access to users based on the user's
domain name (as opposed to their IP address). In this case, if a
denied user attempts to connect to a site blocking his/her domain name
from an IP address which IIS cannot resolve to that domain name (via
in-addr.arpa or netbios lookup), instead of denying the user access it
will grant access for the first session.

The bulletin is ambiguous when talking about "deny the first session";
it also states it will "deny the first request". Chances are this will
be corrected shortly, but the vulnerability actually will allow the
first *session*, meaning potentially an endless connection to numerous
pages. A session doesn't end until it times out, or the server is
restarted, and consists of any number of individual requests for one,
or more, pages.

Couple of things to note from this.

The vulnerability explanation tells us that at some point IIS
determines that the IP address you came from, not being available via
in-addr.arpa or netbios lookups, should be blocked. It obviously
cannot map this to the domain name that's been configured to be
blocked, so it's doing it on the basis that because it can't be
resolved, it must be a bad address?? This, only if you have configured
it to block *any* domains based on name rather than IP address.

This means it builds dynamic tables (presumably) and stores
unresolvable client IP addresses in there. This is obviously not being
done right away (because you are able to get that first session), and
is what is preventing subsequent sessions from being permitted.

Of course a reboot of the box would blow this table away, meaning that
someone who was previously blocked by these means would then be able
to get that first session again.

One might also question how efficiently IIS handles such a table. It
would be fairly trivial to send it spoofed requests from all sorts of
unresolvable domain names (who owns 10.in-addr.arpa?) to see if the
table fills up and what effect that has on the server's performance.

Probably better to avoid domain names as a blocking mechanism
altogether, which seems to eliminate this vulnerability. It's much
easier, typically, to peg down an IP address (range) than to try and
track someone worth blocking by domain name.

Finally, there's a question as to how/if this affects Site Server
and/or Outlook Web Access (and anything else that runs on IIS and is
session-oriented). Might want to make sure you test this patch
carefully if you're running an IIS add-on (course you should always do
this if you can).

Meanwhile, there's a second issue addressed by the Security Bulletin.

There is a vulnerability in certain versions of the FTP service. The
vulnerability would allow someone with a browser to gain access to
file(s) marked as "No Access".

The vulnerability was introduced by early versions of the IIS
FTPSVC2.DLL fix (I cannot find the name of this hotfix, nor can I
determine if it was ever publicly available, it may only have been
available via PSS).

They refer you to:

http://support.microsoft.com/support/kb/articles/q237/9/87.asp

as the original fix, and say that this version, and subsequent ones,
may be affected by the vulnerability. This gets a bit confusing. The
Security Bulletin FAQ says that the original version of that fix was
v719. The KB article shows the version as v718.

They say you can apply the fix atop SP4 or SP5 (no mention of SP3), so
it's probably just a good idea to get the patch installed (with the
caveat above for the http issue).

Pertinent links are:

Security Bulletin MS99-039
http://www.microsoft.com/security/bulletins/MS99-039.asp
http://www.microsoft.com/security/bulletins/MS99-039faq.asp

Vulnerability applies to:
- Microsoft Internet Information Server 4.0 (all SPs)

Patch available via:
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/IIS40/hotfixes-postSP6/security/IPRFTP-fix/

Related KB articles:
- Combined FTP and Domain Restriction Security Patch for IIS 4.0,
  http://support.microsoft.com/support/kb/articles/q241/8/05.asp
- Denying Access With Domain Name Restriction Still Allows
  Unresolved Clients,
  http://support.microsoft.com/support/kb/articles/q241/5/62.asp
- Files can be downloaded from an FTP Server when the file
  permissions are explicitly No Access,
  http://support.microsoft.com/support/kb/articles/q241/4/07.asp

Cheers,
Russ - NTBugtraq Editor
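Added illustration (not part of Russ's post, and not Microsoft's code): the Python below models the two ways a domain-name deny rule can treat a client whose address has no reverse (in-addr.arpa) record. `check_fail_open` reproduces the shape of the bulletin's bug, where an unresolvable client is never matched against any domain rule and so gets through; `check_fail_closed` is the defensive design the post argues for, checking IP ranges first and denying unresolvable clients whenever a domain rule is configured. All addresses, hostnames and the stand-in PTR table are constructed, and the "first session, then blocked" behaviour Russ describes is not modelled.

```python
import ipaddress
from typing import Optional

# Constructed deny rules (assumed values, not from the bulletin).
DENIED_DOMAINS = {"example.net"}
DENIED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed stand-in for a reverse (in-addr.arpa) lookup table;
# an address missing from it is "unresolvable", like the real failure case.
FAKE_PTR = {
    "203.0.113.7": "host1.example.net",
    "192.0.2.10": "box.example.org",
}


def reverse_lookup(ip: str) -> Optional[str]:
    """Return the PTR name for ip, or None when it cannot be resolved."""
    return FAKE_PTR.get(ip)


def domain_denied(hostname: Optional[str]) -> bool:
    """True when hostname is, or is under, a denied domain."""
    if hostname is None:
        return False
    name = hostname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in DENIED_DOMAINS)


def check_fail_open(ip: str) -> bool:
    """Weak check: a client with no PTR record matches no domain rule,
    so the missing lookup silently turns into 'allow'."""
    return not domain_denied(reverse_lookup(ip))


def check_fail_closed(ip: str) -> bool:
    """Hardened check: IP-range rules are applied first and need no DNS;
    if any domain rule exists, an unresolvable client is denied."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in DENIED_NETWORKS):
        return False
    if DENIED_DOMAINS:
        name = reverse_lookup(ip)
        if name is None or domain_denied(name):
            return False
    return True
```

The two functions differ only for clients the resolver cannot name, which is exactly the population the bulletin says slips through; the IP-range rule in `check_fail_closed` is the blocking mechanism the post recommends instead.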


