CVE-2005-4360 - Input Validation vulnerability in Microsoft Internet Information Server 5.1

Publication

2005-12-20

Last modification

2018-10-19

Summary

The URL parser in Microsoft Internet Information Services (IIS) 5.1 on Windows XP Professional SP2 allows remote attackers to execute arbitrary code via multiple requests to ".dll" followed by arguments such as "~0" through "~9", which causes ntdll.dll to produce a return value that is not correctly handled by IIS, as demonstrated using "/_vti_bin/.dll/*/~0". NOTE: the consequence was originally believed to be only a denial of service (application crash and reboot).

Description

Microsoft IIS is prone to a remote code-execution vulnerability because the application fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the vulnerable application, which may lead to the complete compromise of affected computers.This issue affects Microsoft IIS 5.1 running on Windows XP SP2.Note: this issue was previously reported as a denial-of-service vulnerability. New information from the vendor states that code execution is possible.

Solution

The vendor released an advisory along with fixes to address this issue. Please see the referenced advisory for more information. Microsoft IIS 5.1 Microsoft Security Update for Windows XP (KB939373) http://www.microsoft.com/downloads/details.aspx?FamilyId=fccbfe90-f838 -47df-8310-352e2fb47132

Exploit

To demonstrate this issue, the following request will crash the application if issued a number of times (four requests will do the trick, according to the author): http://www.example.xom/_vti_bin/.dll/*\~0 The following proof-of-concept exploit also demonstrates this issue by crashing the application: /data/vulnerabilities/exploits/IIS_Mal_URI_Dos.cpp

Classification

CWE-20 - Input Validation

Risk level (CVSS AV:N/AC:L/Au:N/C:N/I:C/A:N)

High

7.8

Access Vector

  • Network
  • Adjacent Network
  • Local

Access Complexity

  • Low
  • Medium
  • High

Authentication

  • None
  • Single
  • Multiple

Confident. Impact

  • Complete
  • Partial
  • None

Integrity Impact

  • Complete
  • Partial
  • None

OVAL definition

{
    "accepted": "2007-08-20T08:04:38.567-04:00",
    "class": "vulnerability",
    "contributors": [
        {
            "name": "Sudhir Gandhe",
            "organization": "Secure Elements, Inc."
        },
        {
            "name": "Robert L. Hollis",
            "organization": "ThreatGuard, Inc."
        }
    ],
    "definition_extensions": [
        {
            "comment": "Microsoft Windows XP SP2 or later is installed",
            "oval": "oval:org.mitre.oval:def:521"
        },
        {
            "comment": "Microsoft IIS 5.1 is installed",
            "oval": "oval:org.mitre.oval:def:460"
        }
    ],
    "description": "The URL parser in Microsoft Internet Information Services (IIS) 5.1 on Windows XP Professional SP2 allows remote attackers to execute arbitrary code via multiple requests to \".dll\" followed by arguments such as \"~0\" through \"~9\", which causes ntdll.dll to produce a return value that is not correctly handled by IIS, as demonstrated using \"/_vti_bin/.dll/*/~0\".  NOTE: the consequence was originally believed to be only a denial of service (application crash and reboot).",
    "family": "windows",
    "id": "oval:org.mitre.oval:def:1703",
    "status": "accepted",
    "submitted": "2007-07-10T18:34:24",
    "title": "IIS Memory Request Vulnerability",
    "version": "34"
}

Affected Products

Vendor Product Versions
Microsoft Internet Information Server  5.1