
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Remote IIS Code Execution Flaw Affects Only Select Web Servers

June 8, 2010 By The Editor

Summary:

  • This vulnerability affects: IIS 6.0, 7.0 and 7.5
  • How an attacker exploits it: By sending a specially crafted HTTP request
  • Impact: In the worst case, an attacker can gain complete control of your IIS server
  • What to do: Install Microsoft’s IIS updates, or let Windows Update do it for you

Exposure:

Microsoft’s Internet Information Services (IIS) is one of the most popular web servers used on the Internet. All server versions of Windows come with IIS, though some of its services may not start by default.

In a security bulletin released as part of Patch Day, Microsoft describes an unpatched code execution vulnerability in IIS. The flaw has to do with IIS’ inability to allocate memory properly when handling certain types of authentication information received from a client. By sending a specially crafted HTTP request containing such authentication information, a remote attacker could exploit this vulnerability to execute code on your IIS server with the privileges of the IIS Worker Process Identity (WPI). According to Microsoft, WPI has the same privileges as a Windows Network Service account by default. However, in some cases, IIS administrators may give WPI administrative privileges to get their web applications to work. In these cases, the attacker could leverage this IIS vulnerability to gain complete control of your web server.

Though this vulnerability sounds extremely serious, a few mitigating factors significantly lessen its severity. First of all, your IIS server is only vulnerable to this flaw if you’ve installed an add-on feature called Extended Protection for Authentication. This add-on came with a non-security update referred to in this Microsoft Knowledge Base article. Furthermore, even if you’ve installed this update, Extended Protection for Authentication is not enabled by default; you’d actually have to enable the component first. Finally, even if you’ve installed and enabled this optional component, Microsoft claims only authenticated attackers can exploit this vulnerability. That is, only users with a valid account on your website could exploit this flaw.

Though the mitigating factors above significantly limit the severity of this vulnerability to average IIS administrators, this flaw does pose a very high risk to the IIS administrators that do use Extended Protection for Authentication. Whether or not you’re one of those administrators, we still recommend you apply Microsoft’s IIS update as soon as possible.
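To check the two exposure conditions described above (Extended Protection for Authentication switched on, and a worker process identity more privileged than Network Service), the following added example audits an IIS 7.0/7.5 configuration file; it is not code from WatchGuard or Microsoft. It assumes the applicationHost.config layout, where Extended Protection appears as `extendedProtection tokenChecking` under `windowsAuthentication` and the pool identity as `processModel identityType`; the sample configuration is constructed, and configuration inheritance between levels is not resolved.

```python
import xml.etree.ElementTree as ET

# Constructed sample in applicationHost.config layout; not taken from a real server.
SAMPLE_CONFIG = """
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="LegacyApp"><processModel identityType="LocalSystem" /></add>
      <applicationPoolDefaults><processModel identityType="NetworkService" /></applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
  <system.webServer><security><authentication>
    <windowsAuthentication enabled="false" /></authentication></security></system.webServer>
  <location path="Intranet"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true">
      <extendedProtection tokenChecking="Require" />
    </windowsAuthentication>
  </authentication></security></system.webServer></location>
</configuration>
"""

def extended_protection_scopes(root):
    """List (scope, tokenChecking) wherever Extended Protection is switched on."""
    found = []
    for top in root:  # server-wide sections and <location path="..."> overrides
        scope = top.get("path", "") if top.tag == "location" else "(server)"
        for win in top.iter("windowsAuthentication"):
            ep = win.find("extendedProtection")
            # A missing element or attribute means tokenChecking="None" (off).
            if ep is not None and ep.get("tokenChecking", "None") != "None":
                found.append((scope, ep.get("tokenChecking")))
    return found

def privileged_pools(root):
    """List (pool, identityType) for worker identities above Network Service."""
    flagged = []
    for pools in root.iter("applicationPools"):
        dflt = pools.find("applicationPoolDefaults/processModel")
        # Assumption: fall back to NetworkService, the default the article cites.
        default = dflt.get("identityType", "NetworkService") if dflt is not None else "NetworkService"
        for pool in pools.findall("add"):
            pm = pool.find("processModel")
            ident = pm.get("identityType", default) if pm is not None else default
            if ident in ("LocalSystem", "SpecificUser"):  # SpecificUser: check its group membership
                flagged.append((pool.get("name"), ident))
    return flagged

def audit(config_xml):
    root = ET.fromstring(config_xml)
    return extended_protection_scopes(root), privileged_pools(root)
```

A server that returns entries in both lists matches the high-risk case the article describes and should be first in line for the update.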

Solution Path:

Microsoft has released IIS updates to fix this vulnerability. You should download, test, and deploy the corresponding update as soon as possible, or let Windows Update do it for you:

  • IIS 6.0
    • Windows Server 2003
    • Windows Server 2003 x64
    • Windows Server 2003 Itanium
  • IIS 7.0
    • Windows Vista
    • Windows Vista x64
    • Windows Server 2008
    • Windows Server 2008 x64
    • Windows Server 2008 Itanium
  • IIS 7.5
    • Windows 7
    • Windows 7 x64
    • Windows Server 2008 R2 x64
    • Windows Server 2008 R2 Itanium

For All WatchGuard Users:

WatchGuard’s HTTP-Server proxy action allows you to control many aspects of the HTTP requests you accept to your web server. In some cases, this control can allow you to configure your proxies in ways that prevent certain types of attacks from succeeding. However, neither Microsoft nor this flaw’s original discoverer has disclosed enough technical detail about this flaw for us to say whether or not our proxy can help. If we do learn technical details that suggest our proxies do help, we’ll update this alert. For now, however, Microsoft’s patches are your primary recourse.

Status:

Microsoft has released updates to correct this vulnerability.

References:

  • Microsoft Security Bulletin MS10-40

This alert was researched and written by Corey Nachreiner, CISSP.


Filed Under: Security Bytes Tagged With: iis, Microsoft
