Remote IIS Code Execution Flaw Affects Only Select Web Servers

Summary:

• This vulnerability affects: IIS 6.0, 7.0 and 7.5
• How an attacker exploits it: By sending a specially crafted HTTP request
• Impact: In the worst case, an attacker can gain complete control of your IIS server
• What to do: Install Microsoft’s IIS updates, or let Windows Update do it for you

Exposure:

Microsoft’s Internet Information Services (IIS) is one of the most popular web servers used on the Internet. All server versions of Windows come with IIS, though some of its services may not start by default.

In a security bulletin released as part of Patch Day, Microsoft describes an unpatched code execution vulnerability in IIS. The flaw has to do with IIS’ inability to allocate memory properly when handling certain types of authentication information received from a client. By sending a specially crafted HTTP request containing such authentication information, a remote attacker could exploit this vulnerability to execute code on your IIS server with the privileges of the IIS Worker Process Identity (WPI). According to Microsoft, WPI has the same privileges as a Windows’ Network Service account by default. However, in some cases, IIS administrators may give WPI administrative privileges to get their web applications to work. In these cases, the attacker could leverage this IIS vulnerability to gain complete control of your web server.

Though this vulnerability sounds extremely serious, a few mitigating factors significantly lessen its severity. First of all, your IIS server is only vulnerable to this flaw if you’ve installed an add on feature called Extended Protection for Authentication. This add on came with a non-security update referred to in this Microsoft Knowledge Base article. Furthermore, even if you’ve installed this update, Extended Protection for Authentication is not enabled by default; you’d actually have to enable the component first. Finally, even if you’ve installed and enabled this optional component, Microsoft claims only authenticated attackers can exploit this vulnerability. Meaning, only users with valid account on your website could exploit this flaw.

Though the mitigating factors above significantly limit the severity of this vulnerability to average IIS administrators, this flaw does pose a very high risk to the IIS administrators that do use Extended Protection for Authentication. Whether or not you’re one of those administrators, we still recommend you apply Microsoft’s IIS update as soon as possible.

Solution Path:

Microsoft has released IIS updates to fix this vulnerability. IIS administrators should download, test and deploy the corresponding update as soon as possible, or let Windows Update do it for you:

• IIS 6.0
  • Windows Server 2003
  • Windows Server 2003 x64
  • Windows Server 2003 Itanium
• IIS 7.0
  • Windows Vista
  • Windows Vista x64
  • Window Server 2008
  • Window Server 2008 x64
  • Window Server 2008 Itanium
• IIS 7.5
  • Windows 7
  • Windows 7 x64
  • Window Server 2008 R2 x64
  • Window Server 2008 R2 Itanium

For All WatchGuard Users:

WatchGuard’s HTTP-Server proxy action allows you to control many aspects pertaining to the HTTP requests you accept to your web server. In some cases, this control can allow you to configure your proxies in ways that prevent certain types of attacks from succeeding. However, neither Microsoft, nor this flaw’s original discoverer, have disclosed enough technical detail about this flaw for us to say whether or not our proxy can help. If we do learn technical details that suggest our proxies do help, we’ll update this alert. However for now, Microsoft’s patches are your primary recourse.

Status:

Microsoft has released updates to correct this vulnerability.

References:

• Microsoft Security Bulletin MS10-40

This alert was researched and written by Corey Nachreiner, CISSP.