
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Three IIS Flaws Allow Authentication Bypass, DoS, or Code Execution

September 14, 2010 By Corey Nachreiner

Summary:

  • This vulnerability affects: IIS 5.1, 6.0, 7.0 and 7.5
  • How an attacker exploits it: By sending specially crafted HTTP requests or URLs
  • Impact: In the worst case, an attacker can gain complete control of your IIS server
  • What to do: Install Microsoft’s IIS update immediately, or let Windows Update do it for you

Exposure:

Microsoft’s Internet Information Services (IIS) is one of the most popular web servers used on the Internet. All server versions of Windows come with IIS, though some of its services may not start by default.

In a security bulletin released as part of Patch Day, Microsoft describes three vulnerabilities affecting IIS. The worst is a buffer overflow vulnerability in the way IIS handles FastCGI-enabled requests. By sending your IIS server a specially crafted HTTP request, an attacker could exploit this vulnerability to gain complete control of the server. This flaw sounds quite bad; however, a key mitigating factor limits its severity: FastCGI is not enabled by default on IIS servers. You are only vulnerable to this flaw if you have specifically enabled it.

The two remaining flaws include a Denial of Service flaw that an attacker could leverage to crash your IIS server and an authentication bypass vulnerability that attackers could leverage to gain access to web resources that require authentication.

Though Microsoft only rates these flaws as Important, we recommend IIS administrators download, test and install the IIS update immediately.

Solution Path:

Microsoft has released IIS updates to fix these vulnerabilities. IIS administrators should download, test and deploy the corresponding update as soon as possible, or let Windows Update do it for you:

  • IIS 5.1 (XP)
  • IIS 6.0
    • Windows XP
    • Windows Server 2003
    • Windows Server 2003 x64
    • Windows Server 2003 Itanium
  • IIS 7.0
    • Windows Vista
    • Windows Vista x64
    • Windows Server 2008
    • Windows Server 2008 x64
    • Windows Server 2008 Itanium
  • IIS 7.5
    • Windows 7
    • Windows 7 x64
    • Windows Server 2008 R2 x64
    • Windows Server 2008 R2 Itanium
  • IIS FastCGI Update:
    • Windows 7
    • Windows 7 x64
    • Windows Server 2008 R2 x64
    • Windows Server 2008 R2 Itanium
  • IIS 5.1 Authentication Update (XP)
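Because the buffer overflow only applies where FastCGI has been configured, and because the right update depends on the IIS version, an administrator's first step is an inventory of each server. The following PowerShell script is an added example written for this alert, not code from Microsoft or WatchGuard. It assumes IIS 7.0 or 7.5 (where appcmd.exe exists); the InetStp registry key, the appcmd configuration sections and the Get-HotFix cmdlet are real, and the September 14, 2010 date is the bulletin's release date from this alert.

```powershell
# Added example: pre-patch inventory for the IIS flaws described in this alert.
# Assumptions: IIS 7.0/7.5 (appcmd.exe present under %windir%\system32\inetsrv),
# run from an elevated PowerShell prompt on the IIS host itself.

# 1. Which IIS version is installed? InetStp holds MajorVersion/MinorVersion
#    for every IIS install (5.1, 6.0, 7.0, 7.5 ...), which selects the update above.
$inetstp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\InetStp' -ErrorAction SilentlyContinue
if (-not $inetstp) {
    Write-Output 'IIS does not appear to be installed on this host.'
    return
}
$iisVersion = '{0}.{1}' -f $inetstp.MajorVersion, $inetstp.MinorVersion
Write-Output "IIS version: $iisVersion"

# 2. Is FastCGI configured? The worst flaw only matters if it is. appcmd prints the
#    <fastCgi> section (one <application .../> per registered FastCGI process) and the
#    handler mappings; any handler with modules="FastCgiModule" routes requests to FastCGI.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
if (Test-Path $appcmd) {
    $fastCgiSection  = & $appcmd list config /section:system.webServer/fastCgi
    $fastCgiApps     = @($fastCgiSection | Select-String -Pattern '<application ')
    $handlerSection  = & $appcmd list config /section:system.webServer/handlers
    $fastCgiHandlers = @($handlerSection | Select-String -Pattern 'modules="FastCgiModule"')

    if ($fastCgiApps.Count -gt 0 -or $fastCgiHandlers.Count -gt 0) {
        Write-Output ("FastCGI IS configured: {0} application(s), {1} handler mapping(s). " +
                      "Treat the FastCGI update as urgent.") -f $fastCgiApps.Count, $fastCgiHandlers.Count
        $fastCgiHandlers | ForEach-Object { Write-Output "  handler: $($_.Line.Trim())" }
    } else {
        Write-Output ('FastCGI is not configured; the buffer overflow path does not apply here, ' +
                      'but the DoS and authentication bypass fixes still do.')
    }
} else {
    # IIS 6.0 and 5.1 have no appcmd; FastCGI there is an optional add-on, so check
    # the IIS MMC snap-in and installed programs instead.
    Write-Output 'appcmd.exe not found (IIS 6.0 or earlier); verify FastCGI manually.'
}

# 3. Has anything from this Patch Day been applied? Get-HotFix reads installed QFEs
#    (Win32_QuickFixEngineering); list everything installed on or after the bulletin date
#    so the KB IDs can be compared against the bulletin's own list.
$since = [datetime]'2010-09-14'
$recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $since }
if ($recent) {
    Write-Output "Hotfixes installed since ${since:yyyy-MM-dd}:"
    $recent | Sort-Object InstalledOn | ForEach-Object {
        Write-Output ('  {0}  {1}' -f $_.HotFixID, $_.InstalledOn.ToString('yyyy-MM-dd'))
    }
} else {
    Write-Output "No hotfixes recorded since ${since:yyyy-MM-dd}; the IIS update is likely still missing."
}
```

Run it on each IIS host (or through remoting) and keep the output: the version line tells you which entry in the list above applies, the FastCGI result tells you whether the remote code execution path is live on that server, and the hotfix list is what you compare against the KB numbers in Microsoft's bulletin once the update has been deployed.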

For All WatchGuard Users:

WatchGuard’s HTTP-Server proxy action allows you to control many aspects of the HTTP requests you accept to your web server. In some cases, this control lets you configure your proxies in ways that prevent certain types of attacks from succeeding. However, neither Microsoft nor this flaw’s original discoverer has disclosed enough technical detail about these flaws for us to say whether or not our proxy can help. If we learn technical details that suggest our proxies do help, we will update this alert. For now, Microsoft’s patches are your primary recourse.

Status:

Microsoft has released updates to correct these vulnerabilities.

References:

  • Microsoft Security Bulletin MS10-065

This alert was researched and written by Corey Nachreiner, CISSP.

Filed Under: Security Bytes Tagged With: iis, Microsoft

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use