Two IIS Security Flaws: Tough to Exploit, Easy to Patch

Severity: Medium

12 February, 2008

Summary:

  • These vulnerabilities affect: Internet Information Services 7 and earlier
  • How an attacker exploits them: By modifying a file in a root directory; or by sending maliciously crafted ASP input
  • Impact: Elevation of privilege. A local user could take over a computer; a remote attacker could become a low-privileged user
  • What to do: Deploy the appropriate IIS patches at your earliest convenience

Exposure:

Microsoft’s two security bulletins detail vulnerabilities found in Internet Information Services (IIS) versions 5.1, 6.0, and 7. Each bulletin describes a security vulnerability in IIS, but in both cases, common administrative practices blunt the likelihood of a successful exploit, or make the attacker expend a lot of effort for a low-yield result. For those reasons, Microsoft has rated the severity of each security flaw as Important, but not Critical. We briefly recap the bulletins below.

MS08-005: File Change Notification Vulnerability

IIS suffers from a problem in the way it handles files in three root-level folders (specifically, FTPRoot, NNTPFile\Root, and WWWRoot). If an attacker can successfully upload a script and execute it in one of these directories, he might be able to take over the IIS server. However, to exploit the vulnerability, the attacker would need login credentials to the victim server, and he would need write access to the vulnerable folders — which, by default, are not configured to grant write access (at least in XP SP2 and Windows Server 2003). Very few real-world scenarios meet those conditions.
Microsoft rating: Important.
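The write-access precondition described above can be checked directly on a server. The following PowerShell audit is an added example, not code from this advisory or from Microsoft. It assumes the three folders sit under the default %SystemDrive%\Inetpub root and treats only SYSTEM and the local Administrators group as expected writers; the helper name Get-WritableAce is hypothetical.

```powershell
# Added example: lists ACEs that grant write-type access on the MS08-005 folders.
# Assumption: content lives under the default %SystemDrive%\Inetpub root.
param([string]$InetpubRoot = (Join-Path $env:SystemDrive 'Inetpub'))

$folders = 'FTPRoot', 'NNTPFile\Root', 'WWWRoot'   # folder names from the bulletin recap
$trusted = 'S-1-5-18', 'S-1-5-32-544'              # SYSTEM, BUILTIN\Administrators (assumed baseline)

# Rights that let an account create or change files, or re-grant itself that ability.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry raw GENERIC_WRITE / GENERIC_ALL bits instead.
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

function Get-WritableAce {   # hypothetical helper name
    param([string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -Path $Path
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        if ($trusted -contains $sid) { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
        $name = $sid
        try {
            $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Orphaned SID: keep the raw SID as the display name.
        }
        New-Object PSObject -Property @{
            Folder = $Path; Account = $name; Rights = $rule.FileSystemRights; Inherited = $rule.IsInherited
        }
    }
}

foreach ($folder in $folders) {
    $path = Join-Path $InetpubRoot $folder
    if (-not (Test-Path -Path $path -PathType Container)) {
        Write-Host "Not present, skipped: $path"
        continue
    }
    Get-WritableAce -Path $path | Select-Object Folder, Account, Rights, Inherited
}
```

Any row in the output is an account other than SYSTEM or Administrators that can write to one of the affected folders, which is the condition the bulletin says an attacker needs.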

MS08-006: ASP Vulnerability

An Active Server Page (ASP) is really just an HTML page that contains scripts, which the Web server executes before sending the page to a user’s browser. Web developers commonly use ASP to implement anything a Web page displays that should change dynamically, such as the date and time. Many ASP pages are also forms, where users are allowed to input data. An attacker who sends maliciously crafted input to such a page could trigger a flaw in the way IIS handles that input. However, all he gets for his trouble is an elevation of privilege from a guest user to a low-privileged authenticated user. Further reducing the impact of this threat: it doesn’t work on Vista, and it doesn’t work in IIS 7. And on Windows Server 2003, if you disable classic ASP, the exploit is not possible.
Microsoft rating: Important.

Solution Path

Microsoft has released patches for IIS to correct these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network at your earliest convenience.

Note: Microsoft no longer officially supports Windows NT 4.0, 98, ME or XP with SP1. If you manage any of these operating systems, Microsoft recommends that you migrate to supported versions, thus preventing potential exposure to vulnerabilities. You can learn more about Microsoft’s Product Life-Cycle here.

MS08-005:

MS08-006:

Note: Windows 2000 SP 4, Vista, and Server 2008 are not affected

For All WatchGuard Users:

Attempts to exploit these flaws must come through port 80. If your users need to access the World Wide Web, you must leave this port open. In the case of the File Change Notification vulnerability, one possible attack vector is local, which means the attack probably would not pass through your gateway firewall at all. For these reasons, your best defense is to apply the patches above.

Status:

Microsoft has released patches correcting these issues.


One Response to “Two IIS Security Flaws: Tough to Exploit, Easy to Patch”

  1. Timothy Says:

    Thanks for the information.

    It’ll come in handy.
