Microsoft Corp. on Wednesday released patches for vulnerabilities in three separate products, including a new buffer overrun flaw in IIS that enables an attacker to run arbitrary code on a target machine.
The vulnerability is in HTR, an old scripting language that is rarely used anymore. IIS 4.0 and 5.0 both include support for HTR for reasons of backward compatibility. The flaw is in the Chunked Encoding data transfer mechanism, and by sending a specially crafted session to the vulnerable server, an attacker could overwrite a section of the heap memory.
An attacker can then manipulate portions of the overwritten memory to move foreign data into memory addresses that the attacker supplies, which would alter the flow of execution into the attackers own payload, according to a bulletin on the flaw released by eEye Digital Security Inc., which discovered the problem.
This vulnerability is quite similar to another problem found with HTR earlier this year. There are attack tools available for the previous flaw, Microsoft said, which makes the new vulnerability all the more dangerous.
"While many may believe that the risk for these types of vulnerabilities is fairly low due to the fact that addressing is dynamic and brute force techniques would need to be used in an attack…this premise is false as successful exploitation can be made with one attempt across .dll versions," eEye said in its advisory.
The patch is available online.
Microsoft also issued a patch for a buffer overrun vulnerability in the Remote Access Service phonebook, which is used for dial-up connections and is included in NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000 and Windows XP, as well as the Routing and Remote Access Server, all of which are vulnerable.
An attacker could use the flaw to log on to an affected server, modify a phonebook entry with specially malformed code and then establish a connection using this entry. The attackers code would then be executed on the vulnerable system. Alternately, the flaw could be used to cause a system failure.
There are also two new vulnerabilities in SQL Server 2000s SQLXML service. There is an unchecked buffer in an ISAPI extension that could enable an attacker to run code on the IIS server, as well as vulnerability in a function that specifies an XML tag. This second flaw could allow an attacker to run scripts on the vulnerable machine with escalated privileges, Microsoft said.
The patch for these flaws is also available online.
- Microsoft Warns of 10 IIS Flaws
- Microsoft Updates MSN Chat Control Patch
- Trusting in Microsoft
- On the Mend?
- More Security Coverage