Microsoft Internet Information Services Remote Code Execution

Notification Type: IBM Internet Security Systems Protection Alert
Notification Date: July 10, 2007
Notification Version: 1.0
   
Name: Microsoft Internet Information Services Remote Code Execution
Public disclosure/
In the wild date:		 July 10, 2007 (vuln disclosure)
Aliases: MS07-041
CVE: CVE-2005-4360
Description: By sending specially-crafted URL requests to a Web page hosted by IIS, a remote attacker could execute arbitrary code on the system.

 

ISS Coverage
Product Content Version
Network Sensor 7.0
Proventia A
Proventia IPS (G/GX)
Server Sensor 7.0
Proventia Multifunction Appliance
Proventia Server (Linux)		 27.060
Proventia Server (Windows)
Proventia Desktop		 x.x.x.2070
RealSecure Desktop 7.0 EQM
BlackICE PC Protection 3.6 CQM
Propagation Techniques ISS Protection Available
remote exploit HTTP_IIS_Tilde_DoS July 12, 2007

Detailed Description
Business Impact: This issue is a remote code execution vulnerability in Microsoft Internet Information Services 5.1.  This vulnerability was first disclosed as a denial-of-service issue in 2005, and a DOS proof-of-concept has been publicly available since then. Recently, new information has come to light indicating that this vulnerability can be leveraged to obtain remote code execution. Although the exploit is difficult to reproduce, we may see public exploitation in the weeks after disclosure due to the amount of information that is already available and the novelty of the attack methodology. As web servers are critical infrastructure, IBM ISS X-Force advises administrators with vulnerable IIS servers to treat this issue with the highest priority.
CVSS: Base Score: 8.0
  Access Vector: Remote
Access Complexity: High
Authentication: Not Required
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
Impact Bias: Normal
Adjusted Temporal Score: 5.9
  Exploitability: Unproven
Remediation Level: Official-Fix
Report Confidence: Confirmed
Affected Products: For a full list of affected versions, see XFDB reference below.
Technical Description: Microsoft Internet Information Services (IIS) could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption vulnerability. An attacker could exploit this vulnerability by sending specially-crafted URL requests to a Web page hosted by IIS.
Remediation: Microsoft has released a patch to remediate this issue.  See References for details.

References
XFDB http://xforce.iss.net/xforce/xfdb/35197
Microsoft http://www.microsoft.com/technet/security/bulletin/MS07-041.mspx

Revision History
1.0 Initial publication.


About IBM Internet Security Systems
IBM Internet Security Systems is the trusted security advisor to thousands of the world's leading businesses and governments, providing pre-emptive protection for networks, desktops and servers. An established leader in security since 1994, the IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shielding customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – the unequivocal world authority in vulnerability and threat research. The Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.