Microsoft IIS 4.0 Chunked Transfer Encoding Buffer Overflow Vulnerability
BID:1066
Info
Microsoft IIS 4.0 Chunked Transfer Encoding Buffer Overflow Vulnerability
| Bugtraq ID: | 1066 |
| Class: | Boundary Condition Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Mar 20 2000 12:00AM |
| Updated: | Mar 20 2000 12:00AM |
| Credit: | Discovered by Petteri Stenius and publicized in Microsoft Security Bulletin (MS00-018) released on March 20, 2000. |
| Vulnerable: |
Microsoft IIS 4.0 alpha Microsoft IIS 4.0 |
| Not Vulnerable: | |
Discussion
Microsoft IIS 4.0 Chunked Transfer Encoding Buffer Overflow Vulnerability
Due to unchecked buffer code that handles chunked encoding transfers, remote users are able to consume CPU cycles in Microsoft IIS until the program is rendered completely unstable and eventually crash. The remote user can request a POST or PUT command using chunked transfer encoding compromised of a large buffer without actually filling it. This can cause the server to hang indefinitely until the remote user cancels the session or until the IIS service is stopped and restarted.
Due to unchecked buffer code that handles chunked encoding transfers, remote users are able to consume CPU cycles in Microsoft IIS until the program is rendered completely unstable and eventually crash. The remote user can request a POST or PUT command using chunked transfer encoding compromised of a large buffer without actually filling it. This can cause the server to hang indefinitely until the remote user cancels the session or until the IIS service is stopped and restarted.
Exploit / POC
Microsoft IIS 4.0 Chunked Transfer Encoding Buffer Overflow Vulnerability
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Microsoft IIS 4.0 Chunked Transfer Encoding Buffer Overflow Vulnerability
Solution:
Microsoft has released patches which rectify this issue:
Microsoft IIS 4.0 alpha
Microsoft IIS 4.0
Solution:
Microsoft has released patches which rectify this issue:
Microsoft IIS 4.0 alpha
-
Microsoft Q252693
http://download.microsoft.com/download/iis40/Patch/4.2.739.1/ALPHA/EN- US/chkenc4a.exe
Microsoft IIS 4.0
References
Microsoft IIS 4.0 Chunked Transfer Encoding Buffer Overflow Vulnerability
References:
References: