{"vuid":"VU#721963","idnumber":"721963","name":"Microsoft Internet Information Server (IIS) buffer overflow in server-side includes (SSI) containing long invalid file name","keywords":["Microsoft Internet Information Server","IIS","Active Server Pages","ASP","buffer overflow","server-side include","ssi","long invalid file name","MS02-018"],"overview":"A buffer overflow in IIS could allow an intruder to execute arbitrary code with the privileges of the ASP.DDL.","clean_desc":"Server-side include files (SSI files) are files which reside on a web server and which are included by scripts, programs, or web pages. SSI files are often used to provide common headers or graphics across multiple web pages, or to reuse code in multiple web pages. Web browsers can't request that a particular file be included, but may be able to influence when and how a file gets included. Quoting from Microsoft Security Bulletin MS02-018: In some cases, requesting a particular web page will cause it to be included within an ASP script as part of its processing. Because this involves putting user input into a buffer, IIS always performs a check beforehand, designed to make sure the input is valid. Specifically, it performs an operation on the file name that should only succeed if the file name is valid. A security vulnerability results because it’s possible to levy a request that includes a very long, invalid file name, but do it in a way that has two effects. First, the ASP ISAPI extension concludes that the filename needs to be processed as part of an ASP file, and does a server-side include. Second, the filename evades the safety check. The result is that the file name – which is longer than the buffer allocated to hold it – causes a buffer overrun in the ASP file when it’s processed. In order to exploit the vulnerability, ASP has to be enabled on the server.","impact":"An intruder can interrupt the ordinary operation of a vulnerable IIS server or execute arbitrary code with the privileges of ASP ISAPI extension, ASP.DLL. On IIS 4.0, ASP.DLL runs as part of the operating system thus allowing an intruder to take full administrative control. On IIS 5.0 and 5.1, ASP.DLL runs with the privileges of the IWAM_computername account.","resolution":"Apply a patch as described in MS02-018.","workarounds":"Until a patch can be applied, you may wish to disable ASP if that is possible in your environment. In general, if ASP (or any service) is not needed, we recommend disabling it. The IIS Lockdown Tool can be used to help you disable ASP.","sysaffected":"","thanks":"Our thanks to Microsoft Corporation, upon whose \nadvisory\n this document is based.","author":"This document was written by Shawn V. Hernan.","public":["http://www.microsoft.com/technet/security/bulletin/MS02-018.asp","http://www.microsoft.com/technet/security/tools/locktool.asp"],"cveids":["CVE-2002-0149"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2002-04-10T15:20:47Z","publicdate":"2002-04-10T00:00:00Z","datefirstpublished":"2002-04-10T20:21:13Z","dateupdated":"2002-04-10T20:21:17Z","revision":4,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"17","cam_population":"15","cam_impact":"18","cam_easeofexploitation":"15","cam_attackeraccessrequired":"20","cam_scorecurrent":"48.6","cam_scorecurrentwidelyknown":"56.19375","cam_scorecurrentwidelyknownexploited":"86.56875","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":48.6,"vulnote":null}