CVE Number: CAN-2003-0702

Severity: High (Denial of Service)

Systems Affected (confirmed):
ISS Server Sensor version 7.0 XPU 20.16
ISS Server Sensor version 7.0 XPU 20.18

Synopsis: By sending a properly formatted URL via SSL, an attacker can successfully shut down Microsoft’s IIS service stopping all web and ftp servers.

Technical Description: This vulnerability was tested with an IIS 5.0 server, running an ISS host based server sensor 7.0 xpu 20.16 and xpu 20.18.

ISS server sensor 7.0 has the ability to plug into ISS via an ISAPI plug-in to allow for IDS on SSL traffic.

By simply sending a properly formatted URL via SSL, the ISAPI filter will crash IIS shutting down the service entirely. IIS 5 may automatically restart the service when it detects that the service has stopped.

We are currently testing this vulnerability in XPU 20.16 and 20.18 for remote code execution or code redirection.

We contacted ISS on or about August 14th concerning this issue. ISS has since released XPU 20.19 which addresses this specific issue.

Credit: EnterEdge Technology, LLC

Copyright (c) 1998-2003 EnterEdge Technology
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of EnterEdge Technology. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail research@enteredge.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to: research@enteredge.com
EnterEdge Technology  http://www.enteredge.com