=====================================================================
                                    CERT-Renater

                         Information Note No. 2006/VULN395
_____________________________________________________________________

DATE                      : 12/07/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Windows running IIS 5.0, 5.1 or 6.0

======================================================================

MS06-034 Vulnerability in Microsoft Internet Information Services using
Active Server Pages Could Allow Remote Code Execution
CVE-2006-0026

Affected Software
   - Microsoft Windows 2000 Service Pack 4
   - Microsoft Windows XP Professional Service Pack 1
   - Microsoft Windows XP Professional Service Pack 2
   - Microsoft Windows XP Professional x64 Edition
   - Microsoft Windows Server 2003
   - Microsoft Windows Server 2003 Service Pack 1
   - Microsoft Windows Server 2003 for Itanium-based Systems
   - Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems
   - Microsoft Windows Server 2003 x64 Edition family

Affected Components:
   - Microsoft Internet Information Services (IIS) 6.0
   - Microsoft Internet Information Services (IIS) 5.1
   - Microsoft Internet Information Services (IIS) 5.0

Non-Affected Software:
   - Microsoft Windows XP Home Service Pack 1
   - Microsoft Windows XP Home Service Pack 2

There is a remote code execution vulnerability in Internet Information Services
(IIS). An attacker could exploit the vulnerability by constructing a specially
crafted Active Server Pages (ASP) file, potentially allowing remote code
execution if the Internet Information Services (IIS) processes the specially
crafted file. An attacker who successfully exploited this vulnerability could
take complete control of an affected system.
Mitigating Factors
------------------
On IIS 5.0 and IIS 5.1, ASP-enabled applications run by default in the
'Pooled Out of Process' application, i.e. in DLLHOST.exe, which runs in the
context of the low-privilege IWAM_<machinename> account.

By default, IIS 5.1 on Windows XP Professional and IIS 6.0 on Windows Server
2003 are not enabled.

By default, ASP is not enabled on IIS 6.0. If ASP is enabled, it runs in the
context of a W3WP.exe worker process running as the low privilege
'NetworkService' account.

An attacker would require valid logon credentials to exploit this vulnerability.
However, if a server has been intentionally configured to allow users, either
anonymous or authenticated, to upload web content such as .ASP pages to web
sites, the server could be attacked successfully by exploiting this
vulnerability.


           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================

