=====================================================================
                        CERT-Renater

             Information Note No. 2008/VULN038
_____________________________________________________________________

DATE                 : 13/02/2008

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running IIS.

======================================================================
MS08-006
MS08-005
______________________________________________________________________

MS08-006 - Important - Vulnerability in Internet Information Services
Could Allow Remote Code Execution (942830)

Published: February 12, 2008
Version: 1.0

This important update resolves a privately reported vulnerability in
Internet Information Services (IIS). A remote code execution
vulnerability exists in the way that IIS handles input to ASP Web
pages. An attacker who successfully exploited this vulnerability could
then perform actions on the IIS server with the same rights as the
Worker Process Identity (WPI). The WPI is configured with Network
Service account privileges by default. IIS servers with ASP pages whose
application pools are configured with a WPI that uses an account with
administrative privileges could be more seriously impacted than IIS
servers whose application pool is configured with the default WPI
settings.

Affected Software

  o Windows XP Professional Service Pack 2
      - Microsoft Internet Information Services 5.1
  o Windows XP Professional x64 Edition and Windows XP Professional
    x64 Edition Service Pack 2
      - Microsoft Internet Information Services 6.0
  o Windows Server 2003 Service Pack 1 and Windows Server 2003
    Service Pack 2
      - Microsoft Internet Information Services 6.0
  o Windows Server 2003 x64 Edition and Windows Server 2003 x64
    Edition Service Pack 2
      - Microsoft Internet Information Services 6.0
  o Windows Server 2003 with SP1 for Itanium-based Systems and
    Windows Server 2003 with SP2 for Itanium-based Systems
      - Microsoft Internet Information Services 6.0

Vulnerability Information

ASP Vulnerability - CVE-2008-0075

A remote code execution vulnerability exists in the way that Internet
Information Services handles input to ASP Web pages. An attacker could
exploit the vulnerability by passing malicious input to a Web site's
ASP page. An attacker who successfully exploited this vulnerability
could then perform any actions on the IIS Server with the same rights
as the Worker Process Identity (WPI), which by default is configured
with Network Service account privileges.

Workarounds for ASP Vulnerability - CVE-2008-0075

  o On Windows Server 2003, disable classic ASP

__________________________________________________________________________

MS08-005 - Important - Vulnerability in Internet Information Services
Could Allow Elevation of Privilege (942831)

Published: February 12, 2008
Version: 1.0

This important update resolves a privately reported vulnerability in
Internet Information Services (IIS). A local attacker who successfully
exploited this vulnerability could take complete control of an affected
system. An attacker could then install programs; view, change, or
delete data; or create new accounts. Users whose accounts are
configured to have fewer user rights on the system could be less
impacted than users who operate with administrative user rights.

Affected Software

  o Microsoft Windows 2000 Service Pack 4
      - Microsoft Internet Information Services 5.0
  o Windows XP Professional Service Pack 2
      - Microsoft Internet Information Services 5.1
  o Windows XP Professional x64 Edition and Windows XP Professional
    x64 Edition Service Pack 2
      - Microsoft Internet Information Services 5.1
  o Windows Server 2003 Service Pack 1 and Windows Server 2003
    Service Pack 2
      - Microsoft Internet Information Services 6.0
  o Windows Server 2003 x64 Edition and Windows Server 2003 x64
    Edition Service Pack 2
      - Microsoft Internet Information Services 6.0
  o Windows Server 2003 with SP1 for Itanium-based Systems and
    Windows Server 2003 with SP2 for Itanium-based Systems
      - Microsoft Internet Information Services 6.0
  o Windows Vista
      - Microsoft Internet Information Services 7.0
  o Windows Vista x64 Edition
      - Microsoft Internet Information Services 7.0

Vulnerability Information

File Change Notification Vulnerability - CVE-2008-0074

A local elevation of privilege vulnerability exists in the way that
Internet Information Services handles file change notifications in the
FTPRoot, NNTPFile\Root, and WWWRoot folders. An attacker who
successfully exploited this vulnerability could execute arbitrary code
in the context of local system. An attacker could then install
programs; view, change, or delete data; or create new accounts with
full administrative rights.

Workarounds for File Change Notification Vulnerability - CVE-2008-0074

  o On Windows Server 2003, stop the FTP and NNTP services
  o Deny write access to the NNTP root, FTP root, and WWW root folders
    for any accounts that are used to execute user controlled ASP
    pages.
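
One way to verify the second CVE-2008-0074 workaround is to parse saved `icacls` output for each root folder and list the ASP-executing accounts that can still write there. This is an added example, not part of the Microsoft bulletin or the CERT-Renater note; the sample ACL listings, the host name WEB01, the folder paths and the account list are constructed, and the check only looks at ACEs that name the listed trustees directly (no group membership resolution).

```python
import re

INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}           # inheritance markers, not rights
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GW", "GA"}  # rights that allow creating or changing files
ACE_RE = re.compile(r"^([^:]+):((?:\([^)]*\))+)$")

# Assumption: trustees under which user-controlled ASP pages run on this host.
ASP_ACCOUNTS = [r"NT AUTHORITY\NETWORK SERVICE", r"WEB01\IUSR_WEB01", r"BUILTIN\Users"]

# Constructed icacls listings (not taken from a real server).
WWWROOT_ACL = r"""C:\Inetpub\wwwroot BUILTIN\Administrators:(OI)(CI)(F)
                   NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                   NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(M)
                   WEB01\IUSR_WEB01:(OI)(CI)(RX)
                   BUILTIN\Users:(OI)(CI)(RX,W)

Successfully processed 1 files; Failed processing 0 files"""

FTPROOT_ACL = r"""C:\Inetpub\ftproot NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(DENY)(W)
                   NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(M)
                   BUILTIN\Administrators:(OI)(CI)(F)"""

def parse_aces(icacls_text, root):
    """Return [(account, is_deny, rights)] for the ACEs listed for root."""
    aces = []
    for line in icacls_text.splitlines():
        line = line.strip()
        if line.lower().startswith(root.lower()):
            line = line[len(root):].strip()   # the first ACE shares a line with the path
        m = ACE_RE.match(line)
        if not m:
            continue                          # blank line or status line
        tokens = {t.strip() for group in re.findall(r"\(([^)]*)\)", m.group(2))
                  for t in group.split(",")}
        aces.append((m.group(1).strip(), "DENY" in tokens,
                     tokens - INHERIT_FLAGS - {"DENY"}))
    return aces

def writable_by(icacls_text, root, accounts):
    """Accounts from `accounts` with an allow-write ACE and no deny-write ACE.
    Simplification: any deny ACE carrying a write right is treated as blocking."""
    wanted = {a.lower() for a in accounts}
    allowed, denied = set(), set()
    for account, is_deny, rights in parse_aces(icacls_text, root):
        if account.lower() in wanted and rights & WRITE_RIGHTS:
            (denied if is_deny else allowed).add(account)
    return sorted(allowed - denied)

if __name__ == "__main__":
    print(writable_by(WWWROOT_ACL, r"C:\Inetpub\wwwroot", ASP_ACCOUNTS))
```

An empty result for a folder means none of the listed trustees holds a direct write grant there; any account returned still needs a deny-write entry or removal of its write grant.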

======================================================================

=========================================================
CERT-Renater reference servers
    http://www.urec.fr/securite
    http://www.cru.fr/securite
    http://www.renater.fr
=========================================================
+ CERT-RENATER        | tel  : 01-53-94-20-44           +
+ 151 bd de l'Hopital | fax  : 01-53-94-20-41           +
+ 75013 Paris         | email: certsvp@renater.fr       +
=========================================================