Vulnerability in Microsoft Internet Information Services Using Active Server Pages Could Allow Remote Code Execution (MS06-034)
Details

Vulnerable Systems:

* Microsoft Windows 2000 Service Pack 4

* Microsoft Windows XP Professional Service Pack 1 and Microsoft Windows XP Professional Service Pack 2

* Microsoft Windows XP Professional x64 Edition

* Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems

* Microsoft Windows Server 2003 x64 Edition family

* Microsoft Internet Information Services (IIS) 6.0

* Microsoft Internet Information Services (IIS) 5.1

* Microsoft Internet Information Services (IIS) 5.0



Immune Systems:

* Microsoft Windows XP Home Service Pack 1 and Microsoft Windows XP Home Service Pack 2



Internet Information Services Using Malformed Active Server Pages Vulnerability - CVE-2006-0026:

There is a remote code execution vulnerability in Internet Information Services (IIS). An attacker could exploit the vulnerability by constructing a specially crafted Active Server Pages (ASP) file, potentially allowing remote code execution if the Internet Information Services (IIS) processes the specially crafted file. An attacker who successfully exploited this vulnerability could take complete control of an affected system.



Mitigating Factors for Internet Information Services Using Malformed Active Server Pages ASP Vulnerability - CVE-2006-0026:

* On IIS 5.0 and IIS 5.1, ASP enabled applications by default run in the 'Pooled Out of Process' application, which means they run in DLLHOST.exe, which is running in the context of the low privilege IWAM_ account.



* By default, IIS 5.1 on Windows XP Professional and IIS 6.0 on Windows Server 2003 are not enabled.



* By default, ASP is not enabled on IIS 6.0. If ASP is enabled, it runs in the context of a W3WP.exe worker process running as the low privilege 'NetworkService' account.



* An attacker would require valid logon credentials to exploit this vulnerability. However, if a server has been intentionally configured to allow users, either anonymous or authenticated, to upload web content such as .ASP pages to web sites, the server could be attacked successfully by exploiting this vulnerability.
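The last mitigating factor depends on whether any directory both accepts uploads and runs scripts. The following is an added example, not part of the bulletin, that audits an IIS 6.0 MetaBase.xml export for that combination; it assumes the export's symbolic AccessFlags notation and metabase inheritance, and the sample XML is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of an IIS 6.0 MetaBase.xml export (not from the bulletin).
SAMPLE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AccessFlags="AccessRead | AccessScript"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/uploads" AccessFlags="AccessRead | AccessWrite | AccessScript"/>
<IIsWebDirectory Location="/LM/W3SVC/1/ROOT/uploads/img"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/files" AccessFlags="AccessRead | AccessWrite"/>
</MBProperty>
</configuration>"""

# Flags that let IIS run content in the directory (ASP needs script access).
RUNS_CODE = {"AccessScript", "AccessExecute"}

def parse_nodes(xml_text):
    """Map each metabase Location to its explicitly set AccessFlags (or None)."""
    nodes = {}
    for el in ET.fromstring(xml_text).iter():
        loc = el.get("Location")
        if loc is None:
            continue
        raw = el.get("AccessFlags")
        # Metabase paths are case-insensitive, so normalise the key.
        nodes[loc.rstrip("/").upper()] = (
            None if raw is None else {f.strip() for f in raw.split("|") if f.strip()})
    return nodes

def effective_flags(nodes, loc):
    """Walk up the Location path until a node sets AccessFlags (inheritance)."""
    while loc:
        flags = nodes.get(loc)
        if flags is not None:
            return flags
        loc = loc.rpartition("/")[0]
    return set()

def writable_and_scriptable(xml_text):
    """Return Locations where uploaded content could also be run as ASP."""
    nodes = parse_nodes(xml_text)
    return [loc for loc in sorted(nodes)
            if "AccessWrite" in effective_flags(nodes, loc)
            and effective_flags(nodes, loc) & RUNS_CODE]

if __name__ == "__main__":
    for loc in writable_and_scriptable(SAMPLE):
        print("review:", loc)
```

This covers only write access granted through IIS itself; content that reaches a script-enabled directory through FTP, file shares or an application's own upload feature has to be reviewed separately.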



Workarounds for Internet Information Services Using Malformed Active Server Pages Vulnerability - CVE-2006-0026:

We have not identified any workarounds for this vulnerability.



FAQ for Internet Information Services Malformed Active Server Pages Vulnerability - CVE-2006-0026:

What is the scope of the vulnerability?

There is a remote code execution vulnerability in Internet Information Services (IIS) that results from the way that IIS handles Active Server Pages (ASP). An attacker could exploit the vulnerability by constructing a specially crafted Active Server Pages (ASP) file, which could potentially allow remote code execution if the Internet Information Services (IIS) processed the file. An attacker who successfully exploited this vulnerability could take complete control of an affected system.



What causes the vulnerability?

An unchecked buffer in IIS.



What is Active Server Pages (ASP)?

Microsoft Active Server Pages (ASP) is a server-side scripting technology that can be used to create dynamic and interactive Web applications. An ASP page is an HTML page that contains server-side scripts that are processed by the Web server before being sent to the user's browser.



What might an attacker use the vulnerability to do?

An attacker who successfully exploited this vulnerability could take complete control of the affected system.



Who could exploit the vulnerability?

An attacker would require valid logon credentials to the server in order to exploit the vulnerability. However, if a server had been purposely configured to allow users, either anonymous or authenticated, to upload web content such as .ASP pages to web sites, the server could be attacked by exploiting this vulnerability.



How could an attacker exploit the vulnerability?

An attacker could try to exploit the vulnerability by creating a specially crafted ASP file and uploading the file to an affected system. If IIS processed the file it could then cause the affected system to execute code.



What systems are primarily at risk from the vulnerability?

Windows 2000 Service Pack 4 systems running IIS 5.0 are primarily at risk from this vulnerability because IIS is enabled by default. Windows XP Professional and Windows Server 2003 are also at risk if the service is enabled.



Could the vulnerability be exploited over the Internet?

Yes. An attacker could try to exploit this vulnerability over the Internet if they are granted access to write to the server. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT professionals can visit the Security Guidance Center Web site.



When this security bulletin was issued, had this vulnerability been publicly disclosed?

No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.



When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?

No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.