Microsoft Security Bulletin MS00-044

Technical description:

There are two vulnerabilities at issue here:

• The "Absent Directory Browser Argument" vulnerability. An administrative script installed as part of IIS 3.0 but preserved on upgrade to IIS 4.0 or IIS 5.0 does not correctly handle the case where an expected argument is missing. The absence of the argument causes the script to go into an infinite loop, at which point the script consumes all CPU resources on the server. In addition, the permissions on this tool and several related ones, which were appropriate under IIS 3.0, are inappropriate under IIS 4.0 and 5.0. This could allow web site visitors to use these tools, which provide the ability to view the directory structure on the server.
• A new variant on the "File Fragment Reading via .HTR" vulnerability. The original version of this vulnerability was discussed in Microsoft Security Bulletin MS00-031. The new vulnerability differs only in the specific way that it could be exploited - like the original version, the effect of the vulnerability is that fragments of .ASP and other files could potentially be retrieved from the server. As in the original version, the mechanics of the new variant make it likely that the parts of an .ASP file most interesting to a malicious user would be stripped out.

Microsoft believes that the most appropriate way to eliminate these vulnerabilities is to remove the script mapping for HTR, as discussed in the IIS 4.0 Security Checklist. Only customers with business-critical HTR scripts should retain the functionality and install the patch.

What's this bulletin about?
Microsoft Security Bulletin MS00-044 announces the availability of a patch that eliminates two vulnerabilities in Microsoft® Internet Information Server. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This is a denial of service vulnerability. A malicious user could exploit this vulnerability to prevent an IIS server from providing useful service. In addition, it could allow a malicious user to view the directory structure on the web server. The vulnerability only affects IIS 4.0 or IIS 5.0 machines that have been upgraded from IIS 3.0.
This patch also eliminates a new variant of the previously-discussed "File Fragment Reading via .HTR" vulnerability. Like the original version, this new variant could allow parts of certain files on the server to be read, but would not allow files to be added, deleted or changed.
Microsoft has long recommended removing the file mapping for HTR files, and customers who have done this would not be at risk from either vulnerability. Microsoft recommends that, as a first choice, customers disable the HTR functionality altogether; only customers who have a compelling reason to retain the HTR functionality should retain the functionality and apply this patch.

How are these vulnerabilities related to each other?
They are only related in the sense that all involve the processing of .HTR files.

What is HTR?
HTR is a first-generation advanced scripting technology delivered as part of IIS 2.0. HTR was never widely adopted, largely because a far superior technology, Active Server Pages (.ASP), was introduced in IIS 4.0 and became popular before customers had invested significant development resources in HTR.
The widest present-day use of the HTR technology is in a collection of HTR scripts included by default in IIS; these enable IIS to provide Windows NT password services via IIS web servers. Windows NT users can use the .HTR scripts to change their own passwords, and administrators can use them to perform a wide array of password administration functions. More information on these scripts is available in Knowledge Base article Q184619.

Can I disable the HTR functionality?
Yes. Microsoft has long recommended (for instance, in the IIS 4.0 Security Checklist and the Windows 2000 Internet Server Security Configuration Tool) that customers consider disabling the HTR functionality. However, after a recent review, we believe that an even stronger recommendation is in order.
Microsoft now advocates that all customers remove the .HTR script mapping, unless they have a business-critical reason not to. Microsoft believes that for most customers, the risk of retaining this functionality significantly outweighs the gain. As an immediate step, we will shortly provide a tool that will unmap HTR and eliminate all HTR scripts on a server. As a longer-term step, we expect to drop support for HTR altogether in a future version of IIS.

Why is Microsoft strengthening its recommendation that customer disable HTR?
The HTR functionality has been a troublesome component from a security perspective - several security vulnerabilities have been found in it (see Microsoft Security Bulletins MS99-019 and MS00-031). Given how rarely it is used, and Microsoft's intention to eventually phase it out entirely, Microsoft believes that for the vast majority of customers, there is no good reason to retain the functionality. Customers who disable the functionality now would not need to apply any of the previously-released patches involving the HTR functionality, nor would they need to apply the patch provided here, nor any future ones.

How do I disable the HTR functionality?
Just follow these steps:

• Open the Internet Services Manager
• Right-click the web server, then choose Properties, then Master Properties, then WWW Service.
• Choose Edit, then HomeDirectory, then Configuration
• Remove the .HTR entry

It's worth noting that, in addition to .HTR, Microsoft also recommends removing several other so-called script mappings. These are discussed in the IIS 4.0 Security Checklist

What is the "Absent Directory Browser Argument" vulnerability?
Among the default HTR scripts provided in IIS 3.0 (and preserved on upgrade to IIS 4.0 and IIS 5.0) were several that allowed web site administrators to view directories on the server. One of these scripts, if called without an expected argument, will enter an infinite loop that can consume all of the system's CPU availability, thereby preventing the server from responding to requests for service.

How could an affected server be put back into service?
Just stop and restart the IIS service. It's not necessary to reboot the server.

Does this vulnerability affect all IIS 4.0 and IIS 5.0 systems?
No. It only affects systems that have been upgraded from IIS 3.0. The administrative script at issue here is not installed as part of IIS 4.0 or 5.0, but is retained if already present from an earlier IIS 3.0 installation.

So, if I've never had IIS 3.0 on my web server, I can't be affected by this vulnerability?
That's correct. (Note, however, that the new variant of the "File Fragment Reading via .HTR" vulnerability, discussed below, does affect IIS 4.0 and 5.0 regardless of whether IIS 3.0 was installed or not).

Are there any other problems associated with this tool?
Yes. This tool, and several related ones in the same folder, have inappropriate permissions. This could allow a user visiting an affected web site to execute them.

What could a malicious user do with these tools?
The tools could be used to view the directory structure on the web server. Although it would not allow the user to add, change or delete files on the server, it could be a useful reconnaissance tool, because it would let a malicious user determine where on the server certain files can be found.

Why do the tools have incorrect permissions?
In IIS 3.0, HTR scripts could only be executed locally - that is, from the server itself. Because only an administrator should be able to log onto a web server locally, it wasn't necessary for the scripts to authenticate the user, and it wasn't necessary to restrict who could execute them. However, IIS 4.0 introduced the capability for HTR scripts to be called remotely. The combination of these two factors - loose permissions inherited from IIS 3.0, coupled with the ability under IIS 4.0 to remotely execute HTR scripts - resulted in a security risk.
To rectify this problem, Microsoft recommends that customers increase the security on the /scripts/iisadmin folder in each web site on their server, and only allow the folder and its contents to be accessed by administrators. Of course, this step is only necessary if you choose to retain the HTR functionality -- if you disable the .HTR functionality, it will render the tools inoperable and the permissions will be a moot issue.

What is the new variant of the "File Fragment Reading Via .HTR" vulnerability?
The original version of this vulnerability was discussed in Microsoft Security Bulletin MS00-031. The new variant simply offers an additional way to exploit the same vulnerability.

What would this vulnerability allow a malicious user to do?
Microsoft Security Bulletin MS00-031 provides the best description of the vulnerability and the risk it poses. However, in a nutshell, the vulnerability could allow a malicious user to request files from the server, which would then be processed as though they were .HTR files. The result of this could be that parts of the .ASP source code would be sent to the malicious user.
In theory, this could expose sensitive data contained in the .ASP files. However, in practice, it's unlikely that this would occur. The HTR processing tends to remove the very content that would be of most interest to the malicious user. Further, if best practices have been followed, there will be no sensitive information in the file, and hence nothing to compromise.

Who should use the patch?
As discussed above, Microsoft recommends that customers remove the HTR functionality altogether unless it's needed. Only customers who have business-critical HTR scripts should retain the HTR functionality and apply the patch.

What does the patch do?
The patch eliminates the ""Absent Directory Browser Argument" vulnerability by causing the script to correctly handle missing arguments. It eliminates the new variant of the "File Fragment Reading via .HTR" vulnerability by causing the malformed URL to be rejected.
Please note that even after installing the patch, Microsoft recommends that customers strengthen the permissions on the /scripts/iisadmin folder in each web site, in order to allow only administrators to access it.

How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .

How can I tell if I installed the patch correctly?
The Knowledge Base provides a manifest of the files in the patch package.The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue?

• Microsoft has developed a procedure that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the "Absent Directory Browsing Argument" vulnerability and procedure in more detail.
• Microsoft has issued a Knowledge Base article explaining the new variant of the "File Fragment Reading via .HTR" vulnerability in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.

Download locations for this patch

• The patches for this issue have been superseded by ones subsequently released as part of Microsoft Security Bulletin MS01-004.

  Note: The patch should only be installed by customers who have a business-critical need for the .HTR functionality. Microsoft recommends that all other customers disable the .HTR functionality altogether, as discussed in the FAQ.

  Note: Customers who choose to install the patch should also strengthen the permissions on the /scripts/iisadmin folder in each web site on the server, and ensure that only administrators can access it.