Security Bulletin

Microsoft Security Bulletin MS03-019 - Important

Flaw in ISAPI Extension for Windows Media Services Could Cause Code Execution (817772)

Published: May 28, 2003 | Updated: May 30, 2003

Version: 2.0

Summary

Who should read this bulletin: System administrators running Microsoft® Windows NT 4.0 or Microsoft Windows 2000

Impact of vulnerability: Allow an attacker to execute code of their choice

Maximum Severity Rating: Important

Recommendation: System administrators should install the patch at the earliest available opportunity.

Affected Software:

  • Microsoft Windows NT 4.0
  • Microsoft Windows 2000

Non Affected Software:

  • Microsoft Windows XP
  • Microsoft Windows Server 2003

General Information

Technical details

Technical description:

On May 28th, Microsoft released the initial version of this bulletin, rating the severity of the vulnerability as Moderate. Subsequent to that release we have determined that the actions an attacker could take as a result of exploiting this vulnerability could include the ability to execute arbitrary code. As a result Microsoft has reissued this bulletin and changed the severity rating to Important. The original patch corrects the vulnerability and is not being re-released.

Microsoft Windows Media Services is a feature of Microsoft Windows 2000 Server, Advanced Server, and Datacenter Server and is also available as a downloadable version for Windows NT 4.0 Server. Windows Media Services contains support for a method of delivering media content to clients across a network known as multicast streaming. In multicast streaming, however, the server has no connection to or knowledge of the clients that may be receiving the stream coming from the server. To help with this problem, Windows 2000 includes a capability specifically designed to log client information for the server, covering both multicast and unicast transmissions.

This capability is implemented as an Internet Services Application Programming Interface (ISAPI) extension - nsiislog.dll. When Windows Media Services are installed in Windows NT 4.0 Server or added through add/remove programs to Windows 2000, nsiislog.dll is installed to the Internet Information Services (IIS) Scripts directory on the server.

There is a flaw in the way in which nsiislog.dll processes incoming requests. A vulnerability exists because an attacker could send specially formed communications to the server that could cause IIS to fail or execute code on the user's system.

Windows Media Services is not installed by default on Windows 2000, and must be downloaded to install on Windows NT 4.0. An attacker attempting to exploit this vulnerability would have to be aware of which computers on the network had Windows Media Services installed and send a specific request to that server.
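
An added example (not part of Microsoft's bulletin): because the flaw is reached through requests to nsiislog.dll in an IIS-served directory, this Python script scans an IIS W3C extended log for requests to that extension and summarizes them per client. The log lines are constructed, and the presence of the c-ip, cs-uri-stem and sc-status fields is an assumption about how logging is configured on the server.

```python
from collections import defaultdict

TARGET = "nsiislog.dll"  # ISAPI extension named in this bulletin

# Constructed sample of an IIS W3C extended log (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-05-29 10:01:02 192.0.2.10 GET /default.htm 200
2003-05-29 10:01:09 192.0.2.10 POST /scripts/nsiislog.dll 200
2003-05-29 10:02:44 198.51.100.7 POST /Scripts/NSIISLOG.DLL 500
2003-05-29 10:02:45 198.51.100.7 POST /scripts/nsiislog.dll 500
#Fields: date time c-ip cs-uri-stem sc-status
2003-05-29 10:05:00 203.0.113.5 /scripts/nsiislog.dll 404
"""

def nsiislog_hits(log_text):
    """Yield one dict per logged request whose URI stem targets nsiislog.dll."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The field list can change mid-file; always use the latest one.
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated record
        rec = dict(zip(fields, values))
        stem = rec.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        if stem.rsplit("/", 1)[-1] == TARGET:
            yield rec

def summarize(log_text):
    """Per client IP: requests to the extension and how many returned 5xx."""
    summary = defaultdict(lambda: {"requests": 0, "server_errors": 0})
    for rec in nsiislog_hits(log_text):
        entry = summary[rec.get("c-ip", "unknown")]
        entry["requests"] += 1
        # 5xx is only a rough signal: a request that makes IIS fail
        # may never be written to the log at all.
        if rec.get("sc-status", "").startswith("5"):
            entry["server_errors"] += 1
    return dict(summary)

if __name__ == "__main__":
    for ip, stats in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, stats)
```

On a server that is meant to log streaming clients, some requests to the extension are expected; on any other server, every hit is worth reviewing.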

Mitigating factors:

  • Windows Media Services 4.1 is not installed by default on Windows 2000, and must be downloaded to install on Windows NT 4.0.
  • Windows Media Services are not available for Windows 2000 Professional or Windows NT 4.0 Workstation.
  • The attacker would have to know which server on the network Windows Media Services had been installed on.

Severity Rating:

  • Windows NT 4.0: Important
  • Windows 2000: Important

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0227

Tested Versions:

Microsoft tested Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

Why has Microsoft changed the severity rating of this bulletin?
Subsequent to the release of this bulletin we have determined that the actions an attacker could take as a result of exploiting this vulnerability could include the ability to execute arbitrary code. As a result Microsoft is reissuing this bulletin with a severity rating of Important.

Does the original patch still fix the vulnerability?
Yes. The original patch corrects the vulnerability and is not being re-released. There is no need to reinstall the patch if you have already applied it.

What's the scope of the vulnerability?
This is a Buffer Overrun vulnerability. An attacker who successfully exploited this vulnerability could cause a Windows 2000 or Windows NT 4.0 server to fail in such a way that could allow code to execute in the security context of the IIS service.

How can an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by constructing a specific network request and sending it to the server performing logging. The attacker would have to know which server on the network or internet was performing logging in order to cause the server to stop responding to IIS requests.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to execute code of their choice on a computer running IIS with streaming media logging enabled. The code would run in the context of the account IIS is running as, which would allow the attacker to take any action on the system.

What causes the vulnerability?
The vulnerability results because of an unchecked buffer used by the nsiislog.dll file for logging. If a specially crafted request is sent to the server, the logging file will attempt to write a larger buffer than is possible, which then in turn causes the IIS service to fail.

What is nsiislog.dll?
Nsiislog.dll is an IIS ISAPI extension that was shipped as part of Windows 2000 Server and Advanced Server to provide logging capabilities for Media Streaming in Microsoft Media Services.

What versions of IIS might be affected by the vulnerable version of nsiislog.dll?
The vulnerable version of nsiislog.dll can be installed into IIS 4.0 and 5.0.

What products do IIS 4.0 and 5.0 ship with?

  • Internet Information Server 4.0 ships as part of the Windows NT 4.0 Option Pack (NTOP).
  • Internet Information Service 5.0 ships as part of Windows 2000 Datacenter Server, Advanced Server, Server and Professional.

Do IIS 4.0 and 5.0 run by default?

  • IIS 4.0 runs by default when the NTOP is installed on a Windows NT 4.0 server. It does not run by default when the NTOP is installed on a Windows NT 4.0 workstation, unless Peer Web Services were already running when it was installed.
  • IIS 5.0 runs by default on all Windows 2000 server products. It does not run by default on Windows 2000 Professional.

What are Microsoft Windows Media Services?
Windows Media Services is a feature of Windows 2000 Server, Advanced Server, and Datacenter Server and provides streaming audio and video services over corporate intranets and the Internet. In addition, a downloadable version can be added to Windows NT 4.0.

Can I install Windows Media Services into Windows 2000 Professional or Windows NT 4.0 Workstation?
No - Windows Media Services are only available for Microsoft Windows Server operating systems, such as Windows 2000 Server, Advanced Server and Datacenter Server, or Windows NT 4.0 Server.

What is Multicast Media Streaming?
Multicast media streaming is a method of delivering media content to clients across a network. As opposed to the unicast method of media streaming, multicasting sends a single copy of the data to those clients who request it. Multiple copies of data are not sent across the network, nor is data processed by clients who do not want it. For more information on Multicast Media Streaming, please see the following web site: https:

How can I determine if someone has set up my computer to perform multicast streaming media logging?
To determine if your computer has been configured for multicast streaming media logging, perform the following steps:

  • From the Start Menu, click search.
  • Click For Files or Folders
  • In the search dialog, type in the file name, NSIISLOG.DLL
  • Click Search Now.

If the file NSIISLOG.DLL is present in any directory shared by IIS, then the server is configured for logging of clients of multicast streams.

What does the Patch do?
The fix eliminates the potential for an attacker to execute code of their choice by ensuring that the Nsiislog.dll file correctly responds to requests.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 4.

Reboot needed: No.

Patch can be uninstalled: No.

Superseded patches: None.

Verifying patch installation:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Services\wm817772

  • To verify the individual files, use the date/time and version information provided in Knowledge Base article 817772.

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks Brett Moore for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article 817772 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 May 28, 2003: Bulletin Created.
  • V2.0 May 30, 2003: Re-released bulletin with new rating of Important to reflect additional action an attacker could take.
