Bugtraq mailing list archives

Microsoft Security Bulletin (MS00-006)

From: secnotif () MICROSOFT COM (Microsoft Product Security)
Date: Fri, 31 Mar 2000 15:39:36 -0800


The following is a Security  Bulletin from the Microsoft Product Security
Notification Service.

Please do not  reply to this message,  as it was sent  from an unattended
mailbox.
                    ********************************

-----BEGIN PGP SIGNED MESSAGE-----

Microsoft Security Bulletin (MS00-006)
- --------------------------------------

Patch Available for "Malformed Hit-Highlighting Argument"
Vulnerability

Originally Posted: January 26, 2000
Revised March 31, 2000

Summary
=======
On January 26, 2000 Microsoft released the original version of this
bulletin to announce the availability of a patch that  eliminates two
security vulnerabilities in Microsoft(r) Index Server. The first
vulnerability could allow a malicious user to  view -- but not to
change, add or delete -- files on a web server. The second
vulnerability could reveal where web  directories are physically
located on the server.

On February 04, 2000, a new variant of the second vulnerability was
discovered, which was already eliminated by the patch.  Microsoft
updated this bulletin in order to advise customers of it, but
customers who already applied the patch did not need  to take any
action.

On February 11, 2000, Microsoft re-released the Windows 2000 version
of this patch to take advantage of improvements in the  Hotfix
packaging tool. These improvements enable the hotfix tool to detect
the default language of the system, and also give  users better
inventory control based on the Knowledge Base article and Service
Pack. Although the patch itself was not  changed by this re-release,
Microsoft nevertheless recommended that Windows 2000 customers apply
the new version in order to  ensure that the new tool was present on
their systems.

On March 31, 2000, Microsoft re-released the Windows NT 4.0 version of
this patch, to address a recently-discovered variant  of the
vulnerability. Only the Windows NT 4.0 patch was affected by the new
variant.

Frequently asked questions about this vulnerability can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-006.asp

Issue
=====
This patch eliminates two vulnerabilities whose only relationship is
that both occur in Index Server. The first is the  "Malformed
Hit-Highlighting Argument" vulnerability. The ISAPI filter that
implements the hit-highlighting (also known as  "WebHits")
functionality does not adequately constrain what files can be
requested. By providing a deliberately-malformed  argument in a
request to hit-highlight a document, it is possible to escape the
virtual directory. This would allow any file  residing on the server
itself, and on the same logical drive as the web root directory, to be
retrieved regardless of  permissions. A new variant of this
vulnerability was announced on March 31, 2000. This variant could
allow the source of  server-side files such as .ASP files to be read.
The new variant affects only Index Server 2.0, and Windows 2000
customers  who applied the original patch were never at risk from it.

The second vulnerability involves the error message that is returned
when a user requests a non-existent Internet Data Query  file. The
error message provides the physical path to the web directory that was
contained in the request. Although this  vulnerability would not allow
a malicious user to alter or view any data, it could be a valuable
reconnaissance tool for  mapping the file structure of a web server. A
new variant of this vulnerability was announced on February 04, 2000.
This  variant could allow a malicious user to read files. The variant
was eliminated by the original patch, and customers who  applied the
original version of the patch were never at risk from it.

Indexing Services in Windows 2000 is affected only by the "Malformed
Hit-Highlighting" vulnerability - it is not affected by  the second
vulnerability. Also, it is important to note that, although Indexing
Services in Windows 2000 is installed by  default, it is not started
unless the administrator has explicitly turned it on.

Affected Software Versions
==========================
 - Microsoft Index Server 2.0
 - Indexing Service in Windows 2000

Patch Availability
==================
 - Index Server 2.0:
   Intel:
   http://www.microsoft.com/downloads/release.asp?ReleaseID=17727
   Alpha:
   http://www.microsoft.com/downloads/release.asp?ReleaseID=17728
 - Indexing Services for Windows 2000:
   Intel:
   http://www.microsoft.com/downloads/release.asp?ReleaseID=17726

NOTE: The Download Center page incorrectly gives 26 January 2000 as
the date of the patch. We are working to correct this  error, but have
verified that the patch that is on the Download Center is the most
recent version.

NOTE: Additional security patches are available at the Microsoft
Download Center.

More Information
================
Please see the following references for more information related to
this issue.
 - Frequently Asked Questions: Microsoft Security Bulletin MS00-006,
   http://www.microsoft.com/technet/security/bulletin/fq00-006.asp.
 - Microsoft Knowledge Base (KB) article Q251170,
   Malformed Argument in Hit-Highlighting Request Allows Access to
   Web Server Files,
   http://www.microsoft.com/technet/support/kb.asp?ID=251170.
 - Microsoft Knowledge Base (KB) article Q252463,
   Index Server Error Message Reveals Physical Location of Web
   Directories,
   http://www.microsoft.com/technet/support/kb.asp?ID=252463.
 - Microsoft TechNet Security web site,
   http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft thanks David Litchfield of Cerberus Information Security,
Ltd, (http://www.cerberus-infosec.co.uk) for reporting the "Malformed
Hit-Highlighting Argument" vulnerability to us and working with us to
protect customers.

Revisions
=========
 - January 26, 2000: Bulletin Created.
 - February 04, 2000: Bulletin revised to provide additional detail
   about Indexing Services, and to discuss an additional variant of
   the "Malformed Hit-Highlighting Argument" vulnerability that is
   eliminated by the original patch.
 - February 11, 2000: Bulletin revised to reflect availability of
   patch for Windows 2000 with new version of Hotfix.exe
 - March 31, 2000: Bulletin revised to discuss new variant of
   "Malformed Hit-Highlighting Argument" vulnerability affecting
   Windows NT 4.0.

- --------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT  DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR  PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT,  INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT
CORPORATION OR ITS  SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.

Last updated Friday, March 31, 2000
(c) 2000 Microsoft Corporation. All rights reserved. Terms of use.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQEVAwUBOOU3Mo0ZSRQxA/UrAQHUnQf/YVSA4mbIfUWeJ0mDsPf72xg56UnSg6Ak
faSpDCvILIKVq68WYg5aJk4SMki3d5SkvUqZKt8cb7U74JE8xyQxK1/RVeP+HBG6
MFCYxC/GrvrPaQjodvJnDIRtGuCmtj6pxC0Kabc8Jgdu1PBgWlwVaRnHf1qTM2OB
wSTidReVXtE/DgzK6mz/qmqiw+gba7TKH8CawID9FlyPQvZoxQZFQ5mP6qRrHarM
SvvVkplWeufPaOuwvrwguHDKfFS5Q/SlaB3WyH5ln06R70WsOUBHYuQHrwl76KIo
PE+1rEWz2QyWDsf4QDBWchTWouS6QXdZueqbsKp03t5X3lq/iNdRmg==
=a8Kg
-----END PGP SIGNATURE-----

   *******************************************************************
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM
The subject line and message body are not used in processing the request,
and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.

For  more  information on  the  Microsoft  Security Notification  Service
please  visit  http://www.microsoft.com/technet/security/notify.asp.  For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.

Current thread:

New ZZ v1.2, (continued)
- - - New ZZ v1.2 Simple Nomad (Mar 29)
    - [RHSA-2000:008-01] ircii buffer overflow bugzilla () REDHAT COM (Mar 30)
    - Microsoft Security Bulletin (MS00-019) Microsoft Product Security (Mar 30)
    - Microsoft Security Bulletin (MS00-021) Microsoft Product Security (Mar 30)
    - Napster, Inc. response to Colten Edwards Elias Levy (Mar 30)
    - Cobalt apache configuration exposes .htaccess Paul Schreiber (Mar 30)
    - Re: Napster, Inc. response to Colten Edwards Danny Crawford (Mar 30)
    - Re: Napster, Inc. response to Colten Edwards Dylan Griffiths (Mar 30)
    - Alert: MS Index Server (CISADV000330) Cerberus Security Team (Mar 30)
    - Webstar 4.0 Buffer overflow vulnerability Ilhom Djalilov (Mar 31)
    - Microsoft Security Bulletin (MS00-006) Microsoft Product Security (Mar 31)
    - [ Cobalt ] Security Advisory -- 03.31.2000 Jeff Lovell (Mar 31)
    - SalesLogix Eviewer Web App Bug: URL request crashes eviewer web application Todd Beebe (Mar 31)
    - Windmail allow web user get any file Frankie Zie (Mar 25)
    - Re: Local Denial-of-Service attack against Linux Gigi Sullivan (Mar 26)
    - Re: Local Denial-of-Service attack against Linux Gigi Sullivan (Mar 31)
- Re: gpm-root Alessandro Rubini (Mar 23)