Microsoft "Malformed HTTP Request Header" Vulnerability

Microsoft "Malformed HTTP Request Header" Vulnerability Privacy and Legal Notice INFORMATION BULLETIN J-058: Microsoft "Malformed HTTP Request Header" Vulnerability August 13, 1999 23:00 GMT

PROBLEM:       Microsoft has identified a vulnerability that could cause 
               a denial of service threat in web server products.
PLATFORM:      Microsoft(r) Internet Information Server 4.0 
               Microsoft Site Server 3.0
               Microsoft Site Server 3.0, Commerce Edition
               Microsoft Commerce Internet Server 2.0 and 2.5
DAMAGE:        The vulnerability could allow an attacker to submit requests 
               containing specially-malformed headers which could consume all
               memory causing a denial of service.
SOLUTION:      Until the corrected version of the patch is released, restart
               the affected servers with a clean log file. 
VULNERABILITY  Risk is medium.  The HTTP request headers need to be specially 
ASSESSMENT:    crafted to exploit this denial of service attack.

[  Start Microsoft Advisory  ]

This update was released by Microsoft on August 11, 1999 after they had 
released their Security Bulletin MS99-029.  The original bulletin follows.


********************************

Since releasing Microsoft Security Bulletin MS99-029 earlier today, we have
discovered a regression error in the patch that it discussed.  The error has
no effect on the bulletin -- all of the information in it is still valid --
but we have retracted the patch temporarily.  We are working to remove the
error, and will re-release the patch as soon as possible.  We apologize for
any inconvenience that this may cause.

Information on the error and what customers should do is available at
http://www.microsoft.com/security/bulletins/ms99-029regression.asp.
However, the main points are:
 - The error does not invalidate the security bulletin.  The
   vulnerability is bona fide, and we will re-release the patch as
   soon as possible.
 - The error could cause an IIS server to hang when the length of
   the IIS log file is an exact multiple of 64KB.
 - Affected servers can be put back in service by restarting IIS with
   a clean log file.
 - We recommend that customers who have not installed the patch delay
   doing so until the corrected version is available.  We recommend
   that customers who have installed the patch do not attempt to
   "back out" the patch, but instead monitor their servers and stay
   alert to the presence of the error.
 - We are developing a corrected version of the patch and will re-release
   it as soon as possible

When the corrected patch is available, we will provide information via
http://www.microsoft.com/security and through the Microsoft Product Security
Notification Service.  Regards,

The Microsoft Product Security Team

  
[  Start Microsoft Bulletin  ]

********************************

Microsoft Security Bulletin (MS99-029)
--------------------------------------

Patch Available for "Malformed HTTP Request Header" Vulnerability

Originally Posted: August 11, 1999

Summary
=======
Microsoft has released a patch that eliminates a vulnerability in web server
products that use Microsoft(r) Internet Information Server 4.0 as their web
engine. The vulnerability could be used to mount denial of service attacks
against the web server. Frequently asked questions regarding this
vulnerability can be found at
http://www.microsoft.com/security/bulletins/MS99-029faq.asp

Issue
=====
If multiple HTTP requests containing specially-malformed headers are sent to
an affected server, IIS may consume all memory on the server. If this
happens, IIS would be unable to service requests until either the clients
that issued the requests were closed, or the IIS service were stopped and
restarted. Once either of these actions have occurred, normal service would
be restored.

Affected Software Versions
==========================
 - Microsoft Internet Information Server 4.0
 - Microsoft Site Server 3.0
 - Microsoft Site Server 3.0, Commerce Edition
 - Microsoft Commerce Internet Server 2.0 and 2.5

Patch Availability
==================
 - X86 version:
   ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes
   /usa/security/hdbrk-fix/x86
 - Alpha version:
   ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes
   /usa/security/hdbrk-fix/alpha

   NOTE: Line breaks have been inserted in the above URLs for readability.

More Information
================
Please see the following references for more information related to this
issue.
 - Microsoft Security Bulletin MS99-029: Frequently Asked Questions,
   http://www.microsoft.com/security/bulletins/MS99-029faq.asp.
 - Microsoft Knowledge Base (KB) article Q238349,
   Specially-Malformed Header in HTTP Request Creates Denial of Service,
   http://support.microsoft.com/support/kb/articles/q238/3/49.asp.
   (Note: It may take 24 hours from the original posting of this bulletin
   for the KB article to be visible.)
 - Microsoft Security Advisor web site,
   http://www.microsoft.com/security/default.asp.

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft acknowledges Nobuo Miwa of the LAC SNS team for bringing this
issue to our attention and working with us to alert customers about it.

Revisions
=========
 - August 11, 1999: Bulletin Created.


---------------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

(c) 1999 Microsoft Corporation. All rights reserved.

   *******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security  Notification  Service.  You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/services/bulletin.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.

 
[  End Microsoft Bulletin  ]

CIAC wishes to acknowledge the contributions of Microsoft for the information contained in this bulletin.

DOE-CIRC can be contacted at:

    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/