Signature Detail

HTTP: IIS Malformed ASN.1 Bit String

This signature detects attempts to exploit vulnerabilities in Microsoft Internet Information Server (IIS). Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000; and XP, contains multiple integer overflows are vulnerable. Attackers can use ASN.1 encoding to overwrite heap data and remotely execute arbitrary code on the target system.

Extended Description

Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.

Affected Products

• Microsoft windows_2000 (:advanced_server)
• Microsoft windows_2000 (:professional)
• Microsoft windows_2000 (:server)
• Microsoft windows_2000 (sp1)
• Microsoft windows_2000 (sp1:advanced_server)
• Microsoft windows_2000 (sp1:professional)
• Microsoft windows_2000 (sp1:server)
• Microsoft windows_2000 (sp2)
• Microsoft windows_2000 (sp2:advanced_server)
• Microsoft windows_2000 (sp2:professional)
• Microsoft windows_2000 (sp2:server)
• Microsoft windows_2000 (sp3)
• Microsoft windows_2000 (sp3:advanced_server)
• Microsoft windows_2000 (sp3:professional)
• Microsoft windows_2000 (sp3:server)
• Microsoft windows_2003_server enterprise
• Microsoft windows_2003_server enterprise (:64-bit)
• Microsoft windows_2003_server enterprise_64-bit
• Microsoft windows_2003_server r2
• Microsoft windows_2003_server r2 (:64-bit)
• Microsoft windows_2003_server r2 (:datacenter_64-bit)
• Microsoft windows_2003_server standard
• Microsoft windows_2003_server standard (:64-bit)
• Microsoft windows_2003_server web
• Microsoft windows_nt 4.0
• Microsoft windows_nt 4.0 (:server)
• Microsoft windows_nt 4.0 (sp1)
• Microsoft windows_nt 4.0 (sp1:server)
• Microsoft windows_nt 4.0 (sp1:terminal_server)
• Microsoft windows_nt 4.0 (sp1:workstation)
• Microsoft windows_nt 4.0 (sp2)
• Microsoft windows_nt 4.0 (sp2:server)
• Microsoft windows_nt 4.0 (sp2:terminal_server)
• Microsoft windows_nt 4.0 (sp2:workstation)
• Microsoft windows_nt 4.0 (sp3)
• Microsoft windows_nt 4.0 (sp3:server)
• Microsoft windows_nt 4.0 (sp3:terminal_server)
• Microsoft windows_nt 4.0 (sp3:workstation)
• Microsoft windows_nt 4.0 (sp4)
• Microsoft windows_nt 4.0 (sp4:server)
• Microsoft windows_nt 4.0 (sp4:terminal_server)
• Microsoft windows_nt 4.0 (sp4:workstation)
• Microsoft windows_nt 4.0 (sp5)
• Microsoft windows_nt 4.0 (sp5:server)
• Microsoft windows_nt 4.0 (sp5:terminal_server)
• Microsoft windows_nt 4.0 (sp5:workstation)
• Microsoft windows_nt 4.0 (sp6)
• Microsoft windows_nt 4.0 (sp6a)
• Microsoft windows_nt 4.0 (sp6a:server)
• Microsoft windows_nt 4.0 (sp6a:workstation)
• Microsoft windows_nt 4.0 (sp6:server)
• Microsoft windows_nt 4.0 (sp6:terminal_server)
• Microsoft windows_nt 4.0 (sp6:workstation)
• Microsoft windows_nt 4.0 (:terminal_server)
• Microsoft windows_nt 4.0 (:workstation)
• Microsoft windows_xp (:64-bit)
• Microsoft windows_xp (gold)
• Microsoft windows_xp (gold:professional)
• Microsoft windows_xp (:home)
• Microsoft windows_xp (sp1)
• Microsoft windows_xp (sp1:64-bit)
• Microsoft windows_xp (sp1:home)

References

• BugTraq: 9633
• CVE: CVE-2003-0818
• URL: http://research.eeye.com/html/advisories/published/AD20040210-2.html
• URL: http://www.microsoft.com/technet/security/bulletin/MS04-007.asp