Users login

Create an account »


Users login

Home » Hacking News » Microsoft IIS .htr ISAPI buffer overrun

Microsoft IIS .htr ISAPI buffer overrun

by Nikola Strahija on April 11th, 2002 There is a buffer overrun condition in the isapi extension that handles .htr extensions that could allow an attacker to crash the service and possibly execute arbitrary code on the server.

- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Server 5.0

This vulnerability was discovered by Dave Aitel from @stake and by
Peter Gr√ľndl from KPMG. It was done independently, and both
reported the same two vulnerabilities to the same vendor at around
the same time.

Dave Aitel released an advisory on this issue:

Ism.dll handles files with the extension .htr and a flaw in the
module could allow an attack to disable parts of or all of the
functionality of a website. It is theoretically possibly to
execute code with this overflow, although attempted exploitation
would most likely result in a Denial of Service situation.

The problem is with the modules parameter handling, as declared
variables are subject to a buffer overrun ("/foo.htr?=x").
The number of overflows needed and the result depends on the
internal state of the IIS memory allocations. A determined
attacker could proceed to crash the service, and repeatedly send
the malicious payload as the injection vector would now be
relatively fixed, when the server was rebooted.

Vendor URL:
You can visit the vendors webpage here:

Vendor response:
The vendor was contacted on the 31st of January, 2002. On the 18th
of March we received a private hotfix, which corrected the issue.
On the 10th of April, the vendor released a public bulletin.

Corrective action:
The vendor has released a patched ism.dll, which is included in
the security rollup package MS02-018, available here:

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »