CVE-1999-0874
published 1999-06-16

CVE-1999-0874: Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions.

Priority P3 50 · critical · 10 (CVSS 2.0)
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 78.10% (99.5th percentile)

Affected

2 ranges
Vendor | Product | Version range | Fixed in
microsoft | internet_information_server | |
microsoft | windows_nt | |

Detection & IOCs (extracted from sources)

url: GET /[overflow_buffer].htr HTTP/1.0
filename: .htr
filename: .stm
filename: .idc
filename: ISM.DLL
command: GET /AAAA...[~600+ bytes]....htr HTTP/1.0
command: get http://$ARGV[0]/('a' x $i).htr for $i 2500..3500
  • Detect HTTP GET requests to IIS with extremely long path segments (>593 bytes) ending in .htr, .stm, or .idc — characteristic of the buffer overflow trigger.
  • Alert on HTTP GET requests where the URI contains 593+ repeated characters followed by .htr — matches known exploit offset for NT4 SP3/SP4.
  • Look for HTTP requests to .htr files with alphanumeric-only payloads of ~2048 bytes in the URI path — the Metasploit module uses alpha-numeric encoding with no NOP sled.
  • Flag HTTP GET requests where the URI path length exceeds 2500 characters and ends with .htr — the Perl PoC iterates from 2500 to 3500 bytes.
  • Detect the return address 0x77f8f0 (NTDLL.DLL jmp gadget) embedded at byte offset 598 within the HTTP request buffer — used by the Greg Hoglund exploit variant.
  • The exploit offset varies by NT4 service pack level: SP3 and SP4 use offset 593, SP5 uses offset 589. Return addresses also differ per SP.
  • Payload bad characters are all bytes outside the alphanumeric range (0x00–0x2f, 0x3a–0x40, 0x5b–0x60, 0x7b–0xff), due to ISM.DLL input filtering.
  • Using EXITFUNC=seh allows the server to continue processing requests but causes issues terminating a bind shell; EXITFUNC=thread causes a server crash on bind shell exit.
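
The URI heuristics listed above, applied to HTTP request lines from a web or proxy log. This is an added example, not code from the page's sources: the `classify_request` helper, the rule names and the tolerance around "~2048 bytes" are assumptions, and the sample request lines are constructed.

```python
import re
from urllib.parse import urlsplit

EXTENSIONS = (".htr", ".stm", ".idc")  # extensions named in the CVE description
LONG_SEGMENT = 593                     # from the page: segments longer than 593 bytes
POC_PATH_MIN = 2500                    # from the page: Perl PoC starts at 2500 bytes
ALNUM_WINDOW = (1900, 2200)            # assumed tolerance around the page's "~2048 bytes"
REQUEST_RE = re.compile(r"^(?P<method>[A-Za-z]+) (?P<target>\S+) HTTP/\d\.\d$")
REPEAT_RE = re.compile(r"(.)\1{592,}")  # one character repeated 593 or more times


def classify_request(request_line):
    """Return the names of the page's heuristics matched by one HTTP request line."""
    m = REQUEST_RE.match(request_line.strip())
    if not m or m.group("method").upper() != "GET":
        return []
    try:
        # Handles origin-form (/path) and absolute-form (http://host/path) targets.
        path = urlsplit(m.group("target")).path
    except ValueError:
        return []
    ext = next((e for e in EXTENSIONS if path.lower().endswith(e)), None)
    if ext is None:
        return []
    segment = path.rsplit("/", 1)[-1][: -len(ext)]  # last segment without extension
    hits = []
    if len(segment) > LONG_SEGMENT:
        hits.append("long-segment")
    if ext == ".htr" and REPEAT_RE.search(segment):
        hits.append("repeated-chars-htr")
    if (ext == ".htr" and ALNUM_WINDOW[0] <= len(segment) <= ALNUM_WINDOW[1]
            and re.fullmatch(r"[A-Za-z0-9]+", segment)):
        hits.append("alnum-2048-htr")
    if ext == ".htr" and len(path) > POC_PATH_MIN:
        hits.append("path-over-2500-htr")
    return hits


# Constructed sample request lines (not taken from real logs).
SAMPLES = [
    "GET /default.htm HTTP/1.0",
    "GET /scripts/form.htr HTTP/1.0",
    "GET /" + "A" * 600 + ".htr HTTP/1.0",
    "GET /" + "b" * 700 + ".STM HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify_request(line), line[:40])
```

Run it on the request line as your server or proxy logs it; percent-encoded paths are not decoded here, so decode them first if your log source does not.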