Another day, another security hole. But for once, Microsoft plugged this Windows NT 4.0/Internet Information Server 4.0 hole before attackers got in.
The latest problem stemmed from the way IIS 4.0 handles HTTP 1.1's chunked transfer encoding. Chunked encoding, despite the awkwardness implied by its name, speeds up Web transactions: it lets a sender stream a message body as a series of size-prefixed pieces without first knowing, or buffering, the body's total length, so a server can start sending a dynamically generated page before it has finished building it.
The same technique can be used with POST and PUT requests, where the server reads a body sent by the browser. Unfortunately, IIS 4.0 collects this chunked data into a buffer with no upper size limit. An attacker can therefore feed an IIS 4.0 server an endless stream of useless chunks until the buffer has consumed all available memory, at which point the server crashes or stops responding altogether.
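To make the two points above concrete, here is an added example (not code from the article, and not IIS code) that decodes an HTTP/1.1 chunked body: each chunk is a hex size line, optional `;extension` parameters, CRLF, the data, CRLF, and the body ends with a zero-size chunk followed by optional trailer headers. The decoder takes an optional `max_body` cap and rejects the request before reading a chunk that would push the body past it, which is the check missing from the IIS 4.0 behaviour described above. `EndlessChunks` is a constructed stand-in for a hostile client that never sends the terminating chunk; the sample chunked message, the class and function names, and the 64 KiB limit are all assumptions for this illustration.

```python
import io


class BodyTooLarge(Exception):
    """Raised when a chunked body would exceed the configured cap."""


class MalformedChunk(Exception):
    """Raised when the chunked framing is not well formed."""


def decode_chunked(stream, max_body=None):
    """Decode an HTTP/1.1 chunked body from a binary file-like object.

    Returns the reassembled body. With max_body set, raises BodyTooLarge as
    soon as a declared chunk size would exceed the cap, before that chunk's
    data is read into memory. With max_body=None the buffer is unbounded,
    which is the failure mode the article describes.
    """
    body = bytearray()
    while True:
        line = stream.readline()
        if not line.endswith(b"\r\n"):
            raise MalformedChunk("chunk-size line not CRLF-terminated")
        # Drop chunk extensions ("1000;name=value") before parsing the hex size.
        size_field = line[:-2].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            raise MalformedChunk("bad chunk size %r" % size_field)
        if size < 0:
            raise MalformedChunk("negative chunk size")
        if size == 0:
            # last-chunk: consume trailer headers up to the blank line (or EOF).
            while stream.readline() not in (b"\r\n", b""):
                pass
            return bytes(body)
        # The bounds check happens on the declared size, so a hostile client
        # cannot make us allocate even one oversized chunk.
        if max_body is not None and len(body) + size > max_body:
            raise BodyTooLarge("body would exceed %d bytes" % max_body)
        data = stream.read(size)
        if len(data) != size:
            raise MalformedChunk("truncated chunk data")
        if stream.read(2) != b"\r\n":
            raise MalformedChunk("chunk data not CRLF-terminated")
        body += data


# Constructed sample: two ordinary chunks, one chunk carrying an extension,
# and a last-chunk followed by a trailer header.
SAMPLE = (
    b"4\r\nWiki\r\n"
    b"5;ext=1\r\npedia\r\n"
    b"E\r\n in\r\n\r\nchunks.\r\n"
    b"0\r\nX-Checksum: abc\r\n\r\n"
)


def decode_sample():
    return decode_chunked(io.BytesIO(SAMPLE), max_body=1024)


class EndlessChunks:
    """Constructed hostile client: streams 4 KiB chunks forever, never a 0 chunk."""

    def __init__(self, chunk_size=4096):
        self._encoded = b"%x\r\n" % chunk_size + b"A" * chunk_size + b"\r\n"
        self._buf = b""
        self.served = 0  # bytes the decoder actually pulled off the wire

    def _fill(self):
        if not self._buf:
            self._buf = self._encoded  # generated lazily, so the client itself uses no memory

    def readline(self):
        self._fill()
        end = self._buf.index(b"\n") + 1
        line, self._buf = self._buf[:end], self._buf[end:]
        self.served += len(line)
        return line

    def read(self, n):
        out = b""
        while len(out) < n:
            self._fill()
            take = min(n - len(out), len(self._buf))
            out += self._buf[:take]
            self._buf = self._buf[take:]
        self.served += len(out)
        return out


def bounded_decode_rejects(max_body=64 * 1024):
    """Return how many bytes a capped decoder consumes before refusing the stream."""
    client = EndlessChunks()
    try:
        decode_chunked(client, max_body=max_body)
    except BodyTooLarge:
        return client.served
    raise AssertionError("unreachable: the stream never terminates")


if __name__ == "__main__":
    print(decode_sample())
    print("rejected after", bounded_decode_rejects(), "bytes")
```

Calling `decode_chunked(EndlessChunks())` with no cap is exactly the article's scenario: the loop never returns and `body` grows until allocation fails. With the cap, the decoder gives up after sixteen 4 KiB chunks plus the next size line, having read roughly 64 KiB regardless of how much the client is willing to send; the cap should be chosen per endpoint, since file uploads legitimately need a larger one than form posts.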
Unlike classic buffer overflows, the data here can't overrun the buffer, so malicious visitors can't run programs or make changes on your boxes. For what scant comfort it brings, this attack is purely a Denial of Service (DoS) assault, not a cracker tool.
The problem behind the problem is that NT 4.0 lets IIS 4.0 consume system memory without any OS-level limit on how much the process may take. Microsoft representatives claim that this is not a problem for IIS 5.0 on Windows 2000.
For today's NT 4.0/IIS 4.0 administrators, Microsoft has released a patch that keeps Internet servers running Windows NT with IIS 4.0 from becoming targets. This must-have patch, available for both the Intel and Alpha versions of NT 4.0, can be found at Microsoft's page on the problem.
See also the Denial of Service roundup.