Rule:

--
Sid:
1618

--
Summary:
This event is generated when an attempt is made to exploit a buffer overflow associated with chunked encoding processing of Active Server Pages (ASP) in Internet Information Services (IIS). 

--
Impact:
Remote Access.  If the exploit is successful, an attacker can gain remote access of the target host. 

--
Detailed Information:
A buffer overflow exists with chunked encoding processing associated with ASP in IIS.  Chunked encoding allows different sized chunks of data to be passed from the web client to the server.  A heap overflow vulnerability exists because of an error in chunked encoding data transfer associated with the Internet Services Application Programming Interface (ISAPI) extension that implements ASP.

--
Affected Systems:

Microsoft IIS 4.0
  Cisco Building Broadband Service Manager 5.0
  Cisco Call Manager 1.0, 2.0, 3.0
  Cisco ICS 7750
  Cisco IP/VC 3540
  Cisco Unity Server 2.0, 2.2, 2.3, 2.4
  Cisco uOne 1.0, 2.0, 3.0, 4.0
  Microsoft BackOffice 4.0, 4.5
  Microsoft Windows NT 4.0 Option Pack

Microsoft IIS 5.0
  Microsoft Windows 2000 Advanced Server, SP1, SP2
  Microsoft Windows 2000 Datacenter Server SP1, SP2
  Microsoft Windows 2000 Professional, SP1, SP2
  Microsoft Windows 2000 Server, SP1, SP2

--
Attack Scenarios:
An attacker can craft a chunked encoded request to exploit the heap overflow.

--
Ease of Attack:
Easy.  Exploit code is freely available.

--
False Positives:
None Known.

--
False Negatives:
None Known.

--
Corrective Action:
Apply the cumulative patch Q319733.


--
Contributors:
Original rule written by Brian Caswell <bmc@sourcefire.com>
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:

CVE
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0079

Bugtraq
http://www.securityfocus.com/bid/4485

Microsoft
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-018.asp

--