Rule: -- Sid: 1618 -- Summary: This event is generated when an attempt is made to exploit a buffer overflow associated with chunked encoding processing of Active Server Pages (ASP) in Internet Information Services (IIS). -- Impact: Remote Access. If the exploit is successful, an attacker can gain remote access of the target host. -- Detailed Information: A buffer overflow exists with chunked encoding processing associated with ASP in IIS. Chunked encoding allows different sized chunks of data to be passed from the web client to the server. A heap overflow vulnerability exists because of an error in chunked encoding data transfer associated with the Internet Services Application Programming Interface (ISAPI) extension that implements ASP. -- Affected Systems: Microsoft IIS 4.0 Cisco Building Broadband Service Manager 5.0 Cisco Call Manager 1.0, 2.0, 3.0 Cisco ICS 7750 Cisco IP/VC 3540 Cisco Unity Server 2.0, 2.2, 2.3, 2.4 Cisco uOne 1.0, 2.0, 3.0, 4.0 Microsoft BackOffice 4.0, 4.5 Microsoft Windows NT 4.0 Option Pack Microsoft IIS 5.0 Microsoft Windows 2000 Advanced Server, SP1, SP2 Microsoft Windows 2000 Datacenter Server SP1, SP2 Microsoft Windows 2000 Professional, SP1, SP2 Microsoft Windows 2000 Server, SP1, SP2 -- Attack Scenarios: An attacker can craft a chunked encoded request to exploit the heap overflow. -- Ease of Attack: Easy. Exploit code is freely available. -- False Positives: None Known. -- False Negatives: None Known. -- Corrective Action: Apply the cumulative patch Q319733. -- Contributors: Original rule written by Brian Caswell <bmc@sourcefire.com> Sourcefire Research Team Judy Novak <judy.novak@sourcefire.com> -- Additional References: CVE http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0079 Bugtraq http://www.securityfocus.com/bid/4485 Microsoft http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-018.asp --