Unrated severity · NVD Advisory · Published Oct 30, 2001 · Updated Apr 16, 2026

CVE-2001-0545

Description

IIS 4.0 with URL redirection enabled allows remote attackers to cause a denial of service (crash) via a malformed request that specifies a length that is different than the actual length.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A malformed request with mismatched length can crash IIS 4.0 when URL redirection is enabled, causing denial of service.

Vulnerability

CVE-2001-0545 is a denial of service vulnerability in Microsoft Internet Information Server (IIS) 4.0. The flaw exists when URL redirection is enabled. A remote attacker can send a malformed request that specifies a content length different from the actual length of the request, causing the IIS service to crash. This vulnerability affects IIS 4.0 only; IIS 5.0 is not affected by this specific issue [1].

Exploitation

An attacker does not need authentication or any special network position; the request can be sent remotely over HTTP. The attacker crafts an HTTP request where the Content-Length header value does not match the actual body length. When the request is processed by IIS 4.0 with URL redirection enabled, the mismatch triggers a fault in the service, causing it to fail. Notably, the "Code Red" worm generated traffic that could inadvertently exploit this vulnerability, disrupting IIS 4.0 machines that were not even susceptible to the worm's infection [1].
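
From the defender's side, the length mismatch described above can be checked on reassembled requests at a proxy or in a capture. The following is an added example, not code from Microsoft or from this advisory; the function names and sample requests are constructed, and it assumes one complete request per input with no pipelining or chunked encoding.

```python
# Added example: flag HTTP requests whose declared Content-Length disagrees
# with the body actually sent. Assumes each input is one fully reassembled
# request (e.g. from a proxy or capture), with no pipelining or chunking.

def classify(raw: bytes) -> dict:
    """Compare the declared Content-Length of one request with its body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    result = {"request": head.split(b"\r\n")[0].decode("latin-1"),
              "declared": None, "actual": len(body)}
    if not sep:  # header block never terminated
        result["verdict"] = "incomplete-headers"
        return result
    values = []
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            values.append(value.strip())
    if not values:
        result["verdict"] = "match" if not body else "body-without-length"
        return result
    # Conflicting or non-numeric values are malformed in their own right.
    if len(set(values)) > 1 or not values[0].isdigit():
        result["verdict"] = "invalid-length"
        return result
    result["declared"] = int(values[0])
    if result["declared"] == len(body):
        result["verdict"] = "match"
    elif result["declared"] > len(body):
        result["verdict"] = "body-shorter-than-declared"
    else:
        result["verdict"] = "body-longer-than-declared"
    return result

def flag_mismatches(requests):
    """Return the classification of every request that is not a clean match."""
    return [r for r in map(classify, requests) if r["verdict"] != "match"]

# Constructed sample requests (not taken from real traffic).
SAMPLES = [
    b"POST /form HTTP/1.0\r\nContent-Length: 5\r\n\r\nhello",
    b"POST /form HTTP/1.0\r\nContent-Length: 50\r\n\r\nhello",
    b"POST /form HTTP/1.0\r\nContent-Length: 2\r\n\r\nhello",
    b"POST /form HTTP/1.0\r\nContent-Length: abc\r\n\r\nhello",
    b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
]

if __name__ == "__main__":
    for hit in flag_mismatches(SAMPLES):
        print(hit)
```

A "body-shorter-than-declared" verdict is only meaningful once the connection has closed or timed out, since a legitimate client may still be sending the rest of the body.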

Impact

Successful exploitation results in a denial of service: the IIS 4.0 service crashes. By default, IIS 4.0 may be configured to restart automatically, but repeated attacks can cause sustained disruption. The attacker does not gain code execution, data access, or privilege escalation; the impact is limited to service availability [1].

Mitigation

Microsoft released a cumulative security patch in Security Bulletin MS01-044 on August 15, 2001, which addresses this vulnerability along with several others. Administrators should apply the patch to all IIS 4.0 servers. No workaround is documented; the only mitigation is to install the update. IIS 4.0 is no longer supported, so upgrading to a supported version is also recommended [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
