The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>"Code Red" Worm Crashes IIS 4.0 Servers with URL Redirection Enabled</h2>

Release Date: August 16, 2001<br/>
<a name="affected">
<h3>Systems Affected</h3>
<ul>
<li>Microsoft Windows NT 4.0 running Internet Information Server (IIS) 4.0 with URL Redirection enabled</li>
</ul>
<a name="overview">
<h2>I. Overview</h2>
<p>The CERT/CC has received numerous reports of Windows NT 4.0 IIS 4.0
servers patched according to <a href="http://www.microsoft.com/technet/security/bulletin/MS01-033.asp">Microsoft
Security Bulletin MS01-033</a> crashing when scanned by the "Code Red" worm.

<h2>II. Description</h2>
<p>
A vulnerability in Microsoft IIS 4.0 allows an attacker to crash an IIS
4.0 server by sending a crafted URL if the server is configured to use URL redirection (URL
redirection is not enabled by default). This vulnerability is
exercised by the "Code Red" worm, but it is distinct from the vulnerability described in <a href="http://www.cert.org/advisories/CA-2001-13.html">CA-2001-13</a>
that allows the worm to compromise systems. IIS 4.0 servers configured
to use URL redirection and patched according to <a href="http://www.microsoft.com/technet/security/bulletin/MS01-033.asp">Microsoft
Security Bulletin MS01-033</a> are no longer vulnerable to compromise
by the "Code Red" worm, but they may crash due to this new
vulnerability.

<p>For more information, please see:

<dl>
<dd><a href="http://www.kb.cert.org/vuls/id/544555">CERT Vulnerability Note VU#544555 - Microsoft Internet Information Server 4.0 (IIS) vulnerable to DoS when URL redirecting is enabled</a>
</dd></dl>
<dl>
<dd><a href="http://www.microsoft.com//technet/security/bulletin/MS01-044.asp">Microsoft Security Bulletin MS01-044</a>
</dd></dl>
<h2>III. Impact</h2>
<p>"Code Red" scanning activity can result in a denial-of-service attack against a Windows NT 4.0 IIS 4.0 server with URL redirection enabled.
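<p>The following triage script is an added example, not part of the original incident note and not CERT/CC or Microsoft code. It lists "Code Red" probes in an IIS log and flags any probe that is the last entry before a long gap in logging, which is how a crash after a scan would tend to appear. Assumptions: W3C extended log format with the field names shown, the probe pattern (a request for /default.ida whose query starts with a long run of N or X), the 30-minute gap threshold, and the constructed sample log lines.</p>

```python
import re
from datetime import datetime, timedelta

# Assumption: "Code Red" probes request /default.ida with a long run of one
# filler character (N, or X for the later variant) at the start of the query.
PROBE_QUERY = re.compile(r"^(N{20,}|X{20,})")
GAP = timedelta(minutes=30)  # assumed threshold for "the service stopped logging"

# Constructed sample log (W3C extended format, assumed field set).
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query",
    "2001-08-14 09:58:02 192.0.2.10 GET /index.htm -",
    "2001-08-14 10:01:17 198.51.100.7 GET /default.ida " + "N" * 32,
    "2001-08-14 10:01:40 192.0.2.10 GET /products.htm -",
    "2001-08-14 10:05:33 203.0.113.44 GET /default.ida " + "X" * 32,
    "2001-08-14 11:47:09 192.0.2.10 GET /index.htm -",
])


def parse(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) != len(fields):
                continue  # skip truncated or malformed lines
            row = dict(zip(fields, values))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"],
                                          "%Y-%m-%d %H:%M:%S")
            yield row


def is_probe(row):
    """True when the request matches the assumed probe pattern."""
    return (row.get("cs-uri-stem", "").lower() == "/default.ida"
            and bool(PROBE_QUERY.match(row.get("cs-uri-query", ""))))


def triage(log_text, gap=GAP):
    """Return (all probes, probes that were the last entry before a logging gap)."""
    rows = list(parse(log_text))
    probes = [r for r in rows if is_probe(r)]
    before_gap = [cur for cur, nxt in zip(rows, rows[1:])
                  if is_probe(cur) and nxt["ts"] - cur["ts"] >= gap]
    return probes, before_gap
```

<p>A flagged probe is a triage hint to compare against service restart times, not proof that the probe caused a crash; a probe that is the final line of the log is not flagged because no later entry exists to measure a gap.</p>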

<h2>IV. Solutions</h2>
<p>Apply the patch from <a href="http://www.microsoft.com//technet/security/bulletin/MS01-044.asp">Microsoft Security Bulletin MS01-044</a>.

<dl>
<dd><a href="http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32061">http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32061</a>
</dd></dl>
<h2>V. Reporting</h2>
<p>The CERT/CC is interested in receiving reports of this activity.
If machines under your administrative control are affected by this activity, please
send mail to <a href="mailto:cert@cert.org?Subject=IN-2001-10">cert@cert.org</a>.</p>
<p>
<hr noshade="" width="100%"/>
<b>Author(s)</b>: Brian B. King<br/>
<p>Copyright 2001 Carnegie Mellon University.</p>
</p></p></p></p></p></p></a></a>