Date: May 1, 2001
Summary
A security vulnerability exists in Microsoft® IIS 5.0 on
Windows 2000 which could enable a malicious user to run
code of the attacker's choice in the system context.
Summary from Securityfocus
Windows 2000 Internet printing ISAPI extension contains
msw3prt.dll which handles user requests. Due to an unchecked
buffer in msw3prt.dll, a maliciously crafted HTTP .print
request containing approx 420 bytes in the 'Host:' field
will allow the execution of arbitrary code.
Typically a web server would stop responding in a buffer
overflow condition; however, once Windows 2000 detects an
unresponsive web server it automatically performs a
restart. Therefore, the administrator will be unaware of
this attack.
* If Web-based Printing has been configured in group
policy, attempts to disable or unmap the affected extension
via Internet Services Manager will be overridden by the
group policy settings.
Issue
Windows 2000 introduced native support for the Internet
Printing Protocol (IPP), an industry-standard protocol for
submitting and controlling print jobs over HTTP. The
protocol is implemented in Windows 2000 via an ISAPI
extension that is installed by default on all Windows 2000
servers but which can only be accessed via IIS 5.0.
A security vulnerability results because the ISAPI
extension contains an unchecked buffer in a section of code
that handles input parameters. This could enable a remote
attacker to conduct a buffer overrun attack and cause code
of her choice to run on the server. Such code would run in
the Local System security context. This would give the
attacker complete control of the server, and would enable
her to take virtually any action she chose.
The attacker could exploit the vulnerability against any
server with which she could conduct a web session. No other
services would need to be available, and only port 80 (HTTP)
or 443 (HTTPS) would need to be open. Clearly, this is a
very serious vulnerability, and Microsoft strongly
recommends that all IIS 5.0 administrators install the patch
immediately. Alternatively, customers who cannot install the
patch can protect their systems by removing the mapping for
the Internet Printing ISAPI extension.
Mitigating factors:
Servers on which the mapping for the Internet Printing
ISAPI extension has been removed are not at risk from this
vulnerability. The process for removing the mapping is
discussed in the IIS 5.0 Security Checklist. The High
Security template provided in the checklist removes the
mapping, as does the Windows 2000 Internet Security Tool
unless the user explicitly chose to retain Internet
Printing.
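The two points above that a defender can act on are the trigger condition (a request for the Internet Printing extension whose Host: field is roughly 420 bytes) and the mitigation (the extension is no longer mapped to msw3prt.dll). The following script is an added example, not code from the advisory, from Microsoft or from eEye. It assumes the IIS application mapping is ".printer" (the SecurityFocus summary writes ".print"; both spellings are accepted), and it represents script-map entries in a constructed "extension,dll-path,flags,verbs" form rather than reading the IIS metabase. The sample requests and mappings are constructed. The detection generalises slightly beyond the text: any request for the mapped extension with a Host header at or above the trigger size is flagged, regardless of the rest of the request.

```python
"""Defender-side checks for the IIS 5.0 Internet Printing ISAPI overrun.

Added example (not from the advisory, Microsoft or eEye). Script-map
entries use a constructed "extension,dll-path,flags,verbs" layout.
"""
from typing import Dict, List, Optional, Tuple

# Size the advisory gives for the overrun trigger (approx 420 bytes in Host:).
HOST_TRIGGER_BYTES = 420
# ".printer" is the assumed application mapping; ".print" matches the page's spelling.
PRINTER_EXTENSIONS = (".printer", ".print")
VULNERABLE_DLL = "msw3prt.dll"


def parse_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, bytes]]]:
    """Parse the request line and headers of a raw HTTP request.

    Returns (method, path, headers) with header names lower-cased, or None
    when the request line is malformed. Values stay as bytes so their length
    is what the server actually received.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return None
    method = parts[0].decode("latin-1")
    path = parts[1].decode("latin-1")
    headers: Dict[str, bytes] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip()
    return method, path, headers


def targets_printer_extension(path: str) -> bool:
    """True when the URL path (query string ignored) ends in the ISAPI extension."""
    path_only = path.split("?", 1)[0].lower()
    return path_only.endswith(PRINTER_EXTENSIONS)


def flag_oversized_printer_requests(requests: List[bytes]) -> List[Tuple[int, str, int]]:
    """Return (index, path, host_length) for each request that targets the
    Internet Printing extension AND carries a Host header of at least
    HOST_TRIGGER_BYTES. A long Host on an ordinary page, or a .printer request
    with a normal Host, is not flagged."""
    hits = []
    for i, raw in enumerate(requests):
        parsed = parse_request(raw)
        if parsed is None:
            continue
        _, path, headers = parsed
        host_len = len(headers.get("host", b""))
        if targets_printer_extension(path) and host_len >= HOST_TRIGGER_BYTES:
            hits.append((i, path, host_len))
    return hits


def vulnerable_mapping_present(script_maps: List[str]) -> bool:
    """True when any script-map entry still maps a printer extension to msw3prt.dll,
    i.e. the advisory's mitigation (removing the mapping) has not been applied."""
    for entry in script_maps:
        fields = entry.split(",")
        if len(fields) < 2:
            continue
        ext, dll = fields[0].strip().lower(), fields[1].strip().lower()
        if ext in PRINTER_EXTENSIONS and dll.endswith(VULNERABLE_DLL):
            return True
    return False


# Constructed sample traffic: a normal page, a benign .printer request, a
# .printer request with an oversized Host header, and a long Host on a page
# that does not touch the extension.
SAMPLE_REQUESTS = [
    b"GET /default.htm HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"GET /test.printer HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"GET /test.printer HTTP/1.1\r\nHost: " + b"A" * 420 + b"\r\n\r\n",
    b"GET /index.asp HTTP/1.1\r\nHost: " + b"B" * 600 + b"\r\n\r\n",
]

# Constructed script maps: "before" still carries the mapping, "after" has it removed.
SCRIPT_MAPS_BEFORE = [
    ".asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE",
    ".printer,C:\\WINNT\\System32\\msw3prt.dll,1,GET,POST",
]
SCRIPT_MAPS_AFTER = [
    ".asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE",
]

if __name__ == "__main__":
    for idx, path, n in flag_oversized_printer_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: {path} with {n}-byte Host header")
    print("mapping present (before):", vulnerable_mapping_present(SCRIPT_MAPS_BEFORE))
    print("mapping present (after):", vulnerable_mapping_present(SCRIPT_MAPS_AFTER))
```

Only the combination of the mapped extension and the oversized Host header is reported, which keeps the check from firing on ordinary long Host values; the mapping check is the inventory side of the same issue, telling you whether a host still needs the workaround or the patch.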
The attacker’s ability to extend her control from a
compromised web server to other machines would be heavily
dependent on the specific configuration of the network. Best
practices recommend that the network architecture reflect
the position of special risk occupied by network-edge
machines like web servers and use measures like DMZs and
limited domain memberships to isolate such machines from the
rest of the network. Taking such measures would impede an
attacker’s ability to broaden the scope of the compromise.
Affected Products
Windows 2000 Server and Advanced Server
Hyperlinks
Patch:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29321
Exploit (Windows binary, source code and Perl port):
iis5hack.zip
Credits
Source: Microsoft Corporate
Buffer Overflow Exploit found by eEye