SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server Vendors:   Microsoft
(Vendor Releases Fix) Re: Microsoft Internet Information Server IIS 5.0 for Windows 2000 Lets Remote Users Execute Arbitrary Code on the Server and Gain Control of the Server
SecurityTracker Alert ID:  1001465
SecurityTracker URL:  http://securitytracker.com/id/1001465
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 1 2001
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Microsoft Windows 2000 Internet Information Services 5.0, Microsoft Windows 2000 Internet Information Services 5.0 + Service Pack 1
Description:   eEye Digital Security reported a vulnerability in the Windows 2000 version of Internet Information Server 5.0. The security hole lets remote users execute arbitrary code on the server in the "system" context, which could allow the remote user to obtain system level access on the server.

The vulnerability exists in a Microsoft extension to the Internet Services Application Programming Interface (ISAPI) that is intended to provide Windows 2000 with support the Internet Printing Protocol. The DLL (msw3prt.dll) reportedly contains a buffer overflow.

The vulnerability can reportedly be triggered when a buffer of aproximately 420 bytes is sent within the HTTP Host: header for a .printer ISAPI request.

An example HTTP request that can send code that will overwrite the EIP is:
GET /NULL.printer HTTP/1.0
Host: [buffer]

eEye has developed a demonstration exploit script, which is to be posted to their web site shortly (http://eeye.com/).

The following software is affected:

Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Impact:   A remote user could cause the IIS web server to execute arbitrary code in the "system" context, which could allow the remote user to obtain system level access on the server (i.e., take complete control of the server).
Solution:   The vendor has released a fix and strongly recommends that all customers with affected servers apply the patch. See the Vendor URL for patch information.
Vendor URL:  www.microsoft.com/technet/security/bulletin/ms01-023.asp (Links to External Site)
Cause:   Boundary error
Underlying OS:   Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
May 1 2001 Microsoft Internet Information Server IIS 5.0 for Windows 2000 Lets Remote Users Execute Arbitrary Code on the Server and Gain Control of the Server


 Source Message Contents
Date:  Tue, 1 May 2001 08:50:05 -0700
Subject:  Microsoft Security Bulletin MS01-023


The following is a Security  Bulletin from the Microsoft Product Security
Notification Service.

Please do not  reply to this message,  as it was sent  from an unattended
mailbox.
                    ********************************

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Unchecked Buffer in ISAPI Extension Could Enable 
            Compromise of IIS 5.0 Server
Date:       01 May 2001
Software:   Windows 2000 Server
            Windows 2000 Advanced Server
            Windows 2000 Datacenter Server
Impact:     Run code of attacker's choice, in Local System context
Bulletin:   MS01-023

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-023.asp.
- ----------------------------------------------------------------------

Issue:
======
Windows 2000 introduced native support for the Internet Printing 
Protocol (IPP), an industry-standard protocol for submitting and 
controlling print jobs over HTTP. The protocol is implemented in 
Windows 2000 via an ISAPI extension that is installed by default on
all 
Windows 2000 servers but which can only be accessed via IIS 5.0. 

A security vulnerability results because the ISAPI extension contains
an unchecked buffer in a section of code that handles input
parameters. 
This could enable a remote attacker to conduct a buffer overrun
attack 
and cause code of her choice to run on the server. Such code would
run 
in the Local System security context. This would give the attacker 
complete control of the server, and would enable her to take
virtually 
any action she chose. 

The attacker could exploit the vulnerability against any server with 
which she could conduct a web session. No other services would need
to 
be available, and only port 80 (HTTP) or 443 (HTTPS) would need to be
open. Clearly, this is a very serious vulnerability, and Microsoft 
strongly recommends that all IIS 5.0 administrators install the patch
immediately. Alternatively, customers who cannot install the patch
can 
protect their systems by removing the mapping for Internet Printing 
ISAPI extension. 

Mitigating Factors:
====================
 - Servers on which the mapping for the Internet Printing 
   ISAPI extension has been removed are not at risk from 
   this vulnerability. The process for removing the mapping 
   is discussed in the IIS 5.0 Security Checklist
   (http://www.microsoft.com/technet/security/iis5chk.asp).
   The High Security template provided in the checklist 
   (http://www.microsoft.com/technet/security/tools.asp)
   removes the mapping, as does the Windows 2000 Internet 
   Security Tool unless the user explicitly chose to retain 
   Internet Printing. 
 - The attacker's ability to extend her control from a 
   compromised web server to other machines would be heavily 
   dependent on the specific configuration of the network. 
   Best practices recommend that the network architecture reflect 
   the position of special risk occupied by network-edge machines 
   like web servers and use measures like DMZs and limited domain 
   memberships to isolate such machines from the rest of the 
   network. Taking such measures would impede an attacker's ability 
   to broaden the scope of the compromise. 

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms01-023.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - eEye Digital Security (http://www.eeye.com) 

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED 
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL 
MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES 
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS 
OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. 
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
NOT 
APPLY.



-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOu7bLY0ZSRQxA/UrAQEFmwgAkJdg5zjeSBKYEwHQfTfInmbYZwuo7vUw
aUHymz56q1YPDaKhrcH5Z5LIP2aAzcjcSsxgEblkAA+1ZnIhfcP/myVf8o0qIr7N
0rlOBHZX5k+qjsQJKrxYdbt98mJ/+EFCs7OETV6X/uPehyPcfqlSZPBqIHOF52le
kVwkvXXu+lxOgPemQ4LFW5GdFyHS7j0iKfBINM+Pcr1jm4ZxKN66bjs1bz+n9vps
Fm5TaE+yjVvIIstixYd+w39uQNsWi45MpH+ja9PYC1EWvlx0vEh4Cc3YtfNUxO4b
AcIM7jFnsjbi2uIseDUHLq/Vk11K3McktZ+FEwpq4EwzbTfs2ubRBg==
=ZlkV
-----END PGP SIGNATURE-----

   *******************************************************************
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.

For  more  information on  the  Microsoft  Security Notification  Service
please  visit  http://www.microsoft.com/technet/security/notify.asp.  For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC