SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server
Vendors:   Microsoft
(ISS Issues Advisory) Re: Microsoft Internet Information Server IIS 5.0 for Windows 2000 Lets Remote Users Execute Arbitrary Code on the Server and Gain Control of the Server
SecurityTracker Alert ID:  1001471
SecurityTracker URL:  http://securitytracker.com/id/1001471
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 3 2001
Impact:   Execution of arbitrary code via network, Root access via network

Version(s): Microsoft Windows 2000 Internet Information Services 5.0, Microsoft Windows 2000 Internet Information Services 5.0 + Service Pack 1
Description:   eEye Digital Security reported a vulnerability in the Windows 2000 version of Internet Information Server 5.0. The security hole lets remote users execute arbitrary code on the server in the "system" context, which could allow the remote user to obtain system level access on the server.

The vulnerability exists in a Microsoft extension to the Internet Services Application Programming Interface (ISAPI) that is intended to provide Windows 2000 with support for the Internet Printing Protocol. The DLL (msw3prt.dll) reportedly contains a buffer overflow.

The vulnerability can reportedly be triggered when a buffer of approximately 420 bytes is sent within the HTTP Host: header for a .printer ISAPI request.

An example HTTP request that can send code that will overwrite the EIP is:
GET /NULL.printer HTTP/1.0
Host: [buffer]

eEye has developed a demonstration exploit script, which is to be posted to their web site shortly (http://eeye.com/).

The following software is affected:

Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server

Impact:   A remote user could cause the IIS web server to execute arbitrary code in the "system" context, which could allow the remote user to obtain system level access on the server (i.e., take complete control of the server).
Solution:   The vendor has released a fix and strongly recommends that all customers with affected servers apply the patch. See the Vendor URL for patch information.
Vendor URL:  www.microsoft.com/technet/security/bulletin/ms01-023.asp
Cause:   Boundary error
Underlying OS:  Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
May 1 2001 Microsoft Internet Information Server IIS 5.0 for Windows 2000 Lets Remote Users Execute Arbitrary Code on the Server and Gain Control of the Server



 Source Message Contents

Subject:  ISSalert: Internet Security Systems Security Alert: Remote IIS ISAPI Printer Extension Buffer Overflow




-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
May 2, 2001

Remote IIS ISAPI Printer Extension Buffer Overflow

Synopsis:

ISS X-Force is aware of a vulnerability that can be used to attack Microsoft 
Internet Information Server (IIS). This vulnerability may allow an attacker to
compromise a host running a vulnerable version of IIS. The compromise may lead 
to Web page defacement and theft of sensitive or confidential information. In 
addition, this vulnerability can be used in conjunction with other exploits to 
further compromise affected systems.  

Description:

The vulnerable ISAPI printer extension is included with Windows 2000, but it
can be accessed only through IIS 5.0. This functionality is included in default
IIS installations that have not been hardened and introduces the ability to 
submit, cancel, or control print jobs over the web.  

The IIS ISAPI printer extension vulnerability exists due to a buffer overflow 
condition within the ISAPI extension. This vulnerability is particularly 
dangerous because attackers may exploit this condition via default HTTP 
listening ports on port 80 and 443.

After this vulnerability has been exploited, an attacker has the ability to 
execute commands under the "SYSTEM" security context, allowing unrestricted
access to the target machine and all its contents.

Affected Versions:

Microsoft Windows IIS 5.0 running on: 

Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server

Recommendations:

With the release of this exploit information, ISS X-Force urges all 
administrators to move quickly to protect themselves from this vulnerability.
Microsoft has made patches available for this vulnerability. 

For Microsoft Windows 2000 Server and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29321
 
For Microsoft Windows 2000 Datacenter Server:
Patches for Windows 2000 Datacenter Server are hardware-specific and available
from the original equipment manufacturer.

For more information on this vulnerability please refer to the Microsoft 
Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-023.asp

ISS X-Force recommends the application of the available patch immediately.

ISS RealSecure Intrusion Detection customers may use one of the following 
user-defined signatures to detect exploitation attempts. Follow the 
instructions below to apply the user-defined signature to your policy.  

- From the Sensor window:
1. Right-click on the sensor and select 'Properties'.
2. Choose a policy you want to use, and click 'Customize'.
3. Select the 'User Defined Events' tab.
4. Click 'Add' on the right hand side of the dialog box.
5. Create a User Defined Event
6. Type in a name of the event, such as 'IIS ISAPI Printer Extension BO'
7. In the 'Context' field for each event, select 'URL_Data'. In the 'String' 
   field, type the following string if Internet Printing Protocol (IPP)
   is not implemented:
	\.printer$   
   If IPP is implemented, type the following string for the event:
	null\.printer
9. Click 'Save', and then 'Close'.
10. Click 'Apply to Sensor' or 'Apply to Engine', depending on the version of
    RealSecure you are using.


For additional information about this vulnerability, please reference:

http://www.eeye.com/html/Research/Advisories/AD20010501.html

_____

About Internet Security Systems (ISS) 

Internet Security Systems is a leading global provider of security management
solutions for the Internet, protecting digital assets and ensuring safe and 
uninterrupted e-business.  With its industry-leading intrusion detection and 
vulnerability assessment software, remote managed security services, and 
strategic consulting and education offerings, ISS is a trusted security provider
to more than 8,000 customers worldwide including 21 of the 25 largest U.S. 
commercial banks and the top 10 U.S. telecommunications companies.  Founded in
1994, ISS is headquartered in Atlanta, GA, with additional offices throughout 
North America and international operations in Asia, Australia, Europe, Latin 
America and the Middle East.  For more information, visit the Internet Security 
Systems web site at www.iss.net or call 888-901-7477.


Copyright (c) 2001 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in
any other medium excluding electronic medium, please e-mail xforce@iss.net
for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.


X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.


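The two RealSecure strings from the ISS alert, together with the Host: header length noted in the SecurityTracker description, written as a request check that shows why the alert gives a narrower string for sites that use IPP. This is an added example, not part of the ISS alert or the SecurityTracker entry; the 255-byte Host limit, case-insensitive matching, matching on the path only, and the sample requests are assumptions.

```python
import re

# The two URL_Data strings from the ISS alert, applied to the request path.
# Case-insensitive matching is an assumption (IIS paths are case-insensitive).
SIG_NO_IPP = re.compile(r"\.printer$", re.IGNORECASE)   # IPP not in use
SIG_IPP = re.compile(r"null\.printer", re.IGNORECASE)   # IPP in use
MAX_HOST_LEN = 255  # assumption: longest legitimate DNS name, not from the alert


def inspect_request(raw: bytes, ipp_in_use: bool = False) -> list:
    """Return the list of findings for one raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        return ["malformed-request-line"]
    path = parts[1].split("?", 1)[0]  # assumption: match on path, not query
    findings = []
    sig = SIG_IPP if ipp_in_use else SIG_NO_IPP
    if sig.search(path):
        findings.append("printer-isapi-url")
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            if len(value.strip()) > MAX_HOST_LEN:
                findings.append("oversized-host-header")
    return findings


# Constructed sample requests (filler bytes only, no payload).
SAMPLES = {
    "normal page": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "print job": b"POST /printers/lab1/.printer HTTP/1.1\r\n"
                 b"Host: print.example.com\r\n\r\n",
    "probe": b"GET /NULL.printer HTTP/1.0\r\nHost: " + b"A" * 420 + b"\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        for ipp in (False, True):
            print(f"{label:12} ipp_in_use={ipp!s:5} -> {inspect_request(req, ipp)}")
```

With IPP in use, the constructed print-job request ends in .printer and would trip the broad string on every legitimate job, which is why the alert switches to the narrower one. The Host length check is independent of either string.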


 
 



Copyright 2019, SecurityGlobal.net LLC