SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server
Vendors:   Microsoft
(CIAC Issues Bulletin) Re: Microsoft Internet Information Server IIS 5.0 for Windows 2000 Lets Remote Users Execute Arbitrary Code on the Server and Gain Control of the Server
SecurityTracker Alert ID:  1001476
SecurityTracker URL:  http://securitytracker.com/id/1001476
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 3 2001
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Microsoft Windows 2000 Internet Information Services 5.0, Microsoft Windows 2000 Internet Information Services 5.0 + Service Pack 1
Description:   eEye Digital Security reported a vulnerability in the Windows 2000 version of Internet Information Server 5.0. The security hole lets remote users execute arbitrary code on the server in the "system" context, which could allow the remote user to obtain system level access on the server.

The vulnerability exists in a Microsoft extension to the Internet Services Application Programming Interface (ISAPI) that is intended to provide Windows 2000 with support for the Internet Printing Protocol. The DLL (msw3prt.dll) reportedly contains a buffer overflow.

The vulnerability can reportedly be triggered when a buffer of approximately 420 bytes is sent within the HTTP Host: header for a .printer ISAPI request.

An example HTTP request that can send code that will overwrite the EIP is:
GET /NULL.printer HTTP/1.0
Host: [buffer]

eEye has developed a demonstration exploit script, which is to be posted to their web site shortly (http://eeye.com/).
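
A defender-side check for the request shape described above, as an added example that is not part of the original advisory: it labels raw HTTP requests and raises an alert when a .printer request carries an oversized Host: header. The 260-byte limit, the function names and the sample requests are assumptions constructed for illustration.

```python
import re

# Assumption (not from the advisory): a legitimate Host value is a DNS name
# (at most 253 characters) plus an optional ":port", so 260 bytes is a safe cap.
MAX_HOST_LEN = 260
PRINTER_PATH = re.compile(rb"\.printer(?:/|$)", re.IGNORECASE)


def parse_head(raw: bytes):
    """Return (target, headers) from a raw HTTP request head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        key, value = name.strip().lower(), value.strip()
        # If a header repeats, keep the longest value so padding cannot hide.
        if sep and len(value) > len(headers.get(key, b"")):
            headers[key] = value
    return parts[1], headers


def classify(raw: bytes) -> str:
    """Label one request: ok, printer-request, oversized-host, alert, malformed."""
    try:
        target, headers = parse_head(raw)
    except ValueError:
        return "malformed"
    path = target.split(b"?", 1)[0]
    is_printer = bool(PRINTER_PATH.search(path))
    long_host = len(headers.get(b"host", b"")) > MAX_HOST_LEN
    if is_printer and long_host:
        return "alert"  # the request shape described in the advisory
    if long_host:
        return "oversized-host"
    return "printer-request" if is_printer else "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    b"GET /printers/lab.printer HTTP/1.0\r\nHost: print.example.com\r\n\r\n",
    b"GET /NULL.printer HTTP/1.0\r\nHost: " + b"A" * 420 + b"\r\n\r\n",
    b"GET /a.PRINTER?x=1 HTTP/1.0\r\nhost: a\r\nHost: " + b"B" * 300 + b"\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), sample[:40])
```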

The following software is affected:

Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server

Impact:   A remote user could cause the IIS web server to execute arbitrary code in the "system" context, which could allow the remote user to obtain system level access on the server (i.e., take complete control of the server).
Solution:   The vendor has released a fix and strongly recommends that all customers with affected servers apply the patch. See the Vendor URL for patch information.
Vendor URL:  www.microsoft.com/technet/security/bulletin/ms01-023.asp
Cause:   Boundary error
Underlying OS:  Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
May 1 2001 Microsoft Internet Information Server IIS 5.0 for Windows 2000 Lets Remote Users Execute Arbitrary Code on the Server and Gain Control of the Server



 Source Message Contents

Subject:  CIAC Bulletin L-078 Microsoft Unchecked Buffer in ISAPI Extension


[ For Public Release ]
-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

             Unchecked Buffer in ISAPI Extension of IIS 5.0 Server

May 2, 2001 21:00 GMT                                             Number L-078
______________________________________________________________________________
PROBLEM:       The Microsoft IIS 5.0 web server running on Windows 2000 has a
               buffer overflow vulnerability which will give an attacker
               complete control of the server.
PLATFORM:      Microsoft IIS 5.0 running on Windows 2000
DAMAGE:        A remote attacker can conduct a buffer overrun attack and cause
               code of their choice to run on the server. Such code would run
               in the Local System security context giving the attacker
               complete control of the server, and would enable them to take
               virtually any action they chose.
SOLUTION:      Apply the patch as shown in Microsoft Security Bulletin
               MS01-023.
               http://www.microsoft.com/technet/security/bulletin/MS01-023.asp
______________________________________________________________________________
VULNERABILITY  The risk is HIGH, remote system level code execution
ASSESSMENT:
______________________________________________________________________________

   [***** Start Microsoft Security Bulletin *****]

http://www.ciac.org/ciac/bulletins/l-078.shtml

   [***** End Microsoft Security Bulletin *****]   

