Microsoft IIS 5.0 ISAPI Internet Printing Protocol extension buffer overflow
| iis-isapi-printer-bo (6485) |  High Risk |
Description:
Microsoft Internet Information Server (IIS) is vulnerable to a buffer overflow in the handling of ISAPI (Internet Services Application Programming Interface) extensions. An unchecked buffer exists in the code that handles input parameters for the Internet Printing Protocol (IPP) ISAPI extension. By sending a specially-crafted Internet Printing request to the server, an attacker can overflow a buffer to allow the modification of IPP ISAPI extension functionality. An attacker can use this vulnerability to gain complete control over the affected server.
Consequences:
Gain Privileges
Remedy:
For vulnerability detection:
Enable the following checks in the ISS Protection Platform:
IisIsapiPrinterBo
MS01-023
Enable the following checks in the ISS Protection Platform:
HTTP_IIS_ISAPI_Printer_Overflow
Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 80
For Manual Protection:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS01-023. See References.
References:
- BugTraq Mailing List, Sun May 13 2001 - 08:12:02 CDT: IIS5 .printer exploit ported to perl and win32.
- BugTraq Mailing List, Thu May 03 2001 - 06:08:38 CDT: IIS 5 remote exploit..
- BugTraq Mailing List, Thu May 03 2001 - 07:09:07 CDT: How to remove .printer mapping (WAS RE: Permanently remove IIS pr inter mapping).
- BugTraq Mailing List, Tue May 01 2001 - 15:15:10 CDT: Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level Access).
- BugTraq Mailing List, Tue May 01 2001 - 20:57:42 CDT: Re: Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level Access).
- BugTraq Mailing List, Wed May 02 2001 - 22:04:43 CDT: Re: Permanently remove iis printer mapping.
- CERT Advisory CA-2001-10: Buffer Overflow Vulnerability in Microsoft IIS 5.0.
- CIAC Information Bulletin L-078: Microsoft Unchecked Buffer in ISAPI Extension.
- eEye Digital Security Team Alert AD20010501: Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level Access).
- Internet Security Systems Security Alert #75: Remote IIS ISAPI Printer Extension Buffer Overflow.
- Microsoft Security Bulletin MS01-023: Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server.
- Microsoft Technet: Secure Internet Information Services 5 Checklist.
- National Infrastructure Protection Center Advisory 01-011: "Buffer Overflow Vulnerability in Microsoft's Internet Information Services (IIS) 5.0".
- BID-2674: Microsoft IIS 5.0 .printer ISAPI Extension Buffer Overflow Vulnerability
- CVE-2001-0241: Buffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root privileges via a long print request that is passed to the extension through IIS 5.0.
- OSVDB ID: 3323: Microsoft IIS ISAPI .printer Extension Host Header Overflow
- US-CERT VU#516648: Microsoft Windows 2000/Internet Information Server (IIS) 5.0 Internet Printing Protocol (IPP) ISAPI contains buffer overflow (MS01-023)
Platforms Affected:
- Microsoft Internet Information Server 5.0
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
Reported:
May 01, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net