From: MICROSOFT <secure_(at)_microsoft.com>
Date: 03.05.2001
Subject: Security Bulletin MS01-023

----------------------------------------------------------------------
Title:      Unchecked Buffer in ISAPI Extension Could Enable
            Compromise of IIS 5.0 Server
Date:       01 May 2001
Software:   Windows 2000 Server
            Windows 2000 Advanced Server
            Windows 2000 Datacenter Server
Impact:     Run code of attacker's choice, in Local System context
Bulletin:   MS01-023

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-023.asp.
----------------------------------------------------------------------

Issue:
======
Windows 2000 introduced native support for the Internet Printing
Protocol (IPP), an industry-standard protocol for submitting and
controlling print jobs over HTTP. The protocol is implemented in
Windows 2000 via an ISAPI extension that is installed by default on
all Windows 2000 servers but which can only be accessed via IIS 5.0.

A security vulnerability results because the ISAPI extension contains
an unchecked buffer in a section of code that handles input
parameters. This could enable a remote attacker to conduct a buffer
overrun attack and cause code of her choice to run on the server.
Such code would run in the Local System security context. This would
give the attacker complete control of the server, and would enable
her to take virtually any action she chose.

The attacker could exploit the vulnerability against any server with
which she could conduct a web session. No other services would need
to be available, and only port 80 (HTTP) or 443 (HTTPS) would need to
be open. Clearly, this is a very serious vulnerability, and Microsoft
strongly recommends that all IIS 5.0 administrators install the patch
immediately. Alternatively, customers who cannot install the patch
can protect their systems by removing the mapping for the Internet
Printing ISAPI extension.

Mitigating Factors:
====================
- Servers on which the mapping for the Internet Printing
  ISAPI extension has been removed are not at risk from
  this vulnerability. The process for removing the mapping
  is discussed in the IIS 5.0 Security Checklist
  (http://www.microsoft.com/technet/security/iis5chk.asp).
  The High Security template provided in the checklist
  (http://www.microsoft.com/technet/security/tools.asp)
  removes the mapping, as does the Windows 2000 Internet
  Security Tool unless the user explicitly chose to retain
  Internet Printing.
- The attacker's ability to extend her control from a
  compromised web server to other machines would be heavily
  dependent on the specific configuration of the network.
  Best practices recommend that the network architecture reflect
  the position of special risk occupied by network-edge machines
  like web servers and use measures like DMZs and limited domain
  memberships to isolate such machines from the rest of the
  network. Taking such measures would impede an attacker's ability
  to broaden the scope of the compromise.
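
The first mitigating factor can be checked mechanically. The following
is an added example, not part of the Microsoft bulletin: it scans a
saved script-map listing for entries that still route requests to the
Internet Printing ISAPI extension. It assumes the extension is mapped
as ".printer" and served by msw3prt.dll (names not given in the
bulletin text) and that the listing holds one quoted
"extension,handler,flags,verbs" entry per line.

```python
import re

# Assumption: the Internet Printing mapping is the ".printer" extension
# served by msw3prt.dll; neither name appears in the bulletin text.
IPP_EXT = ".printer"
IPP_DLL = "msw3prt.dll"

# Constructed sample listing (extension,handler,flags,verbs...), not real output.
SAMPLE = r'''
ScriptMaps                      : (LIST) (4 Items)
  ".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"
  ".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST"
  ".PRN,c:\winnt\system32\MSW3PRT.DLL,1,GET,POST"
  ".htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST"
'''

def parse_script_maps(text):
    """Yield (extension, handler_path, verbs) for each quoted mapping entry."""
    for quoted in re.findall(r'"([^"]+)"', text):
        fields = [f.strip() for f in quoted.split(",")]
        if len(fields) < 2:
            continue  # not an extension,handler,... entry
        yield fields[0], fields[1], fields[3:]

def find_ipp_mappings(text):
    """Return mappings that still reach the Internet Printing ISAPI extension.

    An entry is flagged on either its extension or its handler DLL, so a
    mapping re-added under a different extension is still reported.
    """
    hits = []
    for ext, handler, verbs in parse_script_maps(text):
        dll = handler.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if ext.lower() == IPP_EXT or dll == IPP_DLL:
            hits.append((ext, handler, verbs))
    return hits

if __name__ == "__main__":
    found = find_ipp_mappings(SAMPLE)
    for ext, handler, verbs in found:
        print(f"still mapped: {ext} -> {handler} ({','.join(verbs) or 'all verbs'})")
    if not found:
        print("no Internet Printing mapping present")
```

An empty result means only that no such mapping appears in the listing
that was supplied; each web site's own script-map list needs the same
check.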

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
  Security Bulletin
  http://www.microsoft.com/technet/security/bulletin/ms01-023.asp
  for information on obtaining this patch.

Acknowledgment:
===============
- eEye Digital Security (http://www.eeye.com)
