VID 12016
Severity 40
Port 80, ...
Protocol TCP
Class WWW
Detailed Description IIS version 5.0 is vulnerable to a buffer overflow in the handling of ISAPI (Internet Server Application Programming Interface) extensions.
IPP (Internet Printing Protocol) is implemented in IIS 5 as an ISAPI extension for submitting and controlling print jobs over HTTP. It is installed by default as part of Windows 2000 but can only be accessed via IIS 5.0. A security vulnerability results because the ISAPI extension contains an unchecked buffer in a section of code that handles input parameters. The vulnerability is triggered when a buffer of approximately 420 bytes is sent within the HTTP Host: header of a .printer ISAPI request, as follows:

GET /NULL.printer HTTP/1.1
Host: AAAAAAAAA....[A*420]....AAAAAAAAAAAAA

Through this vulnerability, a remote attacker can cause a buffer overflow within IIS and cause code of her choice to run on the server. Normally the web server would stop responding once its buffer has been overflowed. However, Windows 2000 automatically restarts the web server if it notices that the web server has crashed.
See the following site for more details about this buffer overflow problem:
http://www.eeye.com/html/Research/Advisories/AD20010501.html
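
A detection check for the request pattern described above, as an added example that is not part of the original advisory: it reports every request for a .printer resource and adds a finding when the Host header is longer than any valid hostname. The function names, the length threshold and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import unquote

# Assumption: a legitimate Host value is a DNS name (at most 253 characters)
# plus an optional ":port", so anything longer than this is abnormal.
MAX_HOST_LEN = 253 + len(":65535")

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, {header: [values]})."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers

def check_printer_request(raw: bytes):
    """Return a list of findings for one request; an empty list means no alert."""
    try:
        method, target, headers = parse_request(raw)
    except ValueError:
        return ["malformed request line"]
    # Drop the query string and decode %xx so "%2Eprinter" is also matched.
    path = unquote(target.split("?", 1)[0])
    if not path.lower().endswith(".printer"):
        return []
    findings = [f".printer ISAPI request: {method} {path}"]
    for host in headers.get(b"host", []):
        if len(host) > MAX_HOST_LEN:
            findings.append(f"oversized Host header ({len(host)} bytes)")
    return findings

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal page": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "print request": b"GET /printers/lp1/.printer HTTP/1.1\r\nHost: print.example.com\r\n\r\n",
    "overlong host": b"GET /NULL.printer HTTP/1.1\r\nHost: " + b"A" * 420 + b"\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", check_printer_request(raw) or "no alert")
```

On a server where the .printer mapping has been removed as recommended below, the first finding alone is already worth reviewing, since no client should be requesting that extension.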

* Platforms Affected:
Microsoft IIS 5.0
Windows 2000 Any version

* References:
http://www.securityfocus.com/bid/2674
http://www.iss.net/security_center/static/6485.php
Recommendation If it's not needed, unmap the Internet Printing ISAPI (.printer) extension in the Internet Services Manager.

To unmap the Internet Printing ISAPI extension:
1. Open Internet Services Manager.
2. Right-click the Web server, and choose Properties from the context menu.
3. Master Properties
4. Select WWW Service | Edit | Home Directory | Configuration, and remove the reference to .printer from the list.

-- OR --

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS01-023, http://www.microsoft.com/technet/security/bulletin/ms01-023.asp
Related URL CVE-2001-0241 (CVE)
Related URL (SecurityFocus)
Related URL (ISS)