Home | Site Map | Search | Contacts
About Us
Report Incidents
Incident Statistics
Security FAQS

Search NISER
  NISER > Alerts > MyCERT Advisories & Summaries > MA-025.052001: Unchecked Buffer in ISAPI Extension Enables Remote Compromise of IIS 5.0

MA-025.052001: Unchecked Buffer in ISAPI Extension Enables Remote Compromise of IIS 5.0
Original Issue Date: 21st May 2001


    1.1 Overview

    This new vulnerability exists in IIS 5.0 running on Windows 2000 servers in which allows a malicious intruders to run arbitrary code on the victim server. This code will allow them to gain complete administrative control of the machine.

    The vulnerability was first discovered by eEye Digital Security and rectified by Microsoft as an extremely serious vulnerability.

    With the launched of Windows 2000, Microsoft has introduced a native ISAP support for Internet Printing Protocol (IPP). This protocol is an industry-standard protocol for submitting and controlling print jobs over HTTP, and it is installed by default as part of Windows 2000 in which can only be accessed via IIS 5.0.

    This vulnerability exists because the ISAPI extension contains an unchecked buffer in a section of code that handles input parameters. This could enable a remote attacker to conduct a buffer overrun attack and cause code of her choice to run on the server. Such code would run in the Local System security context. This would give the attacker complete control of the server, and would enable her to take virtually any action she chose. The attacker could exploit the vulnerability against any server with which she could conduct a web session. No other services would need to be available, and only port 80 (HTTP) or 443 (HTTPS) would need to be open. Clearly, this is a very serious vulnerability, and Microsoft strongly recommends that all IIS 5.0 administrators install the patch immediately.

    Microsoft has released the details of the vulnerability in its bulletin here:

    The attacker�s code would, for all practical purposes, be part of the Internet Printing ISAPI extension; it would run in the same context. This is because the Internet Printing ISAPI extension runs in the security context of the Local System, which is the operating system itself.

    1.2 Affected

    • Windows 2000 Professional
    • Windows 2000 Server
    • Windows 2000 Advanced Server
    • Windows 2000 Datacenter Server

    Note: The vulnerability is only exposed if IIS 5.0 is running.

    1.3 Cause

    The vulnerability results because it is possible to construct an URL that would cause IIS to navigate to any desired folder on the logical drive that contains the web folder structure, and access files in it.

    1.4 Scope

    This vulnerability would enable a malicious user to cause code of his choice to execute on an affected web server. The specific code he could run would be limited by the specific server configuration, but in most cases, it would be possible for the malicious user to execute any code that a user logged into the server interactively could run. This would give him the ability to install and run code, add, change or delete files or web pages, or take other actions. This is a serious vulnerability, and Microsoft recommends that all customers using IIS 4.0 or 5.0 take action immediately to protect their systems.

    A patch that was released in August 2000 for a different vulnerability provides complete protection against this vulnerability as well, and customers who have installed it do not need to take any additional action. Also, it is important to understand that the privileges gained via this vulnerability would be those of a locally logged-on user, and not those of the administrator. This means that if an administrator had previously restricted the privileges of non-administrative users on a system, this vulnerability would pose significantly less risk to it.


    2.1 Serious level

    This is an extremely serious vulnerability, and we strongly encourage all users to immediately apply the patch. An attacker could use this vulnerability to gain complete control of an affected web server. Worse, the vulnerability could be exploited from the Internet in most cases.

    For instance, in working with Microsoft on this issue, eEye Digital Security, the company that discovered the vulnerability, demonstrated a scenario in which it could be used to open a command prompt on an affected web server. Through such a scenario, an attacker on the Internet could execute any desired command on the server.

    2.2 Protecting the server scope of vulnerability

    This is buffer overrun vulnerability. While buffer overrun vulnerabilities typically are serious, this one poses an even greater threat than usual, for two reasons:

    • Under default conditions, an attacker on the Internet could exploit it.
    • It could enable an attacker to gain complete control over an affected web server. This would enable her to take any desired action, including installing and running programs; reconfiguring the server; adding, changing or deleting files and web pages; or taking other actions.

    2.3 How the attackers do the exploit?

    By sending a special malformed Internet Printing request to an affected web server, an attacker could exploit the buffer overrun and change the functionality of the Internet Printing ISAPI extension. This would enable her to take any desired action on the server.

    2.4 without patching

    The best way to protect your web server is to install the patch. However, if you can�t do this for some reason, you also can protect your server by disabling Internet Printing. Follow the instruction in IIS 5.0 Security Checklist on how to do so. The checklist is located here:



    More information on the vulnerability is published at Microsoft bulletin:

    4.1 http://www.securityportal.com/topnews/weekly/microsoft20001023.html

    4.2 and the CERT� Coordination Center (CERT/CC):

Disclaimers and copyright information
Last Update April 19, 2001