J-Security Center

Title: Microsoft IIS 5.0 .printer ISAPI Extension Buffer Overflow Vulnerability

Severity: CRITICAL

Description:

Internet Printing Protocol (IPP) enables remote users to submit various print-related jobs over the Internet via the HTTP protocol (.printer).

An unchecked buffer exists in the Internet printing ISAPI extension in Windows 2000 that handles user requests (C:\WINNT\System32\msw3prt.dll). The Internet Printing Protocol (IPP) is dependent on msw3prt.dll for functionality.

A host running Windows 2000 with IIS 5.0 is susceptible to the execution of arbitrary code via an unchecked buffer in msw3prt.dll. If an HTTP .printer request containing approximately 420 bytes in the 'Host:' field is sent to the target, IIS will experience a buffer overflow and allow the execution of arbitrary code. Unfortunately, the Internet printing ISAPI extension runs in the LOCAL SYSTEM context; therefore, the attacker can specify arbitrary code to be run at SYSTEM privileges.

Typically a web server would stop responding in a buffer overflow condition; however, once Windows 2000 detects an unresponsive web server it automatically performs a restart. Therefore, the administrator will be unaware of this attack.

Successful exploitation of this vulnerability could lead to complete compromise of the target host.

* If Web-based Printing has been configured in group policy, attempts to disable or unmap the affected extension via Internet Services Manager will be overridden by the group policy settings.
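
A detection check for the condition described above, as an added example that is not part of the original advisory: it parses a captured HTTP request and flags .printer requests whose 'Host:' field is longer than any legitimate hostname. The function names, the 255-byte threshold and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import unquote

# Assumed threshold: a DNS name is at most 253 characters, so a longer Host
# value is not a real hostname. The advisory cites approximately 420 bytes
# in the 'Host:' field as the overflow condition.
MAX_HOST_LEN = 255


def parse_request(raw: bytes):
    """Return (request_target, headers); header names are lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    target = parts[1].decode("latin-1") if len(parts) >= 2 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            key = name.strip().lower().decode("latin-1")
            headers.setdefault(key, []).append(value.strip())
    return target, headers


def check_printer_request(raw: bytes):
    """Return a list of findings; an empty list means nothing was flagged."""
    target, headers = parse_request(raw)
    # Drop the query string, decode %xx escapes, compare case-insensitively.
    path = unquote(target.split("?", 1)[0]).lower()
    if ".printer" not in path:
        return []
    hosts = headers.get("host", [])
    findings = ["multiple Host headers"] if len(hosts) > 1 else []
    for host in hosts:
        if len(host) > MAX_HOST_LEN:
            findings.append(f"Host header is {len(host)} bytes (limit {MAX_HOST_LEN})")
    return findings


# Constructed sample requests: filler bytes only, no payload.
BENIGN = b"GET /printers/office.printer HTTP/1.1\r\nHost: print.example.com\r\n\r\n"
OVERSIZED = b"GET /printers/office.printer HTTP/1.1\r\nHost: " + b"A" * 420 + b"\r\n\r\n"
OTHER_PATH = b"GET /index.html HTTP/1.1\r\nHost: " + b"A" * 420 + b"\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("oversized", OVERSIZED), ("other", OTHER_PATH)]:
        print(name, check_printer_request(req) or "ok")
```

The same length test can be applied at a reverse proxy or in an IDS rule in front of the server, which still helps where group policy re-enables the .printer mapping.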

Affected Products:

  • Microsoft IIS 5.0
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.