Date: 02 May 2001
References: ESB-2001.185
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2001.178 -- Microsoft Security Bulletin MS01-023
Unchecked Buffer in ISAPI Extension Could Enable
Compromise of IIS 5.0 Server
2 May 2001
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Windows 2000 Server with IIS 5.0
Windows 2000 Advanced Server with IIS 5.0
Windows 2000 Datacenter Server with IIS 5.0
Vendor: Microsoft
Operating System: Windows 2000
Impact: Administrator Compromise
Access Required: Remote
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
- - ----------------------------------------------------------------------
Title: Unchecked Buffer in ISAPI Extension Could Enable
Compromise of IIS 5.0 Server
Date: 01 May 2001
Software: Windows 2000 Server
Windows 2000 Advanced Server
Windows 2000 Datacenter Server
Impact: Run code of attacker's choice, in Local System context
Bulletin: MS01-023
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-023.asp.
- - ----------------------------------------------------------------------
Issue:
======
Windows 2000 introduced native support for the Internet Printing
Protocol (IPP), an industry-standard protocol for submitting and
controlling print jobs over HTTP. The protocol is implemented in
Windows 2000 via an ISAPI extension that is installed by default on
all
Windows 2000 servers but which can only be accessed via IIS 5.0.
A security vulnerability results because the ISAPI extension contains
an unchecked buffer in a section of code that handles input
parameters.
This could enable a remote attacker to conduct a buffer overrun
attack
and cause code of her choice to run on the server. Such code would
run
in the Local System security context. This would give the attacker
complete control of the server, and would enable her to take
virtually
any action she chose.
The attacker could exploit the vulnerability against any server with
which she could conduct a web session. No other services would need
to
be available, and only port 80 (HTTP) or 443 (HTTPS) would need to be
open. Clearly, this is a very serious vulnerability, and Microsoft
strongly recommends that all IIS 5.0 administrators install the patch
immediately. Alternatively, customers who cannot install the patch
can
protect their systems by removing the mapping for Internet Printing
ISAPI extension.
Mitigating Factors:
====================
- Servers on which the mapping for the Internet Printing
ISAPI extension has been removed are not at risk from
this vulnerability. The process for removing the mapping
is discussed in the IIS 5.0 Security Checklist
(http://www.microsoft.com/technet/security/iis5chk.asp).
The High Security template provided in the checklist
(http://www.microsoft.com/technet/security/tools.asp)
removes the mapping, as does the Windows 2000 Internet
Security Tool unless the user explicitly chose to retain
Internet Printing.
- The attacker's ability to extend her control from a
compromised web server to other machines would be heavily
dependent on the specific configuration of the network.
Best practices recommend that the network architecture reflect
the position of special risk occupied by network-edge machines
like web servers and use measures like DMZs and limited domain
memberships to isolate such machines from the rest of the
network. Taking such measures would impede an attacker's ability
to broaden the scope of the compromise.
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms01-023.asp
for information on obtaining this patch.
Acknowledgment:
===============
- eEye Digital Security (http://www.eeye.com)
- - ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL
MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS
OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
NOT
APPLY.
- -----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
iQEVAwUBOu7bLY0ZSRQxA/UrAQEFmwgAkJdg5zjeSBKYEwHQfTfInmbYZwuo7vUw
aUHymz56q1YPDaKhrcH5Z5LIP2aAzcjcSsxgEblkAA+1ZnIhfcP/myVf8o0qIr7N
0rlOBHZX5k+qjsQJKrxYdbt98mJ/+EFCs7OETV6X/uPehyPcfqlSZPBqIHOF52le
kVwkvXXu+lxOgPemQ4LFW5GdFyHS7j0iKfBINM+Pcr1jm4ZxKN66bjs1bz+n9vps
Fm5TaE+yjVvIIstixYd+w39uQNsWi45MpH+ja9PYC1EWvlx0vEh4Cc3YtfNUxO4b
AcIM7jFnsjbi2uIseDUHLq/Vk11K3McktZ+FEwpq4EwzbTfs2ubRBg==
=ZlkV
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOu/r4yh9+71yA2DNAQEb7AP/YWvcJHSzv/jDAACvR9y2a1gSEGhoz1wt
wPkzGk4zOphHzU3Qbp/qPYrl1+j/wah6ZAGM9wxEgTAi4DRuJqjsfG1dxfNykFnS
8DWHupjq74eC+e9AkPtlPK/FmJsPrdmUygTy0LpG7EL6sfxr7+3HRbSGsLDC3Du7
oLy5di1Ohj0=
=fmmV
-----END PGP SIGNATURE-----
|