Title: Unchecked Buffer in ISAPI Extension Could Enable
Compromise of IIS 5.0 Server
Date: 01 May 2001
Software: Windows 2000 Server
Windows 2000 Advanced Server
Windows 2000 Datacenter Server
Impact: Run code of attacker's choice, in Local System context
Bulletin: MS01-023
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-023.asp.
Windows 2000 introduced native support for the Internet Printing
Protocol (IPP), an industry-standard protocol for submitting and
controlling print jobs over HTTP. The protocol is implemented in
Windows 2000 via an ISAPI extension that is installed by default on
all
Windows 2000 servers but which can only be accessed via IIS 5.0.
A security vulnerability results because the ISAPI extension contains
an unchecked buffer in a section of code that handles input
parameters.
This could enable a remote attacker to conduct a buffer overrun
attack
and cause code of her choice to run on the server. Such code would
run
in the Local System security context. This would give the attacker
complete control of the server, and would enable her to take
virtually
any action she chose.
The attacker could exploit the vulnerability against any server with
which she could conduct a web session. No other services would need
to
be available, and only port 80 (HTTP) or 443 (HTTPS) would need to be
open. Clearly, this is a very serious vulnerability, and Microsoft
strongly recommends that all IIS 5.0 administrators install the patch
immediately. Alternatively, customers who cannot install the patch
can
protect their systems by removing the mapping for Internet Printing
ISAPI extension.