Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level Access)
Release Date: May 01, 2001
Severity: High (Remote SYSTEM level code execution)
Systems Affected: Microsoft Windows 2000 Internet Information Services 5.0 Microsoft Windows 2000 Internet Information Services 5.0 + Service Pack 1
Description: A wise man once said, "When a single exploit is released, it's a good hack. When you are the first to hack each successive version of a product run on millions of computers all over the internet, you create a dynasty."
It seems sometimes the greatest discoveries are the ones that are the hardest to share with the world. Its not about a lack of wanting to tell everyone but a lack of not knowing exactly how to put it so that peoples jaws do not drop so fast that their head snaps back as they realize just how fragile our world is becoming as we slowly push society into the digital world people only dreamed about years ago. A world in which everything is being connected and little is being done to shore up the large looming gaps that are in existance in todays networked systems.
And without further ado... eEye Digital Security Presents, "Remote SYSTEM level Access to any default Windows 2000 IIS 5.0 web server."
The Discovery: This bug was first discovered while Riley Hassel, of eEye Digital Security, was updating Retina's CHAM (Common Hacking Attack Methods) techonology to look for unknown vulnerabilities within some of the new features that Windows 2000 IIS 5.0 provides. One of the features that was added to be audited by CHAM was the .printer ISAPI filter extension. Once the .printer ISAPI filter was added to the list of ISAPI's to audit, as well as various aspects of the new Web DAV functionality within IIS, the latest Retina development code was let loose against a test server in our lab. Within a matter of minutes a debugger kicked in on inetinfo.exe because of a "buffer overflow error."
The Explanation: It turns out the latest development code of Retina was able to find a buffer overflow within the .printer ISAPI filter (C:\WINNT\System32\msw3prt.dll) which provides Windows 2000 with support for the Internet Printing Protocol (IPP) which allows for the web based control of various aspects of networked printers.
The vulnerability arises when a buffer of aprox. 420 bytes is sent within the HTTP Host: header for a .printer ISAPI request.
Example: GET /NULL.printer HTTP/1.0 Host: [buffer]
Where [buffer] is aprox. 420 characters.
At this point an attacker has sucessfully caused a buffer overflow within IIS and has overwritten EIP. Now normally the web server would stop responding once you have "buffer overflowed" it. However, Windows 2000 will automatically restart the web server if it notices that the web server has crashed. While the feature is nice to help create a longer period of "up time" it is actually a feature that makes it easier for remote attacks to execute code against Windows 2000 IIS 5.0 web servers.
As we stated earlier our overflow is able to overwrite the EIP register with whatever we want. That basically means we can overwrite EIP with a location in memory that jumps to our "exploit" code, in memory, and then executes our code with SYSTEM level access.
The Exploit: Ryan Permeh, resident shellcode ninja, of eEye Digital Security has created an example exploit to be used as a "proof of concept." Our proof of concept exploit will, when run against an IIS 5 web server, create a text document on the remote server with instructions directing readers to a webpage on eeye.com that has information on how to patch the system so that the web server is no longer vulnerable to this flaw. This exploit is to only be considered a proof of concept exploit and any one with Windows 2000 should install the Microsoft supplied patch ASAP.
Check back to our website later today as we posted a link to our proof of concept code.
We would like to note that eEye Digital Security did provide Microsoft with a working example exploit that when ran against a web server would, in a matter of a few seconds, bind a cmd.exe command prompt to a port on a remote IIS 5.0 web server so that a remote attacker could then execute commands with SYSTEM level access and therefore have full control of the vulnerable machine.
The Log: Actually there is no log because this vulnerability, like most IIS buffer overflows, does not go logged. That means some of the largest web servers on the Internet running Windows 2000 are vulnerable to this attack and when exploited, there will be no IIS log anywhere that records the attack.
The Fallout: As with our first remote SYSTEM level exploit for IIS 4.0 2 years ago, the fallout from this second IIS remote overflow is also rather large. Once again it does not matter what kind of security systems you have in place, Firewalls, IDS's, etc.. because all of those systems can be bypassed and your web server CAN be broken into via this vulnerability. To quote our last advisory "Even a server that's locked in a guarded room behind a Cisco Pix can be broken into with this hole. This is a reminder to all software vendors that testing for common security holes in your software is a must. Demand more from your software vendors." There are millions of Windows 2000 web servers on the Internet right now that are wide open to this vulnerability.
The Magic: About two weeks ago eEye Digital Security released, SecureIIS which stops both known and unknown IIS web server vulnerabilities. Our SecureIIS code base from about 4 weeks ago actually stopped this latest IIS 5.0 buffer overflow vulnerability without actually knowing anything about it. It is this power to stop both known and unknown vulnerabilities that sets SecureIIS apart from every other security product in the market. Visit http://www.eeye.com/SecureIIS to learn more about this ground breaking product.
Vendor Status: We would like to thank Microsoft for working hard with us to create a patch for this vulnerability. You can download the Microsoft supplied patch from: http://www.microsoft.com/technet/security/bulletin/ms01-023.asp Also eEye Digital Security recommends removing the .printer ISAPI filter from your web server if it does not provide your web server with any needed functionality.
Credit: Discovery, Riley Hassel Exploit, Ryan Permeh
Online Advisory: We suggest checking back to this url over the next few days as we update the information within it. http://www.eeye.com/html/Research/Advisories/AD20010501.html
Related Links: Retina - The Network Security Scanner. http://www.eeye.com/Retina
SecureIIS - HTTP Application Firewall. http://www.eeye.com/SecureIIS
Greetings: ADM, KAM, Lamagra, Zen-parse, Barns, Angelina Jolie, Roland Postle, Attrition.
Copyright (c) 1998-2001 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.
Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Feedback Please send suggestions, updates, and comments to:
eEye Digital Security http://www.eEye.com info@eEye.com