IIS Exposed to Data Flood Damage
As the mighty Mississippi recedes from the sandbag levees in Iowa, a serious breach in the dam of that other force of nature, Microsoft, comes to the fore. eEye Digital Security announced on May 1 its discovery of an unchecked buffer in the Internet Printing Protocol (IPP) of IIS version 5.0 for Windows 2000. The buffer overflow in this case exposes the Extended Instruction Pointer (EIP) CPU register, allowing an attacker to compromise the security of Microsoft's premier web server platform.
Not Fit to Print
IPP is a component of the Internet Server API (ISAPI), an IIS programming interface that enables web pages to run programs (such as databases) on the server. eEye Digital Security associate Riley Hassel, utilizing eEye's Retina CHAM technology, detected the buffer overflow error in the IPP .printer ISAPI filter. The .printer extension supports the Internet Printing Protocol, an industry-standard protocol that allows for web-based (HTTP) control of networked printers.
eEye Digital Security discovered that packing a buffer of approximately 420 bytes within the HTTP header could trigger the buffer overflow and overwrite the EIP register. This would then give an attacker access to protected memory space on the server. Overwriting a CPU register inevitably leads to a crash; however, because Windows 2000 automatically restarts IIS in such cases--in order to maintain web site "uptime"--it inadvertently facilitates the planting of "Trojan" code for subsequent execution.
Preventing Flood Damage
With the necessary information in hand, a "properly" executed attack could infiltrate an IIS server with code that would bind system-level commands to a port on the server, allowing the attacker total access to the machine. These types of buffer overflows are not logged, so any IPP-based exploits would not be exposed to casual administrator perusal. And because the attack is buried in an HTTP header--requiring only an open HTTP (80) or HTTPS (443) port for access--traditional firewalls would not protect against it.
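Because the overflow itself leaves nothing in the IIS logs, a request-level check is one way to give administrators visibility. The following is an added example (not from the article, eEye or Microsoft) that flags requests for a .printer URL carrying an oversized header value; the 256-byte threshold and the sample requests are constructed assumptions.

```python
"""Flag HTTP requests that fit the IIS 5.0 .printer ISAPI overflow pattern.

Heuristic: the URL ends in .printer and some header value is longer than
MAX_HEADER_LEN. The threshold and sample requests are constructed assumptions.
"""
from typing import List, Tuple

# The article places the trigger at roughly 420 bytes; a threshold well below
# that catches padded requests while leaving ordinary IPP traffic alone.
MAX_HEADER_LEN = 256


def parse_request(raw: bytes) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Split a raw HTTP request into (method, path, [(header, value), ...])."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split()
    method = parts[0] if parts else ""
    path = parts[1] if len(parts) > 1 else ""
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, path, headers


def is_ipp_overflow_probe(raw: bytes) -> bool:
    """True if the request targets a .printer URL with an oversized header."""
    _method, path, headers = parse_request(raw)
    if not path.split("?", 1)[0].lower().endswith(".printer"):
        return False
    return any(len(value) > MAX_HEADER_LEN for _name, value in headers)


def scan(requests: List[bytes]) -> List[int]:
    """Return the indexes of requests that match the overflow pattern."""
    return [i for i, raw in enumerate(requests) if is_ipp_overflow_probe(raw)]


# Constructed samples: an ordinary IPP request and one padded to 420 bytes.
BENIGN = b"GET /printers/hp.printer HTTP/1.1\r\nHost: intranet\r\n\r\n"
PADDED = b"GET /any.printer HTTP/1.0\r\nHost: " + b"A" * 420 + b"\r\n\r\n"

if __name__ == "__main__":
    print(scan([BENIGN, PADDED]))  # [1]
```

The check is a coarse filter for log review or a reverse proxy in front of IIS, not a substitute for the MS01-023 patch or removing the .printer mapping.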
eEye Digital Security informed Microsoft of the problem prior to publication, and both companies have come up with solutions. eEye, of course, would like you to deploy their SecureIIS Application Firewall, designed specifically to protect against buffer overrun, parser evasion, and directory traversal attacks. The Microsoft patch, described in Microsoft Security Bulletin MS01-023, secures the unchecked buffer. The patch can be downloaded from the Microsoft site.
Move to Higher Ground
Windows 2000 IIS administrators who cannot install the patch should remove the mapping for the Internet Printing ISAPI extension. As described in the Secure Internet Information Services 5 Checklist, this involves removing the .printer entry in the Internet Services Manager. Applying the high security template, hisecweb.inf, also removes the mapping; the template can be downloaded from the site above. The Checklist should also be consulted for other possible security risks. To paraphrase Microsoft's own comments on the subject, "Unless you have a mission-critical reason to use [an unused script mapping], you should remove [it]."
August 1st, 2009