What's the scope of this vulnerability?
This is a buffer overrun vulnerability. While buffer overrun vulnerabilities typically are serious, this one poses an even greater threat than usual, for two reasons:
- Under default conditions, it could be exploited by an attacker on the Internet.
- It could enable an attacker to gain complete control over an affected web server. This would enable her to take any desired action, including installing and running programs; reconfiguring the server; adding, changing or deleting files and web pages; or taking other actions.
This is an extremely serious vulnerability, and Microsoft recommends that all IIS 5.0 web server administrators apply the patch immediately. IIS 4.0 servers are not affected by the vulnerability.
What causes the vulnerability?
The vulnerability results because the Internet Printing ISAPI extension in Windows 2000 contains an unchecked buffer. By sending a specially constructed request to the extension, an attacker could cause code to run in the Local System context.
What's an ISAPI extension?
ISAPI (Internet Services Application Programming Interface) is a technology that enables web developers to extend the functionality of their web servers by writing custom code that provides new services for a web server. The custom code can either be implemented in an ISAPI filter, if the new functionality provides a low-level service, or an ISAPI extension, if the new functionality provides a high-level service. In this case, the affected code is an ISAPI extension.
What's the ISAPI extension at issue here?
The affected ISAPI extension is one that implements the Internet Printing Protocol (IPP), an industry standard defined in RFCs 2910 and 2911. IPP provides a way to request printing services and learn the status of print jobs across the Internet via HTTP. For instance, using IPP, a traveling user could send a print job across the Internet, to be printed on a printer on his corporate network. He also could find out whether the print request had completed without error.
Windows 2000 introduces native support for Internet Printing. The Windows 2000 implementation enables users to print directly to a URL, and to view information about print jobs via their browsers. Support for Internet Printing is enabled by default in Windows 2000.
What's wrong with the Internet Printing ISAPI extension in Windows 2000?
The extension has an unchecked buffer in a part of the code that processes users' print requests. If a specially malformed print request were sent to it, a buffer overrun would result.
What's a buffer overrun?
Let's start by discussing what a buffer is. A buffer is an area of memory within a program that's used to store data of some kind - for instance, information on the program's status, intermediate computational results, or input parameters. Before placing any data into a buffer, the program should always verify that the buffer is large enough to accommodate all of the data. Otherwise, the data can overrun the buffer and overwrite neighboring data, having the effect of modifying the program while it's running.
If the data that overruns the buffer is random, the neighboring data it overwrites (for instance, the address the program expects to return to when the current routine finishes) becomes garbage, and the program will fail when it tries to use it. On the other hand, if the data has been carefully constructed so that it contains valid program code and redirects execution to that code, the program will execute the new code and perform some new function - one chosen by whoever supplied the data.
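The mechanism described above, as an added illustration that is not code from this bulletin, from Microsoft, or from the affected ISAPI extension: a toy C model of a request handler's stack frame, in which a 32-byte field for a request value sits directly below the saved return address. Copying a request value into the field without checking its length overwrites that address; the checked version rejects the request instead. The field size, the addresses and the request values are assumptions, and the frame is a plain byte array so that the overwrite can be inspected rather than crashing the program.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not code from the bulletin or from the Windows 2000
 * Internet Printing ISAPI extension. A request handler's stack frame is modelled
 * as one byte array: mem[0..31] holds a request value, mem[32..35] the saved
 * return address. Field size, addresses and request contents are assumptions. */

enum { FIELD_MAX = 32, FRAME_SIZE = FIELD_MAX + 4 };
#define RET_ORIGINAL 0x00401000u      /* assumed legitimate return address */

struct frame { unsigned char mem[FRAME_SIZE]; };

/* Explicit little-endian encoding so results do not depend on the host CPU. */
static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void frame_init(struct frame *f)
{
    memset(f->mem, 0, FRAME_SIZE);
    put_le32(f->mem + FIELD_MAX, RET_ORIGINAL);   /* plant the saved return address */
}

static uint32_t frame_return_address(const struct frame *f)
{
    return get_le32(f->mem + FIELD_MAX);
}

/* The bug: the request's length is never compared with FIELD_MAX, so byte 33
 * onward lands on the saved return address. The clamp only keeps the toy inside
 * its own array; it is not the fix, and the real code had no such boundary. */
static void copy_field_unchecked(struct frame *f, const unsigned char *value, size_t len)
{
    if (len > FRAME_SIZE)
        len = FRAME_SIZE;
    memcpy(f->mem, value, len);
}

/* The fix: verify the value fits before copying; otherwise reject the request. */
static int copy_field_checked(struct frame *f, const unsigned char *value, size_t len)
{
    if (len > FIELD_MAX)
        return -1;
    memcpy(f->mem, value, len);
    return 0;
}

/* Constructed malformed request value: 32 filler bytes, then the address the
 * attacker wants the handler to "return" to. */
static size_t build_malformed(unsigned char *out, uint32_t attacker_ret)
{
    memset(out, 'A', FIELD_MAX);
    put_le32(out + FIELD_MAX, attacker_ret);
    return FRAME_SIZE;
}

/* Return address left in the frame after the unchecked handler processed value. */
uint32_t ret_after_unchecked(const unsigned char *value, size_t len)
{
    struct frame f;
    frame_init(&f);
    copy_field_unchecked(&f, value, len);
    return frame_return_address(&f);
}

/* Same, with the malformed request built in: yields attacker_ret, not RET_ORIGINAL. */
uint32_t ret_after_unchecked_malformed(uint32_t attacker_ret)
{
    unsigned char req[FRAME_SIZE];
    size_t len = build_malformed(req, attacker_ret);
    return ret_after_unchecked(req, len);
}

/* 1 if the checked handler accepts value and the return address is intact, else 0. */
int checked_accepts(const unsigned char *value, size_t len)
{
    struct frame f;
    frame_init(&f);
    if (copy_field_checked(&f, value, len) != 0)
        return 0;
    return frame_return_address(&f) == RET_ORIGINAL;
}

/* 1 if the checked handler rejects the malformed request, else 0. */
int checked_rejects_malformed(uint32_t attacker_ret)
{
    unsigned char req[FRAME_SIZE];
    size_t len = build_malformed(req, attacker_ret);
    return !checked_accepts(req, len);
}

int main(void)
{
    const unsigned char benign[] = "LaserJet-4";   /* constructed well-formed value */
    size_t benign_len = sizeof benign - 1;

    printf("benign, unchecked:    return address 0x%08x\n",
           (unsigned)ret_after_unchecked(benign, benign_len));
    printf("malformed, unchecked: return address 0x%08x (attacker-chosen)\n",
           (unsigned)ret_after_unchecked_malformed(0x41414141u));
    printf("benign, checked:      %s\n", checked_accepts(benign, benign_len) ? "accepted" : "rejected");
    printf("malformed, checked:   %s\n", checked_rejects_malformed(0x41414141u) ? "rejected" : "accepted");
    return 0;
}
```

Compile with any C compiler and run: the unchecked path reports the attacker-supplied value as the return address, while the checked path rejects the same request and leaves the original address in place. The point of the checked copy is that the length comparison happens before any byte is written; a check performed after the copy, or one that only compares against the wrong size, leaves the overrun in place.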
How could an attacker exploit this vulnerability?
By sending a specially malformed Internet Printing request to an affected web server, an attacker could exploit the buffer overrun and change the functionality of the Internet Printing ISAPI extension. This would enable her to take any desired action on the server.
How serious is this vulnerability?
This is an extremely serious vulnerability, and we strongly encourage all users to immediately apply the patch. An attacker could use this vulnerability to gain complete control of an affected web server. Worse, the vulnerability could be exploited from the Internet in most cases.
For instance, in working with Microsoft on this issue, eEye Digital Security, the company that discovered the vulnerability, demonstrated a scenario in which it could be used to open a command prompt on an affected web server. Through such a scenario, an attacker on the Internet could execute any desired command on the server.
Why does the vulnerability allow the attacker to gain such high privileges?
The Internet Printing ISAPI extension runs in the security context of the Local System - the operating system itself. Because the attacker's code would, for all practical purposes, be part of the Internet Printing ISAPI extension, it would run in the same context.
What would gaining Local System privileges on the web server enable the attacker to do?
It would give the attacker complete control of the server. She could load and execute any program she chose on the machine; add, change or delete any data on it, including web pages; execute system commands on it; reconfigure it; add new users or delete existing ones; reformat the hard drive; or take any other action she chose.
Would a firewall prevent the attacker from exploiting the vulnerability?
It's very important to fully understand the protection that a firewall could - and could not - provide. Internet Printing operates over HTTP or HTTPS, as part of a web session. As a result, if an attacker could start a web session with an affected server, she could exploit the vulnerability. The key question with regard to a firewall is whether it would prevent a web session or not.
If a firewall were configured to block HTTP and HTTPS requests, an Internet-based attacker could not exploit the vulnerability on a server behind it, because she would be unable to start a web session. On the other hand, if the firewall allowed web sessions, the servers behind it would be vulnerable - even if the firewall blocked all other ports and services.
Could an attacker use this vulnerability to compromise an entire domain?
Best practices would help limit the scope of the compromise. Because of their exposed position, web servers - especially public ones - are always special targets for attack, and the network design should reflect this fact. Indeed, one of the network architect's principal objectives should be to ensure that the network design limits what could be done using a compromised web server. Two practices in particular that should be followed are:
- Web servers should be isolated within a DMZ. This not only separates the servers from the Internet, but also separates them from the rest of the network.
- If possible, web servers should be configured as stand-alone machines. If it's absolutely necessary to make them part of a domain, the domain should only encompass machines that reside on the DMZ. Web servers should never be members of the larger network's domain.
Even if these precautions have been followed, however, it is important not to underestimate the damage that could be done via this vulnerability. Even if the network design denied the attacker an easy means of using normal system operations to extend her control, she could nevertheless use the compromised server as a launching point from which she could try to attack additional machines via other known vulnerabilities.
You said that buffer overruns can also be used to cause the affected software to fail. Is that the case here as well?
If the attacker chose not to provide a printing request that would cause code to run as part of the ISAPI extension, she might instead provide a request that overran the buffer with random data. However, this couldn't be used to conduct an effective denial of service attack, as the IIS 5.0 service automatically restarts itself after a failure.
Is the Internet Printing ISAPI extension part of Windows 2000 or part of IIS 5.0?
It's a component of Windows 2000, and installs by default. However, because requests to it can only be levied via HTTP or HTTPS, the vulnerability can only be exploited if IIS 5.0 is enabled.
I used the IIS 5.0 Security Checklist when I deployed my server, and I followed its recommendation to remove all unneeded ISAPI mappings. Am I vulnerable?
If the mapping for the Internet Printing ISAPI extension has been removed, Internet Printing requests cannot be levied, and the vulnerability cannot be exploited. As a result, if you followed the checklist's recommendations and removed the mapping for the Internet Printing ISAPI extension, you are not affected by this vulnerability.
I used the Security Template provided in the IIS 5.0 Security Checklist. Am I vulnerable?
The security template (hisecweb.inf) provided in the checklist removes the mapping for the Internet Printing ISAPI extension, so if you applied it you are not affected by the vulnerability.
I used the Windows 2000 Internet Server Security tool to configure my web server. Would that help protect me against the vulnerability?
Yes. The tool includes a questionnaire regarding the services you need to provide via the web server. Unless you specifically indicated that you wanted to retain Internet Printing, the tool disables the mapping for the Internet Printing ISAPI extension.
Does this vulnerability affect IIS 4.0 web servers?
No. Support for Internet Printing was introduced in Windows 2000. It isn't present in Windows NT 4.0, so the vulnerability doesn't affect IIS 4.0 servers.
What does the patch do?
The patch eliminates the vulnerability by instituting proper input checking in the ISAPI extension.
I don't want to install the patch. Is there any other way to protect my web server?
The best way to protect your web server is to install the patch. However, if you can't do this for some reason, you also can protect your server by disabling Internet Printing. As discussed in the IIS 5.0 security checklist, the procedure for doing this is:
- Launch the Microsoft Management Console and load the snap-in for Group Policy.
- Select Computer Configuration, then Administrative Templates, then Printers.
- Check the setting for Web-based Printing, and ensure that it is set to Disabled.
Note: If the server is part of a domain, ensure that Web-based Printing also is disabled in the domain group policy.
You used to recommend that Internet Printing be disabled by unmapping the Internet Printing ISAPI extension in the Internet Services Manager. Why have you changed your recommendation?
We've changed our recommendation for two reasons:
- Group policy can override the settings in the Internet Services Manager, so disabling Internet Printing via group policy provides greater certainty.
- Disabling Internet Printing via the Internet Services Manager can interfere with the operation of Outlook Web Access. Specifically, when you unmap the Internet Printing ISAPI extension via the Internet Services Manager on an Exchange 2000 server, you're prompted whether or not to apply the changes to the child folders, including Exchange, Public, and ExAdmin. If you choose to apply the setting to these child folders, Outlook Web Access will stop functioning until you restart the Exchange System Attendant.
I'm not sure whether Internet Printing is enabled on my system. Can I send a print request to the server and use the results to determine whether it's enabled?
No. The response you'll receive from the server depends on many factors, and as a result sending a print request to a server is not a reliable way to tell whether Internet Printing is enabled. The only way to reliably determine whether it's enabled is to log onto the server and check the group policy settings. (See the previous Q&A for specific instructions).