Microsoft Security Bulletin MS01-023 - Critical
Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server
Published: May 01, 2001 | Updated: June 23, 2003
Originally posted: May 01, 2001
Updated: June 23, 2003
Who should read this bulletin:
All web server administrators using Microsoft® Windows® 2000
Impact of vulnerability:
Run code of attacker's choice in system context.
Microsoft strongly urges all IIS 5.0 server administrators to install the patch immediately.
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
Note: The vulnerability is only exposed if IIS 5.0 is running.
Windows 2000 introduced native support for the Internet Printing Protocol (IPP), an industry-standard protocol for submitting and controlling print jobs over HTTP. The protocol is implemented in Windows 2000 via an ISAPI extension that is installed by default as part of Windows 2000 but which can only be accessed via IIS 5.0.
A security vulnerability results because the ISAPI extension contains an unchecked buffer in a section of code that handles input parameters. This could enable a remote attacker to conduct a buffer overrun attack and cause code of her choice to run on the server. Such code would run in the Local System security context. This would give the attacker complete control of the server, and would enable her to take virtually any action she chose.
The attacker could exploit the vulnerability against any server with which she could conduct a web session. No other services would need to be available, and only port 80 (HTTP) or 443 (HTTPS) would need to be open. Clearly, this is a very serious vulnerability, and Microsoft strongly recommends that all IIS 5.0 administrators install the patch immediately.
Customers who cannot install the patch can protect their systems by disabling Internet Printing. Although this can in theory be done by unmapping the Internet Printing ISAPI extension in the Internet Services Manager, it is important to understand that Group Policy overrides the settings made in the Internet Services Manager. As the FAQ discusses in more detail, the preferred way to disable Internet Printing is via Group Policy.
- Servers on which the mapping for the Internet Printing ISAPI extension has been removed are not at risk from this vulnerability. The process for removing the mapping is discussed in the IIS 5.0 Security Checklist. The High Security template provided in the checklist removes the mapping, as does the Windows 2000 Internet Security Tool unless the user explicitly chose to retain Internet Printing.
- The attacker's ability to extend her control from a compromised web server to other machines would be heavily dependent on the specific configuration of the network. Best practices recommend that the network architecture reflect the position of special risk occupied by network-edge machines like web servers and use measures like DMZs and limited domain memberships to isolate such machines from the rest of the network. Taking such measures would impede an attacker's ability to broaden the scope of the compromise.
Vulnerability identifier: CAN-2001-0241
Microsoft tested Windows 2000 to assess whether it is affected by this vulnerability. The feature at issue in this vulnerability was not present in any previous version of Windows, or in any version of Windows NT®.
What's the scope of this vulnerability?
This is a buffer overrun vulnerability. While buffer overrun vulnerabilities typically are serious, this one poses an even greater threat than usual, for two reasons:
- Under default conditions, it could be exploited by an attacker on the Internet.
- It could enable an attacker to gain complete control over an affected web server. This would enable her to take any desired action, including installing and running programs; reconfiguring the server; adding, changing or deleting files and web pages; or taking other actions.
This is an extremely serious vulnerability, and Microsoft recommends that all IIS 5.0 web server administrators apply the patch immediately. IIS 4.0 servers are not affected by the vulnerability.
What causes the vulnerability?
The vulnerability results because the Internet Printing ISAPI extension in Windows 2000 contains an unchecked buffer. By sending a specially constructed request to the extension, an attacker could cause code to run in the Local System context.
What's an ISAPI extension?
ISAPI (Internet Services Application Programming Interface) is a technology that enables web developers to extend the functionality of their web servers by writing custom code that provides new services for a web server. The custom code can either be implemented in an ISAPI filter, if the new functionality provides a low-level service, or an ISAPI extension, if the new functionality provides a high-level service. In this case, the affected code is an ISAPI extension.
What's the ISAPI extension at issue here?
The affected ISAPI extension is one that implements the Internet Printing Protocol (IPP), an industry standard defined in RFCs 2910 and 2911. IPP provides a way to request printing services and learn the status of print jobs across the Internet via HTTP. For instance, using IPP, a traveling user could send a print job across the Internet, to be printed on a printer on his corporate network. He also could find out whether the print request had completed without error.
Windows 2000 introduces native support for Internet Printing. The Windows 2000 implementation enables users to print directly to an URL, and to view information about print jobs via their browsers. Support for Internet Printing is enabled by default in Windows 2000.
What's wrong with the Internet Printing ISAPI extension in Windows 2000?
The extension has an unchecked buffer in a part of the code that processes users' print requests. If a specially malformed print request were sent to it, a buffer overrun would result.
What's a buffer overrun?
Let's start by discussing what a buffer is. A buffer is an area of memory within a program that's used to store data of some kind - for instance, information on the program's status, intermediate computational results, or input parameters. Before placing any data into a buffer, the program should always verify that the buffer is large enough to accommodate all of the data. Otherwise, the data can overrun the buffer and overwrite neighboring data, having the effect of modifying the program while it's running.
If the data that overruns the buffer is random data, it won't be valid program code, and the program will fail when it tries to execute the random data. On the other hand, if the data is valid program code, the program will execute the new code and perform some new function - one chosen by whoever supplied the data.
How could an attacker exploit this vulnerability?
By sending a specially malformed Internet Printing request to an affected web server, an attacker could exploit the buffer overrun and change the functionality of the Internet Printing ISAPI extension. This would enable her to take any desired action on the server.
How serious is this vulnerability?
This is an extremely serious vulnerability, and we strongly encourage all users to immediately apply the patch. An attacker could use this vulnerability to gain complete control of an affected web server. Worse, the vulnerability could be exploited from the Internet in most cases.
For instance, in working with Microsoft on this issue, eEye Digital Security, the company that discovered the vulnerability, demonstrated a scenario in which it could be used to open a command prompt on an affected web server. Through such a scenario, an attacker on the Internet could execute any desired command on the server.
Why does the vulnerability allow the attacker to gain such high privileges?
The Internet Printing ISAPI extension runs in the security context of the Local System - the operating system itself. Because the attacker's code would, for all practical purposes, be part of the Internet Printing ISAPI extension, it would run in the same context.
What would gaining Local System privileges on the web server enable the attacker to do?
It would give the attacker complete control of the server. She could load and execute any program she chose on the machine; add, change or delete any data on it, including web pages; execute system commands on it; reconfigure it; add new users or delete existing ones; reformat the hard drive; or take any other action she chose.
Would a firewall prevent the attacker from exploiting the vulnerability?
It's very important to fully understand the protection that a firewall could - and could not - provide. Internet Printing operates over HTTP or HTTPS, as part of a web session. As a result, if an attacker could start a web session with an affected server, she could exploit the vulnerability. The key question with regard to a firewall is whether it would prevent a web session or not.
If a firewall were configured to block HTTP and HTTPS requests, an Internet-based attacker could not exploit the vulnerability on a server behind it, because she would be unable to start a web session. On the other hand, if the firewall allowed web sessions, the servers behind it would be vulnerable - even if the firewall blocked all other ports and services.
Could an attacker use this vulnerability to compromise an entire domain?
Best practices would help limit the scope of the compromise. Because of their exposed position, web servers - especially public ones - are always special targets for attack, and the network design should reflect this fact. Indeed, one of the network architect's principal objectives should be to ensure that the network design limits what could be done using a compromised web server. Two practices in particular that should be followed are:
- Web servers should be isolated within a DMZ. This not only separates the servers from the Internet, but also separates them from the rest of the network.
- If possible, web servers should be configured as stand-alone machines. If it's absolutely necessary to make them part of a domain, the domain should only encompass machines that reside on the DMZ. Web servers should never be members of the larger network's domain.
Even if these precautions have been followed, however, it is important not to underestimate the damage that could be done via this vulnerability. Even if the network design denied the attacker an easy means of using normal system operations to extend her control, she could nevertheless use the compromised server as a launching point from which she could try to attack additional machines via other known vulnerabilities.
You said that buffer overruns can also be used to cause the affected software to fail. Is that the case here as well?
If the attacker chose not to provide a printing request that would cause code to run as part of the ISAPI extension, she might instead provide a request that overran the buffer with random data. However, this couldn't be used to conduct an effective denial of service attack, as the IIS 5.0 service automatically restarts itself after a failure.
Is the Internet Printing ISAPI extension part of Window 2000 or part of IIS 5.0?
It's a component of Windows 2000, and installs by default. However, because requests to it can only be levied via HTTP or HTTPS, the vulnerability can only be exploited if IIS 5.0 were enabled.
I used the IIS 5.0 Security Checklist when I deployed my server, and I followed its recommendation to remove all unneeded ISAPI mappings. Am I vulnerable?
If the mapping for the Internet Printing ISAPI extension has been removed, internet printing requests cannot be levied, and the vulnerability cannot be exploited. As a result, if you followed the checklist's recommendations and removed the mapping for the Internet Printing ISAPI, you are not affected by this vulnerability.
I used the Security Template provided in the IIS 5.0 Security Checklist. Am I vulnerable?
The security template (hisecweb.inf) provided in the checklist removes the mapping for the Internet Printing ISAPI extension, so if you applied it you are not affected by the vulnerability.
I used the Windows 2000 Internet Server Security tool to configure my web server. Would that help protect me against the vulnerability?
Yes. The tool includes a questionnaire regarding the services you need to provide via the web server. Unless you specifically indicated that you wanted to retain Internet Printing, the tool disables the mapping for the Internet Printing ISAPI extension.
Does this vulnerability affect IIS 4.0 web servers?
No. Support for internet printing was introduced in Windows 2000. It isn't present in Windows NT 4.0, so the vulnerability doesn't affect IIS 4.0 servers.
What does the patch do?
The patch eliminates the vulnerability by instituting proper input checking in the ISAPI extension.
I don't want to install the patch. Is there any other way to protect my web server?
The best way to protect your web server is to install the patch. However, if you can't do this for some reason, you also can protect your server by disabling Internet Printing. As discussed in the IIS 5.0 security checklist, the procedure for doing this is:
- Launch the Microsoft Management Console and load the snap-in for Group Policy.
- Select Computer Configuration, then Administrative Templates, then Printers.
- Check the setting for Web-based Printing, and ensure that it is set to disabled.
Note: If the server is part of a domain, ensure that Web-based Printing also is disabled in the domain group policy.
You used to recommend that Internet Printing be disabled by unmapping the Internet Printing ISAPI extension in the Internet Services Manager. Why have you changed your recommendation?
We've changed our recommendation for two reasons:
- Group policy can override the settings in the Internet Services Manager, so disabling Internet Printing via group policy provides greater certainty.
- Disabling Internet Printing via the Internet Services Manager can interfere with the operation of Outlook Web Access. Specifically, when you unmap the Internet Printing ISAPI extension via the Internet Services Manager on an Exchange 2000 server, you're prompted whether or not to apply the changes to the child folders, including Exchange, Public, and ExAdmin. If you choose to apply the setting to these child folders, Outlook Web Access will stop functioning until you restart the Exchange System Attendant.
I'm not sure whether Internet Printing is enabled on my system. Can I send a print request to the server and use the results to determine whether it's enabled?
No. The response you'll receive from the server depends on many factors, and as a result sending a print request to a server is not a reliable way to tell whether Internet Printing is enabled. The only way to reliably determine whether it's enabled is to log onto the server and check the group policy settings. (See the previous Q&A for specific instructions).
Download locations for this patch
- Microsoft Windows 2000 Professional, Windows 2000 Server and Windows 2000 Advanced Server:
- Microsoft Windows 2000 Datacenter Server:
Patches for Windows 2000 Datacenter Server are hardware-specific and available from the original equipment manufacturer.
Additional information about this patch
This patch can be installed on systems running Windows 2000 Gold or Service Pack 1
Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 Service Pack 2.
Verifying patch installation:
- To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP1\Q296576.
- To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP1\Q296576\Filelist.
Customers who choose to disable Internet printing rather than install the patch should be aware that group policy can override the settings in the Internet Services Manager. The FAQ provides additional information about this.
Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Microsoft Knowledge Base article Q296576 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (May 01, 2001): Bulletin Created.
- V1.1 (May 03, 2001): Bulletin updated to note that Windows 2000 Professional is affected, and to note that group policy settings for Internet printing, if configured, would override those made via the Internet Services Manager.
- V1.2 (May 09, 2001): FAQ updated to note that applying ISM changes to child folders on an Exchange 2000 machine could disable OWA.
- V1.3 (May 14, 2001): Bulletin and FAQ updated to strengthen recommendation that Group Policy, rather than the ISM, be used to disable Internet Printing.
- V1.4 (June 23, 2003): Updated Windows Update download links.
Built at 2014-04-18T13:49:36Z-07:00