[ISN] Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level Access)

From: Marc Maiffret (marcat_private)
Date: Tue May 01 2001 - 10:49:54 PDT

  • Next message: InfoSec News: "[ISN] U.S.-China cyberwar: Fact or fear-mongering?"

    Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM
    Level Access)
    Release Date:
    May 01, 2001
    High (Remote SYSTEM level code execution)
    Systems Affected:
    Microsoft Windows 2000 Internet Information Services 5.0
    Microsoft Windows 2000 Internet Information Services 5.0 + Service Pack 1
    A wise man once said, "When a single exploit is released, it's a good hack.
    When you are the first to hack each successive version of a product run on
    millions of computers all over the internet, you create a dynasty."
    It seems sometimes the greatest discoveries are the ones that are the
    hardest to share with the world. Its not about a lack of wanting to tell
    everyone but a lack of not knowing exactly how to put it so that peoples
    jaws do not drop so fast that their head snaps back as they realize just how
    fragile our world is becoming as we slowly push society into the digital
    world people only dreamed about years ago. A world in which everything is
    being connected and little is being done to shore up the large looming gaps
    that are in existance in todays networked systems.
    And without further ado... eEye Digital Security Presents, "Remote SYSTEM
    level Access to any default Windows 2000 IIS 5.0 web server."
    The Discovery:
    This bug was first discovered while Riley Hassel, of eEye Digital Security,
    was updating Retina's CHAM (Common Hacking Attack Methods) techonology to
    look for unknown vulnerabilities within some of the new features that
    Windows 2000 IIS 5.0 provides. One of the features that was added to be
    audited by CHAM was the .printer ISAPI filter extension. Once the .printer
    ISAPI filter was added to the list of ISAPI's to audit, as well as various
    aspects of the new Web DAV functionality within IIS, the latest Retina
    development code was let loose against a test server in our lab. Within a
    matter of minutes a debugger kicked in on inetinfo.exe because of a "buffer
    overflow error."
    The Explanation:
    It turns out the latest development code of Retina was able to find a buffer
    overflow within the .printer ISAPI filter (C:\WINNT\System32\msw3prt.dll)
    which provides Windows 2000 with support for the Internet Printing Protocol
    (IPP) which allows for the web based control of various aspects of networked
    The vulnerability arises when a buffer of aprox. 420 bytes is sent within
    the HTTP Host: header for a .printer ISAPI request.
    GET /NULL.printer HTTP/1.0
    Host: [buffer]
    Where [buffer] is aprox. 420 characters.
    At this point an attacker has sucessfully caused a buffer overflow within
    IIS and has overwritten EIP. Now normally the web server would stop
    responding once you have "buffer overflowed" it. However, Windows 2000 will
    automatically restart the web server if it notices that the web server has
    crashed. While the feature is nice to help create a longer period of "up
    time" it is actually a feature that makes it easier for remote attacks to
    execute code against Windows 2000 IIS 5.0 web servers.
    As we stated earlier our overflow is able to overwrite the EIP register with
    whatever we want. That basically means we can overwrite EIP with a location
    in memory that jumps to our "exploit" code, in memory, and then executes our
    code with SYSTEM level access.
    The Exploit:
    Ryan Permeh, resident shellcode ninja, of eEye Digital Security has created
    an example exploit to be used as a "proof of concept." Our proof of concept
    exploit will, when run against an IIS 5 web server, create a text document
    on the remote server with instructions directing readers to a webpage on
    eeye.com that has information on how to patch the system so that the web
    server is no longer vulnerable to this flaw. This exploit is to only be
    considered a proof of concept exploit and any one with Windows 2000 should
    install the Microsoft supplied patch ASAP.
    Check back to our website later today as we posted a link to our proof of
    concept code.
    We would like to note that eEye Digital Security did provide Microsoft with
    a working example exploit that when ran against a web server would, in a
    matter of a few seconds, bind a cmd.exe command prompt to a port on a remote
    IIS 5.0 web server so that a remote attacker could then execute commands
    with SYSTEM level access and therefore have full control of the vulnerable
    The Log:
    Actually there is no log because this vulnerability, like most IIS buffer
    overflows, does not go logged. That means some of the largest web servers on
    the Internet running Windows 2000 are vulnerable to this attack and when
    exploited, there will be no IIS log anywhere that records the attack.
    The Fallout:
    As with our first remote SYSTEM level exploit for IIS 4.0 2 years ago, the
    fallout from this second IIS remote overflow is also rather large. Once
    again it does not matter what kind of security systems you have in place,
    Firewalls, IDS's, etc.. because all of those systems can be bypassed and
    your web server CAN be broken into via this vulnerability. To quote our last
    advisory "Even a server that's locked in a guarded room behind a Cisco Pix
    can be broken into with this hole. This is a reminder to all software
    vendors that testing for common security holes in your software is a must.
    Demand more from your software vendors." There are millions of Windows 2000
    web servers on the Internet right now that are wide open to this
    The Magic:
    About two weeks ago eEye Digital Security released, SecureIIS which stops
    both known and unknown IIS web server vulnerabilities. Our SecureIIS code
    base from about 4 weeks ago actually stopped this latest IIS 5.0 buffer
    overflow vulnerability without actually knowing anything about it. It is
    this power to stop both known and unknown vulnerabilities that sets
    SecureIIS apart from every other security product in the market. Visit
    http://www.eeye.com/SecureIIS to learn more about this ground breaking
    Vendor Status:
    We would like to thank Microsoft for working hard with us to create a patch
    for this vulnerability.
    You can download the Microsoft supplied patch from:
    Also eEye Digital Security recommends removing the .printer ISAPI filter
    from your web server if it does not provide your web server with any
    _needed_ functionality.
    Discovery, Riley Hassel
    Exploit, Ryan Permeh
    Online Advisory:
    We suggest checking back to this url over the next few days as we update the
    information within it.
    Related Links:
    Retina - The Network Security Scanner.
    SecureIIS - HTTP Application Firewall.
    ADM, KAM, Lamagra, Zen-parse, Barns, Angelina Jolie, Roland Postle,
    Copyright (c) 1998-2001 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express consent of
    eEye. If you wish to reprint the whole or any part of this alert in any
    other medium excluding electronic medium, please e-mail alertat_private for
    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There are
    NO warranties with regard to this information. In no event shall the author
    be liable for any damages whatsoever arising out of or in connection with
    the use or spread of this information. Any use of this information is at the
    user's own risk.
    Please send suggestions, updates, and comments to:
    eEye Digital Security
    ISN is hosted by SecurityFocus.com
    To unsubscribe email LISTSERVat_private with a message body of

    This archive was generated by hypermail 2b30 : Wed May 02 2001 - 01:32:41 PDT