IIS 5 Vulnerability Could Allow Unauthorized Control of W2K
- By Scott Bekker
Microsoft is strongly urging customers to patch a dangerous new vulnerability in Internet Information Services 5.0 that could allow unauthorized users to take control of Windows 2000 servers.
The latest IIS exploit was discovered by security firm eEye Digital
Security, which claims that it used its "Retina" security hardening and
testing tool to successfully find and exploit a buffer overflow in IIS'
.printer ISAPI filter, a crucial component of Windows 2000's support for
the Internet Printing Protocol (IPP).
eEye representatives confirm that the new ISAPI filter vulnerability can
be exploited when an attacker sends a .printer ISAPI request with a
buffer of approximately 420 bytes within an HTTP "Host:" header. In most
cases, a buffer overflow exploit of this type causes a Web server to
simply stop responding, resulting in a successful denial-of-service
attack. Because Windows 2000 automatically restarts IIS in the event of
a failure, however, the potential for harm is much greater: a malicious
attacker could write code to a vulnerable system that would then
execute once IIS restarts. In some cases, a savvy attacker
could exploit this vulnerability to gain system-level control of a
vulnerable Windows 2000 system.
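The request pattern described above (a .printer ISAPI request carrying an abnormally long Host header) is easy to spot on the wire, which is useful for anyone who must keep an unpatched server running until the fix is applied. The following checker is an added example for this article, not code from eEye, Microsoft or the original author: it parses raw HTTP request heads and flags .printer requests whose Host header meets a length threshold. The 256-byte threshold, the `Finding` record and the sample requests are assumptions constructed for the example; the article's own figure is roughly 420 bytes.

```python
"""Detector for oversized Host headers on .printer (IPP) ISAPI requests.

Added example for this article; not eEye's Retina check nor Microsoft's
patch. The sample requests below are constructed, not captured traffic.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# The article reports that a Host: header of roughly 420 bytes triggers the
# overflow. Alerting well below that catches probing without false positives
# on legitimate hostnames (a DNS name is at most 253 characters).
HOST_ALERT_LENGTH = 256   # assumption: threshold chosen for this example


@dataclass
class Finding:
    method: str
    path: str
    host_length: int
    reason: str


def parse_request(raw: bytes) -> Tuple[str, str, List[Tuple[str, bytes]]]:
    """Split a raw HTTP/1.x request head into (method, target, headers).

    headers keeps order and duplicates, so a request carrying two Host
    headers can still be inspected rather than silently collapsed.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    method = parts[0].decode("latin-1")
    target = parts[1].decode("latin-1")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode("latin-1").lower(), value.strip()))
    return method, target, headers


def inspect_request(raw: bytes, limit: int = HOST_ALERT_LENGTH) -> Optional[Finding]:
    """Return a Finding when the request targets the .printer ISAPI
    extension with a Host header of at least `limit` bytes, else None."""
    method, target, headers = parse_request(raw)
    path = urlsplit(target).path
    if not path.lower().endswith(".printer"):
        return None
    hosts = [value for name, value in headers if name == "host"]
    if not hosts:
        return None
    longest = max(len(value) for value in hosts)
    if longest < limit:
        return None
    reason = "oversized Host header on .printer request"
    if len(hosts) > 1:
        reason += f" ({len(hosts)} Host headers present)"
    return Finding(method, path, longest, reason)


def scan(requests: List[bytes]) -> List[Finding]:
    """Run inspect_request over a batch, skipping unparseable input."""
    findings = []
    for raw in requests:
        try:
            finding = inspect_request(raw)
        except ValueError:
            continue
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample traffic: a benign .printer request, a benign page
# request that happens to carry a long Host, and a .printer request with a
# 420-byte Host header (the size the article reports).
SAMPLE_REQUESTS = [
    b"GET /sample.printer HTTP/1.0\r\nHost: intranet.example\r\n\r\n",
    b"GET /default.htm HTTP/1.0\r\nHost: " + b"a" * 420 + b"\r\n\r\n",
    b"GET /sample.printer HTTP/1.0\r\nHost: " + b"A" * 420 + b"\r\n\r\n",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f.method} {f.path}: Host={f.host_length} bytes; {f.reason}")
```

Only the third sample is reported: the first has a normal Host header, and the second, although its Host header is long, does not reach the .printer extension. In practice the same check can be run over a packet capture or a proxy log of request heads; the threshold is deliberately below the reported 420 bytes so that shorter probes are also noticed.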
eEye claims that it actually demonstrated an exploit of this type, which
the company then furnished to Microsoft.
"We would like to note that eEye Digital Security did provide Microsoft
with a working exploit," a bulletin on the company's Web site indicates.
"This exploit, when run against a Web server, will bind a cmd.exe
command prompt to an IIS remote port within seconds. This allows a
remote attacker to execute commands with SYSTEM level access and thereby
have full control over the vulnerable machine."
Microsoft reacted quickly, releasing a security bulletin - MS01-023 -
and providing a patch on its Web site.
For the record, Microsoft's security hardening guidelines have strongly
encouraged systems administrators to disable IPP functionality - even
though IPP support is installed by default with IIS 5.0. In this
respect, the new .printer ISAPI filter vulnerability is not unlike a
similar vulnerability that continues to plague Microsoft's IIS 4.0 Web
server platform. By exploiting a weakness in IIS 4.0's Remote Data Services (RDS),
unauthorized users can execute shell commands on an IIS system as
privileged users; can use Microsoft's Data Access Components to tunnel
SQL or other ODBC data requests through public connections to private
internetworks; and can facilitate unauthorized access to unpublished
files on an IIS system.
Microsoft released a patch for the IIS 4.0 RDS vulnerability almost
three years ago - but many Windows NT systems administrators remain
unaware of the existence of a problem, and this despite a series of
well-publicized attacks in the November 1999 timeframe. Even today, Russ
Cooper, editor of the Windows NT Bugtraq Mailing list, estimates that
RDS is still installed (un-patched) on as many as a quarter of all Windows
NT 4.0 systems running IIS 4.0.
The software giant would like to avoid a repeat of the RDS fiasco, and
says that it has worked to get the message out about the latest
IIS-related vulnerability. In addition to dispatching a newsletter to
more than 130,000 users, Microsoft also contacted its largest customers as early as Tuesday morning to ensure that they applied the patch. – Stephen Swoyer
Notable IIS-related Exploits
* November 2000 - Web Server File Request Parsing Vulnerability
Enables a malicious user to run operating system commands on IIS 4.0 or
IIS 5.0 Web server platforms. A malicious user could take virtually any
action that an interactively logged-on user could take.
* June 1999 - .HTR Buffer Overrun DoS Attack in IIS 4.0
An attacker sends a malformed request for an .HTR file that causes the
buffer to overflow, resulting in a system crash. The file request could
also cause arbitrary code to execute on the server by means of a buffer
overrun.
* August 1998 - Executable Directories in IIS 4.0
A non-administrative user could place executable code into a Web site
directory and then be able to run applications that could compromise the
* July 1998 - Unauthorized ODBC Access With RDS and IIS 4.0
Unauthorized users could execute shell commands on an IIS system as
privileged users; could use MDAC to tunnel SQL or other ODBC data
requests through public connections to private internetworks; and could
facilitate unauthorized access to unpublished files on an IIS system.
* January 1998 - Malformed FTP List Request DoS Attack in IIS 4.0
Similar to the recent .HTR buffer overrun attack. Results in either a
denial-of-service threat or arbitrary code execution on a remote server
by means of a buffer overrun exploit.
* June 1997 - IIS Long URL DoS Attack
Versions 2.0 and 3.0 of IIS on NT 4.0 could be crashed with a URL of
specific but long length (4k - 8k, variable per server).
Scott Bekker is editor in chief of Redmond Channel Partner magazine.