News

IIS 5 Vulnerability Could Allow Unauthorized Control of W2K

• By Scott Bekker
• 05/02/2001

The latest IIS exploit was discovered by security firm eEye Digital Security, which claims that it used its "Retina" security hardening and testing tool to successfully find and exploit a buffer overflow in IIS' .printer ISAPI filter, a crucial component of Windows 2000's support for the Internet Printing Protocol (IPP).

eEye representatives confirm that the new ISAPI filter vulnerability can be exploited when an attacker sends a .printer ISAPI request with a buffer of approximately 420 bytes within an HTTP "Host:" header. In most cases, a buffer overflow exploit of this type causes a Web server to simply stop responding, resulting in a successful denial-of-service attack.

Because Windows 2000 automatically restarts IIS in the event of a failure, however, the potential for harm is much greater: A malicious attacker could actually write code to a vulnerable system, which code would then execute once IIS restarts. In some cases, a savvy attacker could exploit this vulnerability to gain system-level control of a vulnerable Windows 2000 system.

eEye claims that it actually demonstrated an exploit of this type, which the company then furnished to Microsoft.

"We would like to note that eEye Digital Security did provide Microsoft with a working exploit," a bulletin on the company's Web site indicates. "This exploit, when run against a Web server, will bind a cmd.exe command prompt to an IIS remote port within seconds. This allows a remote attacker to execute commands with SYSTEM level access and thereby have full control over the vulnerable machine."

Microsoft reacted quickly, releasing a security bulletin - MS01-023 - and providing a patch on its Web site.

For the record, Microsoft's security hardening guidelines have strongly encouraged systems administrators to disable IPP functionality - even though IPP support is installed by default with IIS 5.0. In this respect, the new .printer ISAPI filter vulnerability is not unlike a similar vulnerability that continues to plague Microsoft's IIS 4.0 Web server platform. By exploiting a weakness in IIS 4.0's Remote Data Services (RDS), unauthorized users can execute shell commands on an IIS system as privileged users; can use Microsoft's Data Access Components to tunnel SQL or other ODBC data requests through public connections to private internetworks; and can facilitate unauthorized access to unpublished files on an IIS system.

Microsoft released a patch for the IIS 4.0 RDS vulnerability almost three years ago - but many Windows NT systems administrators remain unaware of the existence of a problem, and this despite a series of well-publicized attacks in the November 1999 timeframe. Even today, Russ Cooper, editor of the Windows NT Bugtraq Mailing list, estimates that RDS is still installed (un-patched) on as many as a quarter of all Windows NT 4.0 systems running IIS 4.0.

The software giant would like to avoid a repeat of the RDS fiasco, and says that it has worked to get the message out about the latest IIS-related vulnerability. In addition to dispatching a newsletter to more than 130,000 users, Microsoft also contacted it largest customers by as early as Tuesday morning to ensure that they applied the patch. – Stephen Swoyer

Notable IIS-related Exploits

* November 2000 - Web Server File Request Parsing Vulnerability

Enables a malicious user to run operating system commands on IIS 4.0 or IIS 5.0 Web server platforms. A malicious user could take virtually any action that an interactively-logged on user could take.

* June 1999 -- .HTR Buffer Overrun DoS Attack in IIS 4.0

An attacker sends a malformed request for an .HTR file that causes the buffer to overflow, resulting in a system crash. The file request could also cause arbitrary code to execute on the server by means of a buffer overrun attack.

* August 1998 -- Executable Directories in IIS 4.0

A non-administrative user could place executable code into a Web site directory and then be able to run applications that could compromise the Web server.

* July 1998 - Unauthorized ODBC Access With RDS and IIS 4.0

Unauthorized users could execute shell commands on an IIS system as privileged users; could use MDAC to tunnel SQL or other ODBC data requests through public connections to private internetworks; and could facilitate unauthorized access to unpublished files on an IIS system.

* January 1998 -- Malformed FTP List Request DoS Attack in IIS 4.0

Similar to the recent .HTR buffer overrun attack. Results in either a denial of service threat or arbitrary code execution on a remote server by means of a buffer overrun exploit.

* June 1997 -- IIS Long URL DoS Attack

Versions 2.0 and 3.0 of IIS on NT 4.0 could be crashed with a URL of specific but long length (4k - 8k, variable per server).

Related Article:
Microsoft Confirms DoS Vulnerability in ISA Server 2000