Remote Buffer Overflow Vulnerability in IIS 5

SAN JOSE, Calif., May 4 /PRNewswire/ — This information is distributed by Entercept Security Technologies to alert you of security vulnerabilities and how to prevent/protect against them.

Summary

There is a buffer overflow vulnerability in the Microsoft IIS 5 Web server on Windows 2000 (.printer ISAPI filter extension) that allows remote privileged access to the system. This vulnerability is present by default on all Windows 2000 servers, and exploitable if Microsoft IIS 5 is running on the box. Microsoft has released advisory MS01-023 and a patch to cover this vulnerability, labeling it “extremely serious.” The corresponding Mitre CVE classification number is CAN-2001-0241.

A buffer overflow occurs when a program copies a string from an external buffer to an internal buffer that is too short to hold the copied content. As a result, the memory after the end of the buffer is overwritten. When the internal buffer is located on the machine stack (where return addresses are stored), it is possible to over-write the memory so that the existing return address is overwritten by a new return address pointing to somewhere within the copied content. As a result, part of the copied content is executed with the privileges of the original program, which can be at the administrative or System level.

In this specific case, the IIS 5 ISAPI extension that implements the Internet Printing Protocol (IPP) in Windows 2000 is subject to an unchecked buffer. The vulnerability can be remotely exploited by sending specially-crafted IPP print requests to the server. By way of a buffer overflow in the Host header part of the request, the intruder can transfer arbitrary code to the system stack and have it execute in the security context of the Local System. This amounts to program execution with full administrative privileges, yielding full control of the Web server to the remote hacker: creation, modification or deletion of files, Web site defacement, access to databases and confidential data, access to user names and passwords, installation of backdoors, etc. On May 2nd, a working exploit creating a remote privileged command shell was released, giving hackers a tool to easily break into systems subject to the vulnerability.

Firewalls will not prevent exploits targeting this vulnerability, as they will have Port 80 (HTTP) or Port 443 (HTTPS/SSL) open. Additionally, IIS 5 would not log the exploitation of this vulnerability. Unlike previous IIS versions, the Web Server would automatically restart after the buffer overflow, avoiding a Denial of Service situation, but at the same time making the penetration harder to detect.

Traditional host-based IDS system which track logs could not have detected such an attack, as log files are not generated. Entercept(TM) Security Technologies’ Web Server Edition would have prevented this attack from occurring.

Entercept’s generic protection against buffer overflow exploits would have prevented hackers from using this vulnerability to break into exposed systems. This protection is in place even when an “unknown” or “novel” buffer overflow is discovered, and safeguards against buffer overflow exploits that may surface in the future — without requiring any update. Moreover, Entercept’s IIS shielding technology prevents illegitimate access to resources of the Web server. This additional layer of protection also goes beyond the prevention of specific exploits, making sure that even though a vulnerability was not known to the public, the system would not be compromised.

Solution/Recommendations

Entercept Security Technologies’ customers are protected from this vulnerability via its Web server agents running in “protection” mode — even if they have not installed the Microsoft patch that plugs this specific vulnerability.

Entercept further recommends that companies stay current with their patches, and install Web Server Edition to keep them secure while patches are not yet available or have not been deployed.

About Entercept Security Technologies

Entercept Security Technologies (formerly ClickNet) develops server security products that prevent access to server resources before any unauthorized activity occurs. Entercept provides essential protection beyond the firewall by identifying attacks and instantly taking action to stop hacker attacks before they cause damage. The Web Server Edition, the latest Entercept product, offers unique protection for Web servers as well as applications. Entercept Security Technologies (http://www.entercept.com) is headquartered in San Jose, Calif., and can be reached by calling 408-576-5900, or toll-free at 800-599-3200. Entercept’s European offices can be reached by calling 44-208-387-5500