Microsoft Says IIS 5.0 Web Servers Vulnerable to Attack

A component of Windows 2000 — installed by default on every Windows 2000 server — creates a serious security vulnerability on any machine running IIS 5.0, Microsoft Corp. revealed Tuesday.

The vulnerability was discovered by Riley Hassel of eEye Digital Security. While working with Microsoft on the issue, eEye was able to use the vulnerability to open a command prompt on an affected server.

Microsoft released a patch for Windows 2000 Server and Windows 2000 Advanced Server Tuesday. The company said Windows 2000 Datacenter Server is hardware specific and patches are available from the original equipment manufacturer.

The flaw lies in an ISAPI extension which implements the Internet Printing Protocol, an industry-standard protocol for submitting and controlling print jobs over HTTP. The extension contains an unchecked buffer which could enable a remote attacker to create a buffer overrun. The attacker could then submit code which would run in the Local System security context. By gaining Local System privileges, an attacker would gain complete control over a server, with the ability to load and execute any program; add, change or delete any data, including Web pages; execute system commands; reconfigure; add new users or delete existing ones; or reformat the hard drive.

“The attacker could exploit the vulnerability against any server with which she could conduct a Web session,” Microsoft said in a security bulletin Tuesday. “No other services would need to be available, and only port 80 (HTTP) or 443 (HTTPS) would need to be open. Clearly this is a very serious vulnerability, and Microsoft strongly recommends that all IIS 5.0 administrators install the patch immediately. Alternatively, customers who cannot install the patch can protect their systems by removing the mapping for Internet Printing ISAPI extension.”

Additionally, a firewall does not necessarily protect the network against intrusion in this case. Internet Printing operates over HTTP or HTTPS as part of a Web session. As long as an attacker can start a Web session with an affected server, that server is vulnerable. Only if a firewall is configured to block HTTP and HTTPS requests will the firewall protect the network against an Internet-based attacker.

The vulnerability can be contained through best practices configuration of the network, like using DMZs and limited domain memberships to isolate special risk network-edge machines like Web servers. Also, using the Security Template provided in the IIS 5.0 Security Checklist removes the extension unless the user explicitly chooses to retain Internet Printing.

The flaw only affects Windows 2000 machines running IIS 5.0. The ISAPI extension is not a part of any other Windows release, including Windows NT and the forthcoming Windows XP.

News Around the Web