Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server
Originally posted: May 01, 2001

Summary

Who should read this bulletin: All web server administrators using Microsoft® Windows® 2000

Impact of vulnerability: Run code of attacker's choice in system context.

Recommendation: Microsoft strongly urges all IIS 5.0 server administrators to install the patch immediately.

Affected Software:
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server

Note: The vulnerability is only exposed if IIS 5.0 is running.

Technical details

Technical description:

Windows 2000 introduced native support for the Internet Printing Protocol (IPP), an industry-standard protocol for submitting and controlling print jobs over HTTP. The protocol is implemented in Windows 2000 via an ISAPI extension that is installed by default as part of Windows 2000 but which can only be accessed via IIS 5.0.

A security vulnerability results because the ISAPI extension contains an unchecked buffer in a section of code that handles input parameters. This could enable a remote attacker to conduct a buffer overrun attack and cause code of her choice to run on the server. Such code would run in the Local System security context. This would give the attacker complete control of the server, and would enable her to take virtually any action she chose.

The attacker could exploit the vulnerability against any server with which she could conduct a web session. No other services would need to be available, and only port 80 (HTTP) or 443 (HTTPS) would need to be open. Clearly, this is a very serious vulnerability, and Microsoft strongly recommends that all IIS 5.0 administrators install the patch immediately.
Customers who cannot install the patch can protect their systems by removing the mapping for the Internet Printing ISAPI extension. However, it is important to understand that if Web Printing is enabled via Group Policy, this would override the settings made in the Internet Services Manager. As the FAQ discusses in more detail, customers who have enabled Web Printing via Group Policy should disable it first, then unmap the Internet Printing ISAPI extension.

Mitigating factors:

Servers on which the mapping for the Internet Printing ISAPI extension has been removed are not at risk from this vulnerability. The process for removing the mapping is discussed in the IIS 5.0 Security Checklist. The High Security template provided in the checklist removes the mapping, as does the Windows 2000 Internet Security Tool unless the user explicitly chose to retain Internet Printing.

The attacker's ability to extend her control from a compromised web server to other machines would be heavily dependent on the specific configuration of the network. Best practices recommend that the network architecture reflect the position of special risk occupied by network-edge machines like web servers and use measures like DMZs and limited domain memberships to isolate such machines from the rest of the network. Taking such measures would impede an attacker's ability to broaden the scope of the compromise.

Vulnerability identifier: CAN-2001-0241

Tested Versions:
Microsoft tested Windows 2000 to assess whether it is affected by this vulnerability. The feature at issue in this vulnerability was not present in any previous version of Windows, or in any version of Windows NT®.

Frequently asked questions

What's the scope of this vulnerability?

This is a buffer overrun vulnerability. While buffer overrun vulnerabilities typically are serious, this one poses an even greater threat than usual, for two reasons:
Under default conditions, it could be exploited by an attacker on the Internet.
It could enable an attacker to gain complete control over an affected web server. This would enable her to take any desired action, including installing and running programs; reconfiguring the server; adding, changing or deleting files and web pages; or taking other actions.

This is an extremely serious vulnerability, and Microsoft recommends that all IIS 5.0 web server administrators apply the patch immediately. IIS 4.0 servers are not affected by the vulnerability.

What causes the vulnerability?

The vulnerability results because the Internet Printing ISAPI extension in Windows 2000 contains an unchecked buffer. By sending a specially constructed request to the extension, an attacker could cause code to run in the Local System context.

What's an ISAPI extension?

ISAPI (Internet Services Application Programming Interface) is a technology that enables web developers to extend the functionality of their web servers by writing custom code that provides new services for a web server. The custom code can be implemented either as an ISAPI filter, if the new functionality provides a low-level service, or as an ISAPI extension, if the new functionality provides a high-level service. In this case, the affected code is an ISAPI extension.

What's the ISAPI extension at issue here?

The affected ISAPI extension is one that implements the Internet Printing Protocol (IPP), an industry standard defined in RFCs 2910 and 2911. IPP provides a way to request printing services and learn the status of print jobs across the Internet via HTTP. For instance, using IPP, a traveling user could send a print job across the Internet, to be printed on a printer on his corporate network. He also could find out whether the print request had completed without error.

Windows 2000 introduces native support for Internet Printing. The Windows 2000 implementation enables users to print directly to a URL, and to view information about print jobs via their browsers. Support for Internet Printing is enabled by default in Windows 2000.

What's wrong with the Internet Printing ISAPI extension in Windows 2000?

The extension has an unchecked buffer in a part of the code that processes users' print requests. If a specially malformed print request were sent to it, a buffer overrun would result.

What's a buffer overrun?

Let's start by discussing what a buffer is. A buffer is an area of memory within a program that's used to store data of some kind – for instance, information on the program's status, intermediate computational results, or input parameters. Before placing any data into a buffer, the program should always verify that the buffer is large enough to accommodate all of the data. Otherwise, the data can overrun the buffer and overwrite neighboring data, having the effect of modifying the program while it's running.

If the data that overruns the buffer is random data, it won't be valid program code, and the program will fail when it tries to execute the random data. On the other hand, if the data is valid program code, the program will execute the new code and perform some new function – one chosen by whoever supplied the data.

How could an attacker exploit this vulnerability?

By sending a specially malformed Internet Printing request to an affected web server, an attacker could exploit the buffer overrun and change the functionality of the Internet Printing ISAPI extension. This would enable her to take any desired action on the server.

How serious is this vulnerability?

This is an extremely serious vulnerability, and we strongly encourage all users to immediately apply the patch. An attacker could use this vulnerability to gain complete control of an affected web server. Worse, the vulnerability could be exploited from the Internet in most cases.

For instance, in working with Microsoft on this issue, eEye Digital Security, the company that discovered the vulnerability, demonstrated a scenario in which it could be used to open a command prompt on an affected web server. Through such a scenario, an attacker on the Internet could execute any desired command on the server.

Why does the vulnerability allow the attacker to gain such high privileges?

The Internet Printing ISAPI extension runs in the security context of the Local System – the operating system itself. Because the attacker's code would, for all practical purposes, be part of the Internet Printing ISAPI extension, it would run in the same context.

What would gaining Local System privileges on the web server enable the attacker to do?

It would give the attacker complete control of the server. She could load and execute any program she chose on the machine; add, change or delete any data on it, including web pages; execute system commands on it; reconfigure it; add new users or delete existing ones; reformat the hard drive; or take any other action she chose.

Would a firewall prevent the attacker from exploiting the vulnerability?

It's very important to fully understand the protection that a firewall could – and could not – provide. Internet Printing operates over HTTP or HTTPS, as part of a web session. As a result, if an attacker could start a web session with an affected server, she could exploit the vulnerability. The key question with regard to a firewall is whether it would prevent a web session or not.

If a firewall were configured to block HTTP and HTTPS requests, an Internet-based attacker could not exploit the vulnerability on a server behind it, because she would be unable to start a web session. On the other hand, if the firewall allowed web sessions, the servers behind it would be vulnerable – even if the firewall blocked all other ports and services.

Could an attacker use this vulnerability to compromise an entire domain?

Best practices would help limit the scope of the compromise. Because of their exposed position, web servers – especially public ones – are always special targets for attack, and the network design should reflect this fact. Indeed, one of the network architect's principal objectives should be to ensure that the network design limits what could be done using a compromised web server. Two practices in particular that should be followed are:
Web servers should be isolated within a DMZ. This not only separates the servers from the Internet, but also separates them from the rest of the network.
If possible, web servers should be configured as stand-alone machines. If it's absolutely necessary to make them part of a domain, the domain should only encompass machines that reside on the DMZ. Web servers should never be members of the larger network's domain.

Even if these precautions have been followed, however, it is important not to underestimate the damage that could be done via this vulnerability. Even if the network design denied the attacker an easy means of using normal system operations to extend her control, she could nevertheless use the compromised server as a launching point from which she could try to attack additional machines via other known vulnerabilities.

You said that buffer overruns can also be used to cause the affected software to fail. Is that the case here as well?

If the attacker chose not to provide a printing request that would cause code to run as part of the ISAPI extension, she might instead provide a request that overran the buffer with random data. However, this couldn't be used to conduct an effective denial of service attack, as the IIS 5.0 service automatically restarts itself after a failure.

Is the Internet Printing ISAPI extension part of Windows 2000 or part of IIS 5.0?

It's a component of Windows 2000, and installs by default. However, because requests to it can only be levied via HTTP or HTTPS, the vulnerability can only be exploited if IIS 5.0 is enabled.

I used the IIS 5.0 Security Checklist when I deployed my server, and I followed its recommendation to remove all unneeded ISAPI mappings. Am I vulnerable?

If the mapping for the Internet Printing ISAPI extension has been removed, Internet printing requests cannot be levied, and the vulnerability cannot be exploited. As a result, if you followed the checklist's recommendations and removed the mapping for the Internet Printing ISAPI extension, you are not affected by this vulnerability.

I used the Security Template provided in the IIS 5.0 Security Checklist. Am I vulnerable?

The security template (hisecweb.inf) provided in the checklist removes the mapping for the Internet Printing ISAPI extension, so if you applied it you are not affected by the vulnerability.

I used the Windows 2000 Internet Server Security tool to configure my web server. Would that help protect me against the vulnerability?

Yes. The tool includes a questionnaire regarding the services you need to provide via the web server. Unless you specifically indicated that you wanted to retain Internet Printing, the tool disables the mapping for the Internet Printing ISAPI extension.

Does this vulnerability affect IIS 4.0 web servers?

No. Support for Internet printing was introduced in Windows 2000. It isn't present in Windows NT 4.0, so the vulnerability doesn't affect IIS 4.0 servers.

What does the patch do?

The patch eliminates the vulnerability by instituting proper input checking in the ISAPI extension.

I don't want to install the patch. Is there any other way to protect my web server?

The best way to protect your web server is to install the patch. However, if you can't do this for some reason, you also can protect your server by removing the mapping for the Internet Printing ISAPI extension, if you haven't already done so. As discussed in the IIS 5.0 Security Checklist, the procedure for doing this is:
Open Internet Services Manager
Right-click the Web server, and choose Properties from the context menu
Choose Master Properties
Select WWW Service | Edit | Home Directory | Configuration
Remove the entry for ".printer"

I removed the mapping for the Internet Printing ISAPI extension, but it's still there. Why is this happening?

Two factors control whether the Internet Printing ISAPI extension is mapped and enabled: the settings in the Internet Services Manager, and group policy. By default, Internet printing isn't configured in either domain or local group policy. However, if Internet printing has been configured in group policy -- either to enable or disable it -- the group policy settings will override those made via the Internet Services Manager.

To disable Internet printing in group policy, follow these steps:
Launch the Microsoft Management Console and load the snap-in for Group Policy
Select Computer Configuration, then Administrative Templates, then Printers.
Check the setting for Web-based Printing. By default, it is not configured. If it is enabled, disable it.

Alternatively, you can disable it by setting the following registry value to a DWORD value of 0x1:
HKLM\Software\Policies\Microsoft\Windows NT\Printers\DisableWebPrinting

I'm not sure whether the Internet Printing ISAPI extension is enabled on my system. How can I tell?

The only way to reliably determine whether the Internet Printing ISAPI extension is enabled is to log onto the server and use the Internet Services Manager. (See the previous Q&A for specific instructions.) Sending a print request to the server is not a reliable way to determine whether it's enabled.

Patch availability

Download locations for this patch:
Microsoft Windows 2000 Professional, Windows 2000 Server and Windows 2000 Advanced Server: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29321
Microsoft Windows 2000 Datacenter Server: Patches for Windows 2000 Datacenter Server are hardware-specific and available from the original equipment manufacturer.
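The unchecked copy described under "What's a buffer overrun?" above, shown beside the length check that answer says a program should always perform. This is an added illustration written for this bulletin, not Microsoft's code or the actual Internet Printing ISAPI extension; the request structure, the 32-byte parameter buffer and the function names are constructed assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a request handler: one fixed-size buffer for an
 * input parameter, with other data stored right next to it in memory. */
#define PARAM_MAX 32

struct print_request {
    char job_name[PARAM_MAX];   /* fixed-size buffer for one input parameter */
    int  copies;                /* neighbouring data an overrun would overwrite */
};

/* The defect class the bulletin describes: strcpy copies the whole source
 * without checking that job_name can hold it, so an over-long parameter
 * runs past the buffer into copies and beyond. Shown for contrast; not called here. */
void set_job_name_unchecked(struct print_request *req, const char *name)
{
    strcpy(req->job_name, name);
}

/* The fix: measure the input against the buffer's capacity before copying,
 * reject anything that does not fit, and always leave a terminated string.
 * Returns 0 on success, -1 if the parameter was rejected as too long. */
int set_job_name_checked(struct print_request *req, const char *name)
{
    size_t n = 0;
    while (n < PARAM_MAX && name[n] != '\0')   /* bounded scan: never reads past capacity */
        n++;
    if (n >= PARAM_MAX) {                      /* no room for the data plus its terminator */
        req->job_name[0] = '\0';
        return -1;
    }
    memcpy(req->job_name, name, n);
    req->job_name[n] = '\0';
    return 0;
}

int main(void)
{
    struct print_request req = { "", 3 };
    char oversized[PARAM_MAX * 4];               /* constructed over-long parameter */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("normal:    %d\n", set_job_name_checked(&req, "quarterly-report"));
    printf("oversized: %d, copies still %d\n", set_job_name_checked(&req, oversized), req.copies);
    return 0;
}
```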