Signature Detail

HTTP: IIS .printer ISAPI Buffer Overflow

This signature detects attempts to execute a known vulnerability against Microsoft IIS 5.0 .printer ISAPI extension. Attackers can send a malicious HTTP printer request that might cause a buffer overflow, consequently allowing them to execute arbitrary code or take control of the affected system.

Extended Description

Windows 2000 Internet printing ISAPI extension contains msw3prt.dll which handles user requests. Due to an unchecked buffer in msw3prt.dll, a maliciously crafted HTTP .printer request containing approx 420 bytes in the 'Host:' field will allow the execution of arbitrary code. Typically a web server would stop responding in a buffer overflow condition; however, once Windows 2000 detects an unresponsive web server it automatically performs a restart. Therefore, the administrator will be unaware of this attack. * If Web-based Printing has been configured in group policy, attempts to disable or unmap the affected extension via Internet Services Manager will be overridden by the group policy settings.

Affected Products

• Microsoft IIS 5.0

References

• BugTraq: 2674
• CERT: CA-2001-10
• CVE: CVE-2001-0241
• URL: http://archives.neohapsis.com/archives/bugtraq/2001-05/0006.html