Internet Security Systems

IIS .printer overflow

advICE : Intrusions : 2002607

An attack was detected against the Microsoft .printer ISAPI filter.


The "msw3prt.dll" is an extension installed by default on Microsoft IIS 5.0 (the web-server included with Windows 2000 servers). This ISAPI extension provides support for the Internet Printing Protocol (IPP) standard.

A buffer-overflow bug was discovered in this extension.

Affected Systems

All versions of Microsoft IIS and PWS software, including the following patches: Windows 2000 SP2, Windows NT SP5


The .printer extension cannot be disabled. Therefore, the only defense is to patch the server.


Two conditions must both be true for this alert to trigger: first, the file extension must be ".printer"; second, a long HTTP "Host:" field must be included. The "HTTP field with binary" alert will also trigger for some known exploits.

Previous versions of the sensor triggered just on the HTTP HOST: field overflow. This signature was added to more clearly identify the attack.
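
The two trigger conditions above, and the older Host-only behaviour, sketched as detection logic over raw HTTP requests. This is an added example, not ISS sensor code: the 256-byte threshold, the definition of "binary", the alert labels, the choice to report only the more specific alert, and the sample requests are all assumptions constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

HOST_MAX = 256  # assumed cut-off; the page only says the Host field is "long"

def parse_request(raw: bytes):
    """Return (request target, {header name: [values]}) from a raw HTTP request."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    target = parts[1] if len(parts) >= 2 else b""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return target, headers

def has_binary(value: bytes) -> bool:
    # Assumed definition: any byte outside printable ASCII (tab allowed).
    return any(b != 9 and not 32 <= b <= 126 for b in value)

def classify(raw: bytes):
    """Return the alerts (illustrative labels) that a request raises."""
    target, headers = parse_request(raw)
    # Decode %-escapes and drop the query string before testing the extension.
    path = unquote_to_bytes(target.split(b"?", 1)[0]).lower()
    long_host = any(len(v) > HOST_MAX for v in headers.get(b"host", []))
    alerts = []
    if long_host and path.endswith(b".printer"):
        alerts.append("iis-printer-overflow")    # both conditions met
    elif long_host:
        alerts.append("http-host-overflow")      # older, Host-only signature
    if any(has_binary(v) for vs in headers.values() for v in vs):
        alerts.append("http-field-with-binary")
    return alerts

def req(path: bytes, host: bytes) -> bytes:
    return b"GET " + path + b" HTTP/1.0\r\nHost: " + host + b"\r\n\r\n"

# Constructed samples; the long values are plain filler bytes.
SAMPLES = {
    "normal print request": req(b"/printers/lj4/.printer", b"www.example.com"),
    "long Host, other URL": req(b"/index.html", b"A" * 420),
    "long Host + .printer": req(b"/x.printer", b"A" * 420),
    "escaped extension":    req(b"/x%2Eprinter?a=1", b"A" * 420),
    "binary Host":          req(b"/x.printer", b"\x80" * 420),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:22} -> {classify(raw)}")
```

The first sample shows that a ".printer" request with a normal Host value raises nothing, which is why the extension test alone is not used as the signature.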

More information
MS Bulletin: MS01-023   Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server
q296576   Unchecked Buffer in ISAPI Extension Could Compromise Internet Information Services 5.0
BugtraqID: 2674   Microsoft Windows 2000 IIS 5.0 IPP ISAPI 'Host:' Buffer Overflow Vulnerability  
Web-site dedicated to the development of the Internet Printing Protocol (IPP).
ISS Advisory 75   Remote IIS ISAPI Printer Extension Buffer Overflow
Version appeared: 2.5 
