Preface: IIS .printer overflowLogo -Internet Security Systems

IIS .printer overflow
advICE :Intrusions : 2002607
 FAQ
Oh my gosh, I'm being HACKED!!!
How do I report the hacker to my ISP?
I'm seeing lots of attacks, is this normal?
Summary

An attack was detected against the Microsoft .printer ISAPI filter.

Details

The "msw3prt.dll" is an extension installed by default on Microsoft IIS 5.0 (the web-server included with Windows 2000 servers). This ISAPI extension provides support for the Internet Printing Protocol (IPP) standard.

A buffer-overflow bug was discovered in this extension.

Affected Systems

All versions of Microsoft IIS and PWS software, including the following patches: Windows 2000 PS2, Windows NT SP5

Defense

The .printer extension cannot be disabled. Therefore, the only defense is to patch the server.

Trigger

Two conditions must be true for this alert to trigger. First, the file extension must be ".printer"; secondly, a long HTTP "Host:" field must be included. The HTTP field with binary alert will also trigger for some known exploits.

Previous versions of the sensor triggered just on the HTTP HOST: field overflow. This signature was added to more clearly identify the attack.

 more information
MS Bulletin: MS01-023   Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server
 
q296576   Unchecked Buffer in ISAPI Extension Could Compromise Internet Information Services 5.0
 
BugtraqID: 2674   Microsoft Windows 2000 IIS 5.0 IPP ISAPI 'Host:' Buffer Overflow Vulnerability
 
http://www.pwg.org/ipp/  
Web-site dedicated to the developement of the Internet Printing Protocol (IPP).  
ISS Advisory 75   Remote IIS ISAPI Printer Extension Buffer Overflow
 
CVE-2001-0241  
  
 
Version appeared: 2.5
Privacy Policy |  Copyright Info