ADVISORY 01-011
"Buffer Overflow Vulnerability in Microsoft's Internet Information Services (IIS) 5.0"
May 02, 2001

The NIPC agrees with Microsoft's assessment that the threat level of the
above vulnerability is high. Microsoft
has issued Microsoft Security Bulletin MS01-023 regarding an unchecked buffer
in an Internet Service Application Program Interface (ISAPI) extension that
could allow the compromise of an IIS 5.0 web server. The bulletin can be
found at:
http://www.microsoft.com/technet/security/bulletin/MS01-023.asp

This vulnerability affects versions of IIS 5.0 running on: Windows 2000 Server,
Windows 2000 Advanced Server, and Windows 2000 Datacenter Server. Microsoft
has developed a patch which can be downloaded via the bulletin. Microsoft strongly
recommends that all IIS 5.0 administrators mitigate the vulnerability immediately
by applying the patch or by using the workaround procedure documented in the
Frequently Asked Questions (FAQ) section of the bulletin.

The NIPC is issuing this advisory to confirm the significance of this vulnerability
and to let systems administrators know that hackers could exploit this vulnerability
and gain system-level access. This would allow an attacker to take any action
desired, such as installing malicious code, running programs, reconfiguring,
adding, changing, or deleting files. Based on the nature of the potential harm
(local system account compromise), the traditional ease with which buffer overflows
are accomplished, and the NIPC's assessment that there is a strong likelihood
that this vulnerability may be exploited against the large number of Windows
2000 servers running IIS 5.0, the NIPC considers this to be a high threat level
and is issuing this advisory in advance of any reported victims. The NIPC emphasizes
the recommendation that all computer network system administrators consider
applying the patch or workaround.

As further detailed in Microsoft's bulletin, the buffer overflow vulnerability
exists in an ISAPI extension used for Internet printing. The ISAPI filter performs
inadequate "bounds checking" in a section of code that handles input
parameters. This could enable a remote attacker to conduct a buffer overrun
attack which could lead to local system access. This vulnerability allows remote
access to an account with local system privileges, which would permit exploitation
over the Internet, and is described by Microsoft as "extremely serious."
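
For administrators gauging exposure, the following added example (not part of the NIPC advisory or Microsoft's bulletin) scans IIS W3C extended log lines for requests that reached the Internet printing mapping and counts them per client. It assumes the printing extension is served through the ".printer" script mapping, which the advisory does not state; the log lines and addresses are constructed.

```python
"""Added example: triage IIS W3C extended logs for Internet printing requests."""
from collections import Counter

# Assumption (not stated in the advisory): Internet printing requests in
# IIS 5.0 are routed through the ".printer" script mapping.
PRINTING_SUFFIX = ".printer"

# Constructed sample log; client addresses come from documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-05-02 10:15:01 192.0.2.10 GET /default.htm 200
2001-05-02 10:15:07 198.51.100.7 GET /null.printer 500
2001-05-02 10:16:30 192.0.2.10 GET /images/logo.gif 304
2001-05-02 10:17:12 198.51.100.7 GET /a.PRINTER 500
#Fields: date time cs-uri-stem c-ip sc-status
2001-05-02 11:02:44 /printers/hp/.printer 203.0.113.5 200
"""


def printing_requests(lines):
    """Yield one dict per log entry whose URI stem targets the printing mapping."""
    fields = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The column layout can change mid-file, so re-read it every time.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        entry = dict(zip(fields, values))
        if entry.get("cs-uri-stem", "").lower().endswith(PRINTING_SUFFIX):
            yield entry


def hits_by_client(lines):
    """Count printing-mapping requests per client address."""
    return Counter(e.get("c-ip", "-") for e in printing_requests(lines))


if __name__ == "__main__":
    for ip, count in hits_by_client(SAMPLE_LOG.splitlines()).most_common():
        print(f"{ip}\t{count}")
```

On a server that does not offer Internet printing, any client listed by this script merits review alongside confirmation that the patch or workaround is in place.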

Recipients of this advisory are encouraged to report computer crime to their
local FBI office (http://www.fbi.gov/contact/fo/fo.htm)
or the NIPC, and to other appropriate authorities. Incidents may be reported
online at http://www.nipc.gov/incident/cirr.htm

The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206
or nipc.watch@fbi.gov