IIS 5 Vulnerability

I will be sending this to Philipp for the front page, but I think that others may be like me and just go straight to the forums without going to the front page that often. This is an email that I got from www.iisanswers.com about a new hole found in IIS 5. Check it:
 
------------------------------------------------
Urgent Action required for IIS 5 Administrators
------------------------------------------------
 
I do not normally send out security bulletins so pardon the interruption.
However, a new and serious IIS 5 vulnerability has been announced by
Microsoft that requires your attention.
 
First of all, let me say, that this problem is just another in a continuing
series of attacks on anything and everything that IIS can do.
 
If you will do the following, you will eliminate the need for emergency
response to this and other issues as they continue to be exploited.
 
Rule: Disable all application mapping that you aren't using!
 
This new exploit involves a buffer overflow for the .printer ISAPI
extension. Most of you probably weren't even aware that IIS 5 can print to a
printer over HTTP so you can send a document to a printer using IIS 5. IIS
5, by default, recognizes .printer as an extension just like .asp or .htm.
Not exactly a mind-blowing capability, but certainly an exploitable one.
 
Here's what I do on a lot of servers to keep me from worrying about this and
other as of yet undiscovered problems of this nature.
 
Go to your Master website properties.
Click Home Directory
Click Configuration - the application mappings will be displayed.
You will see here the subject of many a security problem, .htr files, .idc,
and now .printer.
Ideally, remove all mapping except for those you use.
Since I don't know what my clients will want in the future, I preserve the
entry, but disable the functionality by adding to all extensions an "x_1"
(or something equally odd) except for .asp. So ".idq" becomes ".idqx_1",
".printer" becomes ".printerx_1". This will invalidate script kiddie tool
efforts to exploit these extensions. Now you could exploit the problem if
you could somehow figure out the correct extensions, but no one is going to
try that hard most likely and script kiddies won't have a clue how to
proceed. This is not a "solution" but will buy you time when exploits are
discovered. The solution is to remove the mapping and the associated dll if
possible.
 
This vulnerability will be included in automated hacking tools immediately,
so get on this. There is a hotfix as well should you prefer to keep this
ability.
 
---------------------------------
Brett Hill - IISAnswers.com
brett@iisanswers.com
MCSE MCT A+ Net+ CIW-TT
Specializing in IIS training
 
 
Just thought this should be shared.
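
An added example (not part of the original post or the quoted e-mail): a small audit of an exported application-mapping list against the extensions a site actually uses, separating unused default mappings from ones that were only renamed. The entry format (`.ext,handler path,flags,verbs`), the handler DLL names and the sample lines are assumptions constructed for illustration.

```python
from ntpath import basename  # parses Windows paths on any OS

# Constructed sample of an exported mapping list (assumed format:
# ".ext,handler path,flags,verbs..."); not taken from a real server.
SAMPLE = r"""
.asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE
.htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST
.idc,C:\WINNT\System32\inetsrv\httpodbc.dll,1,OPTIONS,GET,POST,PUT,DELETE
.idqx_1,C:\WINNT\System32\inetsrv\idq.dll,0,GET,HEAD,POST
.printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST
"""

# Assumed default handler DLL for each extension named in the e-mail.
DEFAULT_HANDLER_EXTS = {
    "asp.dll": {".asp"},
    "ism.dll": {".htr"},
    "httpodbc.dll": {".idc"},
    "idq.dll": {".idq"},
    "msw3prt.dll": {".printer"},
}

def parse_script_maps(text):
    """Return (extension, handler dll) pairs from an exported mapping list."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().strip('"')
        parts = line.split(",")
        if not line.startswith(".") or len(parts) < 2:
            continue  # skip blanks, headers and malformed lines
        entries.append((parts[0].lower(), basename(parts[1]).lower()))
    return entries

def audit(entries, in_use):
    """Classify each mapping against the set of extensions the site uses."""
    findings = []
    for ext, dll in entries:
        if ext in in_use:
            status = "keep"
        elif ext in DEFAULT_HANDLER_EXTS.get(dll, set()):
            status = "exposed"   # unused mapping under its well-known name
        elif dll in DEFAULT_HANDLER_EXTS:
            status = "renamed"   # obscured only: the handler DLL is still mapped
        else:
            status = "unknown"   # custom mapping, review by hand
        findings.append((ext, dll, status))
    return findings

if __name__ == "__main__":
    for ext, dll, status in audit(parse_script_maps(SAMPLE), {".asp"}):
        print(f"{status:8} {ext:12} -> {dll}")
```

Entries reported as "renamed" match the stop-gap described in the e-mail: they buy time, but the mapping and its DLL are still present until removed or patched.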


Responses to this topic


Yes, this patch is critical. I cannot remember MS ever writing this in the recommendation:
 
"Who should read this bulletin: All web server administrators using Microsoft® Windows® 2000
 
Impact of vulnerability: Run code of attacker’s choice in system context.
 
Recommendation: Microsoft strongly urges all IIS 5.0 server administrators to install the patch immediately."
 
 
Patch and more info:
http://www.microsoft.com/technet/security/bulletin/MS01-023.asp
 
/Toby