Security 10808 Published by

Thanks to clutch for forwarding me the follow newsletter from IIS Answers:

------------------------------------------------
Urgent Action required for IIS 5 Administrators
------------------------------------------------

I do not normally send out security bulletins so pardon the interruption. However, a new and serious IIS 5 vulnerability has been announced by Microsoft that requires your attention.

First of all, let me say, that this problem is just another in a
continuing series of attacks on anything and everything that IIS can do.

If you will do the following, you will eliminate the need for emergency response to this and other issues as they continue to be exploited.

Rule: Disable all application mapping that you aren´t using!

This new exploit involves a buffer overflow for the .printer isapi
extension. Most of you probably weren´t even aware that IIS 5 can print to a printer over HTTP so you can send a document to a printer using IIS 5. IIS 5, by default, recognizes .printer as an extension just like .asp or .htm. Not exactly a mind blowing capability, but certainly an exploitable one.

Here´s what I do on a lot of servers to keep me from worrying about this and other as of yet undiscovered problems of this nature.

Goto your Master website properties.
Click Home Directory
Click Configuration - the application mappings will be displayed.
You will see here the subject of many a security problem, .htr files,
.idc, and now .printer.
Ideally, remove all mapping except for those you use.
Since I don´t know what my clients will want in the future, I preserve the entry, but disable the functionality by adding to all extensions an "x_1" (or something equally odd) except for .asp. So ".idq" becomes ".idqx_1", ".printer" becomes ".printerx_1". This will invalidate script kiddie tool efforts to exploit these extensions. Now you could exploit the problem if you could somehow figure out the correct extensions, but no one is going to try that hard most likely and script kiddies won´t have a clue how to proceed. This is not a "solution" but will buy you time when exploits are discovered. The solution is to remove the mapping and the associated dll if possible.

This vulnerability will be included in automated hacking tools immediately, so get on this. There is a hotfix as well should you prefer to keep this ability.

---------------------------------
Brett Hill - IISAnswers.com
brett@iisanswers.com (303) 543-7502
MCSE MCT A+ Net+ CIW-TT
Specializing in IIS training