
Lock IT Down: IPP vulnerability can bring down an IIS 5.0 server

A vulnerability with IIS 5.0


Ahh...the luxury of being able to transmit print jobs over the Internet! The Internet Printing Protocol (IPP) can save a lot of time and money by letting users manage print jobs at remote locations over the Internet via HTTP commands. In fact, it’s such a useful feature that Windows 2000 Server installations enable the IPP Internet Services Application Programming Interface (ISAPI) extension by default. Unfortunately, it turns out that the IPP ISAPI extension has an unchecked buffer that can let anyone on the Internet take over the server.

For the latest updates on the patch and this vulnerability, see the Microsoft Security Bulletin MS01-023.

Threat level—extreme
System penetration through this vulnerability could lead to full compromise of the Windows 2000 Server connected to the Internet and possibly to other systems connected to it, depending on how the network is configured. Your entire network may be compromised, or the damage might be isolated to the Win2K Server running Internet Printing Protocol.

An attacker making use of this vulnerability could take control of any Win2K Server with Internet Information Services installed (the default setting). If port 80 (HTTP) or port 443 (HTTPSecure) is open, the server is vulnerable. The major exception to this is if the administrator has removed IIS or the IPP ISAPI extension. (We discuss these options below.)

A firewall won’t protect against this buffer overrun unless it is configured to block all HTTP and HTTPS traffic. Essentially, if the firewall permits Web traffic, it provides no protection against this vulnerability.

Applicability
This problem applies to all installations of Windows 2000 Server, Advanced Server, and Datacenter Server unless you have specifically disabled the IPP ISAPI extension or not installed IIS.

No earlier version of Windows NT contained this feature, so there is no vulnerability outside the listed Windows 2000 Server versions. The vulnerability applies only to IIS 5.0; IIS 4.0 is not vulnerable.

Fix
Microsoft strongly recommends that all IIS 5.0 Server administrators immediately download and install this patch. The other option is to follow Microsoft’s high security recommendations for IIS installations and remove the IPP ISAPI extension, as explained in the “Secure Internet Information Services 5 Checklist,” posted June 2000.

Administrators concerned over installing patches (or those who can’t install this patch) can simply remove the IPP capability instead, if it isn’t in use on their system.
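
An added example, not from the original article or from Microsoft: a Python check that confirms the IPP mapping is really gone from every metabase node after removing the extension as described above. It assumes the IPP ISAPI extension is mapped to the `.printer` file extension and that each ScriptMaps entry has the form `ext,executable,flags[,verbs]`; the sample data and executable paths are constructed placeholders.

```python
"""Audit IIS 5.0 script mappings for a leftover Internet Printing (IPP) mapping.
Assumptions (not from the article): the IPP ISAPI extension is mapped to
".printer", and each ScriptMaps entry is "ext,executable,flags[,verbs]".
"""
from typing import NamedTuple

IPP_EXTENSION = ".printer"  # assumption, see docstring

class ScriptMap(NamedTuple):
    extension: str
    executable: str
    flags: int
    verbs: tuple  # empty tuple: the entry lists no verbs

def parse_script_map(entry: str) -> ScriptMap:
    """Parse one ScriptMaps string; raise ValueError if it is malformed."""
    fields = [f.strip() for f in entry.strip().strip('"').split(",")]
    if len(fields) < 3 or not fields[0].startswith((".", "*")):
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    ext, exe, flags, *verbs = fields
    return ScriptMap(ext.lower(), exe, int(flags), tuple(v.upper() for v in verbs if v))

def find_ipp_mappings(metabase: dict, extension: str = IPP_EXTENSION):
    """Return (hits, unparsed): nodes still mapping `extension`, and bad entries."""
    hits, unparsed = [], []
    for node, entries in sorted(metabase.items()):
        for entry in entries:
            try:
                mapping = parse_script_map(entry)
            except ValueError:
                unparsed.append((node, entry))  # surface for manual review
                continue
            if mapping.extension == extension.lower():
                hits.append((node, mapping))
    return hits, unparsed

# Constructed sample: ScriptMaps values for the master node and two sites.
# The executable paths are placeholders, not real file locations.
SAMPLE_METABASE = {
    "W3SVC": ['.asp,C:\\placeholder\\asp.dll,1,GET,HEAD,POST,TRACE',
              '.PRINTER,C:\\placeholder\\ipp-isapi.dll,1,GET,POST'],
    "W3SVC/1/ROOT": ['.asp,C:\\placeholder\\asp.dll,1,GET,HEAD,POST,TRACE'],
    "W3SVC/2/ROOT": ['".printer, C:\\placeholder\\ipp-isapi.dll, 1"', "garbage"],
}

if __name__ == "__main__":
    hits, unparsed = find_ipp_mappings(SAMPLE_METABASE)
    for node, m in hits:
        print(f"{node}: {m.extension} -> {m.executable} verbs={m.verbs or 'none listed'}")
```

An empty `hits` list means no node still maps the extension; anything in `unparsed` needs a manual look, because an entry that cannot be parsed cannot be ruled out.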

IPP is a standard protocol for managing print jobs over HTTP networks. It’s an industry standard as defined in RFCs 2910 and 2911. With Xerox’s interest in printing and copying, it shouldn’t be a surprise that you will find Xerox heavily involved in IPP’s development. IPP itself isn’t compromised with the IIS flaw; this is strictly a problem with the way some Microsoft servers handle IPP requests. Once the patch is installed to repair the buffer problem, your IPP services should not cause any other vulnerabilities.

The only good news related to this vulnerability is that it requires a certain amount of skill to exploit it by inserting executable code. For example, merely overloading the buffer with random data won’t cause a denial of service attack because the server would simply restart.
