clutch 1 Posted May 2, 2001

I will be sending this to Philipp for the front page, but I think that others may be like me and just go straight to the forums without going to the front page that often. This is an email that I got from www.iisanswers.com about a new hole found in IIS 5. Check it:

------------------------------------------------
Urgent Action required for IIS 5 Administrators
------------------------------------------------

I do not normally send out security bulletins so pardon the interruption. However, a new and serious IIS 5 vulnerability has been announced by Microsoft that requires your attention.

First of all, let me say that this problem is just another in a continuing series of attacks on anything and everything that IIS can do. If you will do the following, you will eliminate the need for emergency response to this and other issues as they continue to be exploited.

Rule: Disable all application mappings that you aren't using!

This new exploit involves a buffer overflow for the .printer ISAPI extension. Most of you probably weren't even aware that IIS 5 can print to a printer over HTTP, so you can send a document to a printer using IIS 5. IIS 5, by default, recognizes .printer as an extension just like .asp or .htm. Not exactly a mind-blowing capability, but certainly an exploitable one.

Here's what I do on a lot of servers to keep me from worrying about this and other as of yet undiscovered problems of this nature.

Go to your Master website properties.
Click Home Directory.
Click Configuration - the application mappings will be displayed.

You will see here the subject of many a security problem: .htr files, .idc, and now .printer. Ideally, remove all mappings except for those you use. Since I don't know what my clients will want in the future, I preserve the entry, but disable the functionality by adding to all extensions an "x_1" (or something equally odd) except for .asp. So ".idq" becomes ".idqx_1", ".printer" becomes ".printerx_1".

This will invalidate script kiddie tool efforts to exploit these extensions. Now you could exploit the problem if you could somehow figure out the correct extensions, but no one is going to try that hard most likely and script kiddies won't have a clue how to proceed. This is not a "solution" but will buy you time when exploits are discovered. The solution is to remove the mapping and the associated dll if possible.

This vulnerability will be included in automated hacking tools immediately, so get on this. There is a hotfix as well should you prefer to keep this ability.

---------------------------------
Brett Hill - IISAnswers.com
brett@iisanswers.com
MCSE MCT A+ Net+ CIW-TT
Specializing in IIS training

Just thought this should be shared.
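The e-mail's distinction between renaming an extension and removing the mapping, as an added example that is not part of the original posts or the e-mail: a Python audit that reports every application mapping whose handler DLL is not on an allowlist, whatever its extension has been renamed to. The `extension,handler,flags,verbs` entry layout, the sample entries and the allowlist are assumptions constructed for illustration.

```python
# Added example: audit IIS application mappings by handler DLL, not extension.
# Assumption: each entry is "extension,handler path,flags,verb,verb,...".
import ntpath

# Constructed sample: two extensions renamed with "x_1", one left as shipped.
SAMPLE_SCRIPT_MAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".idqx_1,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST",
    r".printerx_1,C:\WINNT\System32\msw3prt.dll,1,GET,POST",
    r".htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST",
]

# Hypothetical allowlist: the only handler this site actually uses.
ALLOWED_HANDLERS = {"asp.dll"}


def parse_mapping(entry):
    """Split one mapping entry into extension, handler DLL name and verbs."""
    parts = [p.strip() for p in entry.strip().strip('"').split(",")]
    if len(parts) < 3 or not parts[0].startswith(".") or not parts[1]:
        raise ValueError("unrecognized mapping entry: %r" % entry)
    return {
        "ext": parts[0].lower(),
        "handler": ntpath.basename(parts[1]).lower(),
        "verbs": parts[3:],
    }


def audit(entries, allowed=ALLOWED_HANDLERS):
    """Return (extension, handler) for every mapping whose DLL is not allowed."""
    findings = []
    for entry in entries:
        mapping = parse_mapping(entry)
        # Match on the DLL: a renamed extension still loads the same handler.
        if mapping["handler"] not in allowed:
            findings.append((mapping["ext"], mapping["handler"]))
    return findings


if __name__ == "__main__":
    for ext, handler in audit(SAMPLE_SCRIPT_MAPS):
        print("still mapped: %-12s -> %s" % (ext, handler))
```

Anything the audit reports is a handler the server will still load on request, so it is a candidate for removal or for the hotfix.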
Toby 0 Posted May 2, 2001

Yes, this patch is critical. I cannot remember MS ever writing this in the recommendation:

"Who should read this bulletin: All web server administrators using Microsoft® Windows® 2000
Impact of vulnerability: Run code of attacker’s choice in system context.
Recommendation: Microsoft strongly urges all IIS 5.0 server administrators to install the patch immediately."

Patch and more info: http://www.microsoft.com/technet/security/bulletin/MS01-023.asp

/Toby