Microsoft KB Archive/296576

= Unchecked buffer in ISAPI extension could compromise Internet Information Services 5.0 =

Article ID: 296576

Article Last Modified on 11/1/2006

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Internet Information Services 5.0

-



This article was previously published under Q296576



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
Windows 2000 includes native support for Internet Printing Protocol (IPP), an industry-standard protocol for submitting and controlling print jobs over Hypertext Transfer Protocol (HTTP). The protocol is implemented in Windows 2000 by using an Internet Server Application Programming Interface (ISAPI) extension that is installed by default on all Windows 2000-based servers, but which can be accessed only by using IIS 5.0.

A security vulnerability exists because the ISAPI extension contains an unchecked buffer in a section of code that handles input parameters. This could enable a remote attacker to conduct a buffer overrun attack and cause code of his or her choice to run on the server. Such code would run in the Local System security context. This would give the attacker complete control of the server, and would enable him or her to take virtually any action he or she chose.

The attacker could exploit the vulnerability against any server with which he or she could conduct a Web session. No other services would need to be available, and only port 80 (HTTP) or 443 (HTTPS) would need to be open. This is a serious vulnerability, and Microsoft strongly recommends that all Internet Information Services (IIS) 5.0 administrators install this patch immediately.

NOTE: Although the affected component is not part of IIS, this vulnerability is exposed only if IIS 5.0 is running.
 * Servers on which the mapping for the Internet Printing ISAPI extension has been removed are not at risk from this vulnerability. The process for removing the mapping is discussed in the Secure Internet Information Services 5 Checklist document. The High Security template that is provided in the checklist removes the mapping, as does the Windows 2000 Internet Security tool unless the user explicitly chose to retain Internet printing.
 * The attacker's ability to extend his or her control from a compromised Web server to other computers would be heavily dependent on the specific configuration of the network. Best practices recommend that the network architecture reflect the position of special risk occupied by network-edge computers such as Web servers and use measures such as &quot;demilitarized zones&quot; (DMZs) and limited domain memberships to isolate such computers from the rest of the network. Taking such measures would impede an attacker's ability to broaden the scope of the vulnerability.



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file. The English version of this fix should have the following file attributes or later:   Date        Time    Version        Size    File name --  04/19/2001  03:25p  5.0.2195.2956  76,560  Msw3prt.dll



WORKAROUND
To work around this behavior and completely disable support for the Internet Printing Protocol (IPP) perform either of the following procedures:  From the Master IIS Properties, click Home Directory tab, click Configuration, click Printer Mapping, click Remove, and then click OK. When you are prompted for the child sites click Select All, click OK, and then restart IIS from Services in Control Panel.

-or-

 Disable Web Printing by setting the following registry key:

MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\Printers\DisableWebPrinting=1



NOTE: This key is not present on Windows 2000 Professional computers. The following files are available for download from the Microsoft Download Center:

English Language Version

Arabic Language Version

Chinese (Simplified) Language Version

Chinese (Traditional) Language Version

Czech Language Version

Danish Language Version

Dutch Language Version

Finnish Language Version

French Language Version

German Language Version

Greek Language Version

Hebrew Language Version

Hungarian Language Version

Italian Language Version

Japanese Language Version

Japanese NEC Language Version

Korean Language Version

Norwegian Language Version

Polish Language Version

Portuguese (Brazilian) Language Version

Portuguese Language Version

Russian Language Version

Spanish Language Version

Swedish Language Version

Turkish Language Version

This download updates the Msw3prt.dll file to the version and size noted in the &quot;Resolution&quot; section.

NOTE: The domain policy object may override local setting and reinsert the registry and metabase mapping.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.



MORE INFORMATION
For more information about this vulnerability, see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms01-023.mspx

For more information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the following article number to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 hotfixes

Additional query words: security_patch msw3prt dll

Keywords: kbbug kbfix kbqfe kbwin2000presp2fix KB296576

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.