Major vulnerability in Microsoft Web server software uncovered

eEye Digital Security has discovered a major security vulnerability in Microsoft Windows 2000 IIS 5.0 Web Server software.

The vulnerability is within the code that handles Internet Printing, which is implemented as an ISAPI filter. The Internet Printing ISAPI filter does not do proper ‘bounds checking’ on user inputted buffers and therefore is susceptible to buffer overflow attacks.

Attackers that leverage the vulnerability can gain full access to any server that is running a default installation of Windows 2000 and using Microsoft’s Internet Information Services Web Server software.

Therefore, such an attacker can gain control over the server and take any desired action, including installing and running programs; manipulating Web server databases; adding, changing or deleting files and Web pages; or taking other actions.

The vulnerability impacts servers running IIS 5.0 with Microsoft Windows 2000 Server, Windows 2000 Advanced Server and Windows 2000 Datacenter Server. With the ubiquity of Microsoft’s use on Web servers worldwide, this vulnerability potentially impacts millions of servers and leaves thousands of companies and organizations totally exposed to network intrusion, operational disruption and client proprietary data exposure.

‘This is a very, very serious vulnerability that should be treated with the utmost urgency and priority by network administrators globally,’ said Marc Maiffret, Chief Hacking Officer at eEye Digital Security.

‘Administrators should refer immediately to the advisory and patch being released by Microsoft today.’

eEye alerted Microsoft’s security team immediately upon discovery of the vulnerability and has worked closely with Microsoft on the development of a patch and the expeditious alerting of the issue to administrators worldwide.

In discovering the vulnerability, eEye has also developed an ‘exploit’ that leverages the ISAPI vulnerability. This exploit is a piece of computer code that would be used by an attacker to compromise the server under assault and was developed by eEye to prove that the vulnerability exists and is very serious.

‘The exploit we developed can be pointed at any Windows 2000 IIS 5.0 Web server and within a matter of a few seconds we will have complete SYSTEM level access (command prompt) to that machine at which point we are able to execute any commands we wish,’ said Maiffret. ‘We have shared the exploit with Microsoft to demonstrate the seriousness of our finding. eEye has decided not to release the exploit to the general public given the potential abuse by malicious individuals.

‘After working closely with Microsoft to help them create a patch for this vulnerability, we were assured and we are confident that Microsoft will do everything within its power to help get the word out on this most serious vulnerability.’

eEye discovered the vulnerability while conducting its ongoing research of new network security vulnerabilities.