Microsoft IIS 5.0 Bug
Windows 2000 servers vulnerable to attack
Microsoft IIS 5.0 Opens Security Hole in Windows 2000
by Dave Murphy
Microsoft Corp. confirmed today that its webserver, IIS 5.0, opens a security hole in Windows 2000 (W2k) servers. Both W2k Server and W2k Advanced Server are affected by the bug, and a security patch is available from Microsoft. W2k Datacenter Server is hardware-specific, and security patches may be available from the OEM (Original Equipment Manufacturer).
An ISAPI extension that implements the Internet Printing Protocol (IPP) is at the root of the problem. IPP is a neat feature of W2k that grants permission to submit print jobs via HTTP to another PC connected to the Internet.
The ISAPI extension contains an unchecked buffer, which enables a remote attacker to cause a buffer overrun. The attacker can then submit code that would run in the Local System security context. By gaining Local System privileges, an attacker can gain complete control over a server, with the ability to load and execute any program; add, change or delete any data, including webpages; execute system commands; reconfigure the system; add new users or delete existing ones; and reformat the hard drive.
Microsoft recognizes the seriousness of this vulnerability and strongly recommends that all IIS 5.0 administrators install the patch immediately.
Microsoft also confirms that a firewall does not protect the network against intrusion in this case. Internet Printing operates over HTTP or HTTPS as part of a web session. As long as an attacker can start a web session with an affected server, that server is vulnerable.
References
Microsoft Security Bulletin
Previous issues are on our website at http://itrain.org/itinfo/.
International Association of Information Technology Trainers
Copyright © 2001 International Association of Information Technology Trainers, Ltd., All Rights Reserved