Tutorial - Vulnerable Web Server (ISAPI)
Impact
Due to an unchecked buffer in an IIS 5.0 DLL, a maliciously crafted HTTP .print
request containing approximately 420 bytes in the 'Host:' field allows the
execution of arbitrary code. The vulnerability is most commonly found on Windows 2000.
Background
The Windows 2000/IIS 5.0 Internet printing ISAPI extension contains msw3prt.dll,
which handles user requests. An unchecked buffer in msw3prt.dll allows
the execution of arbitrary code. Typically a web server would stop responding
in a buffer overflow condition; however, once Windows 2000 detects an
unresponsive web server, it automatically performs a restart. Therefore,
the administrator will be unaware of this attack.
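Because the automatic restart hides the crash, one way to notice such requests is to inspect captured HTTP requests for a .print target combined with an oversized 'Host:' field. The Python check below is an added example, not part of the original tutorial; the 259-byte limit, the function names and the sample requests are assumptions constructed for illustration.

```python
import re

# Assumption: a legitimate Host value is at most a 253-byte DNS name plus ":65535".
MAX_HOST_LEN = 253 + 6
# Request targets whose path has an extension beginning with ".print".
PRINT_TARGET = re.compile(rb"\.print[^/?\s]*(?:[/?]|$)", re.IGNORECASE)


def inspect_request(raw: bytes):
    """Return a finding dict for a suspicious request, or None if it looks normal."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return None  # not a parsable request line
    target = parts[1]
    if not PRINT_TARGET.search(target):
        return None  # not routed to the printing extension
    # Collect every Host header and judge the longest one.
    hosts = [line.split(b":", 1)[1].strip() for line in lines[1:]
             if line.lower().startswith(b"host:")]
    longest = max((len(h) for h in hosts), default=0)
    if longest <= MAX_HOST_LEN:
        return None
    return {"target": target.decode("latin-1"), "host_len": longest,
            "reason": "oversized Host header on .print request"}


# Constructed sample requests (not captured traffic); the long Host is filler bytes.
SAMPLES = {
    "normal_page": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "normal_print": b"GET /printers/office.printer HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "long_host_other": b"GET /index.html HTTP/1.1\r\nHost: " + b"a" * 420 + b"\r\n\r\n",
    "long_host_print": b"GET /x.print HTTP/1.0\r\nHost: " + b"a" * 420 + b"\r\n\r\n",
}


def scan(samples):
    """Map sample name to finding for every request that is flagged."""
    findings = {name: inspect_request(raw) for name, raw in samples.items()}
    return {name: f for name, f in findings.items() if f is not None}


if __name__ == "__main__":
    for name, finding in scan(SAMPLES).items():
        print(name, finding)
```

The same length test can be applied at a reverse proxy or IDS in front of the server, where it still sees the request even though the web server restarts silently.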
Resolution