This attack could pose a moderate security threat. It does not require immediate action.
This signature detects buffer overflow attempts that exploit the IIS ISAPI Printer extension vulnerability.
The Internet Printing Protocol (IPP) enables remote users to submit various print-related jobs over the Internet via HTTP, using .printer requests.
An unchecked buffer exists in the Internet printing ISAPI extension in Windows 2000 (C:\WINNT\System32\msw3prt.dll), which handles user requests. IPP depends on msw3prt.dll for functionality.
A host running Windows 2000 with IIS 5.0 is susceptible to the execution of arbitrary code, via an unchecked buffer in msw3prt.dll. If an HTTP .printer request containing approximately 420 bytes in the "Host:" field is sent to the target, IIS will experience a buffer overflow and allow the execution of arbitrary code.
Unfortunately, the Internet printing ISAPI extension runs in the LOCAL SYSTEM context; therefore, the attacker can specify arbitrary code to be run at SYSTEM privileges.
Typically, a Web server would stop responding in a buffer overflow condition; however, once Windows 2000 detects an unresponsive Web server, it automatically performs a restart. Therefore, the administrator will be unaware of this attack.
Successful exploitation of this vulnerability could lead to a complete compromise of the target host.
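The condition described above (a .printer request with an oversized "Host:" field) can be checked as in the following added example. It is not the vendor's signature logic; the function names, the 255-byte threshold and the sample requests are assumptions made for illustration.

```python
from urllib.parse import unquote_to_bytes

# Assumption: a DNS name is at most 253 bytes; 255 leaves room for a short port.
MAX_HOST_LEN = 255


def parse_request(raw: bytes):
    """Split a raw HTTP request head into (target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            # Keep every occurrence: a duplicate Host header must not hide a long one.
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return parts[1], headers


def is_printer_host_overflow(raw: bytes, max_host_len: int = MAX_HOST_LEN) -> bool:
    """True when a .printer request carries a Host value longer than max_host_len."""
    try:
        target, headers = parse_request(raw)
    except ValueError:
        return False
    # Decode percent-escapes and drop the query string before matching the extension.
    path = unquote_to_bytes(target.split(b"?", 1)[0]).lower()
    if not path.endswith(b".printer"):
        return False
    return any(len(v) > max_host_len for v in headers.get(b"host", []))


# Constructed sample requests (filler bytes only).
BENIGN = b"GET /printers/office/.printer HTTP/1.1\r\nHost: print.example.com\r\n\r\n"
OVERSIZED = b"GET /x.printer HTTP/1.0\r\nHost: " + b"A" * 420 + b"\r\n\r\n"
ENCODED = b"GET /x%2Eprinter?a=1 HTTP/1.1\r\nHost: " + b"A" * 420 + b"\r\n\r\n"
OTHER_PATH = b"GET /index.html HTTP/1.1\r\nHost: " + b"A" * 420 + b"\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("oversized", OVERSIZED),
                      ("encoded", ENCODED), ("other_path", OTHER_PATH)):
        print(name, is_printer_host_overflow(req))
```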
Note: If Web-based printing has been configured in the group policy, the group policy settings will override the attempts to disable or unmap the affected extension via the Internet Services Manager.
Microsoft has released a patch that rectifies this issue. Patches for the Windows 2000 Datacenter Server are hardware-specific and available from the original equipment manufacturer.
For Microsoft IIS 5.0: Microsoft Q296576