What is ISAPI Extension? ISAPI working & ISAPI DLL Buffer Overflows

ISAPI Extension

An ISAPI extension is a dynamic link library (.dll) that uses ISAPI to provide a set of web functions above and beyond those natively provided by IIS. ISAPI is developed to provide advantage over the shortcomings of Common Gateway Interface, CGI. An ISAPI extension is a regular DLL file that exposes three special functions that are called by the calling process (i.e., IIS) and therefore, will be loaded to memory only once, irrespective of how many clients are going to use it at the same time.

Working

Once the concerned ISAPI DLL is loaded into memory, a worker thread starts running to manage the extension. The first function to be called is the entry point DLLMain function. On completion, the server makes a call to GetExtensionVersion function to perform two tasks - to exchange version information and to get a short text description of the extension. The server then calls the HttpExtensionProc function passing a copy of the ECB's pointer to start the actual ISAPI extension. This function makes writing data back to the client possible.

ISAPI DLL Buffer Overflows

As part of its installation process, IIS installs several ISAPI extensions -- .dlls that provide extended functionality. Among these is idq.dll, which is a component of Index Server (known in Windows 2000 as Indexing Service) and provides support for administrative scripts (.ida files) and Internet Data Queries (.idq files).

Recently, buffer overrun security vulnerability was detected because idq.dll contained an unchecked buffer in a section of code that handled input URLs. An attacker who could establish a web session with a server on which idq.dll was installed could conduct a buffer overrun attack and execute code on the web server. Idq.dll runs in the System context, therefore exploiting the vulnerability would give the attacker complete control of the server and allow him to take any desired action on it.

Exploitation of the buffer overflow involves sending an overlong variable to idq.dll, as shown in the following example, where [buffer] is equivalent to approximately 240 bytes:

GET / null.ida? [buffer] =X HTTP/1.1

Host: [arbitrary_value]

The buffer overrun occurs before any indexing functionality is requested. As a result, even though idq.dll is a component of Index Server/Indexing Service, the service would not need to be running in order for an attacker to exploit the vulnerability. As long as the script mapping for .idq or .ida files were present and the attacker were able to establish a web session, he could exploit the vulnerability.

An attacker who successfully exploited this vulnerability could gain complete control over an affected web server. This would give the attacker the ability to take any desired action on the server, including changing web pages, reformatting the hard drive or adding new users to the local administrators group.

Exploits

Perhaps the most prolific exploits that took advantage of the buffer overflow vulnerability are the code red and nimda worm. These worms are discussed in detail in the module on viruses. A worm is a generic term for a piece of code that replicates itself on a network. Recently, worms have been seen to exploit some popular remote security flaw to infect systems, take control of the victim, and causes damage before setting about launching new attacks against further victims

IPP Printer Overflow

• There is a buffer overflow in IIS within the ISAPI filter that handles .printer files (c:\winnt\system32\msw3prt.dll) that provides support for the Internet Printing Protocol (IPP)
• IPP enables the web-based control of various aspects of networked printers.
• The vulnerability arises when a buffer of approximately 420 bytes is sent within the HTTP host.
  GET /NULL.printer HTTP/1.0 HOST: [buffer]

Internet Printing Protocol

Windows 2000 introduced native support for the Internet Printing Protocol (IPP), an industry - standard protocol for submitting and controlling print jobs over HTTP. The protocol is implemented in Windows 2000 via an ISAPI extension that is installed by default as part of Windows 2000 but which can only be accessed via IIS 5.0.

Vulnerability There was a buffer overrun vulnerability that resulted because the ISAPI extension contained an unchecked buffer in a section of code that handled input parameters. This could enable a remote attacker to conduct a buffer overrun attack and cause code of his choice to run on the server. Such code would run in the Local System security context. This would give the attacker complete control of the server, and would enable him to take virtually any action he chose.

The attacker could exploit the vulnerability against any server with which he could conduct a web session. No other services would need to be available, and only port 80 (HTTP) or 443 (HTTPS) would need to be open.

Windows 2000 Internet printing ISAPI extension contains msw3prt.dll, which handles user requests. Security vulnerability, discovered by Riley Hassell from eEye, in msw2prt.dll, does not correctly perform input validation checking allowing an attacker to overflow a buffer and run any program in the SYSTEM context.

Due to the unchecked buffer in msw3prt.dll, a maliciously crafted HTTP .print request containing approx 420 bytes in the 'Host:' field will allow the execution of arbitrary code. A remote command shell is trivial for the attacker to execute and destructive for the web site because it allows the attacker complete control over the web server. If a web server would stop responding in a buffer overflow condition and Windows 2000 detects an unresponsive web server it automatically performs a restart. Therefore, the administrator will be unaware of this attack. This however makes it easier for remote attacks to execute code against Windows 2000 IIS 5.0 web servers. If Web-based Printing has been configured with a group policy, attempts to disable or unmap the affected extension via Internet Services Manager will be overridden by the group policy settings.

---Regards,

Amarjit Singh