Internet Printing Protocol (IPP) enables remote users to submit various print-related
jobs over the Internet via HTTP (.print).
An unchecked buffer exists in the Internet printing ISAPI extension in Windows 2000 that
handles user requests (C:\WINNT\System32\msw3prt.dll). The Internet Printing Protocol
(IPP) depends on msw3prt.dll for functionality.
A host running Windows 2000 with IIS 5.0 is susceptible to the execution of arbitrary
code via an unchecked buffer in msw3prt.dll. If an HTTP .print request containing approximately
420 bytes in the 'Host:' field is sent to the target, IIS will experience a
buffer overflow and allow the execution of arbitrary code. Unfortunately, the Internet
printing ISAPI extension runs in the LOCAL SYSTEM context; therefore, the attacker can
specify arbitrary code to be run with SYSTEM privileges.
Typically, a web server would stop responding in a buffer overflow condition; however,
once Windows 2000 detects an unresponsive web server, it automatically performs a restart.
Therefore, the administrator will be unaware of this attack.
Successful exploitation of this vulnerability could lead to complete compromise of the target host.
If Web-based Printing has been configured in group policy, attempts to disable or unmap
the affected extension via Internet Services Manager will be overridden by the group policy settings.
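
Because the automatic restart hides the crash, the request itself is the most reliable thing to detect. The following added example (not part of the original advisory) parses raw HTTP requests and flags any .print request whose 'Host:' value is oversized. The 255-byte threshold, the function names and the sample requests are assumptions made for this illustration.

```python
import re

# Assumption: 255 bytes is a generous ceiling for a legitimate Host value
# (DNS names are at most 253 characters, plus an optional ":port").
MAX_HOST_LEN = 255
# Matches a path ending in an extension that starts with ".print".
PRINT_EXT = re.compile(r"\.print\w*$", re.IGNORECASE)


def parse_request(raw: bytes):
    """Return (method, path, [Host values]) from a raw HTTP request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    method, target = parts[0], parts[1]
    path = target.split("?", 1)[0]  # ignore any query string
    hosts = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":  # header names are case-insensitive
            hosts.append(value.strip())
    return method, path, hosts


def is_suspicious(raw: bytes, max_host_len: int = MAX_HOST_LEN) -> bool:
    """Flag print-extension requests that carry an oversized Host header."""
    try:
        _, path, hosts = parse_request(raw)
    except ValueError:
        return False
    if not PRINT_EXT.search(path):
        return False
    return any(len(h) > max_host_len for h in hosts)


# Constructed sample requests (filler bytes only, no payload).
BENIGN = b"GET /printers/lab.print HTTP/1.0\r\nHost: print.example.test\r\n\r\n"
OVERSIZED = b"GET /queue.print HTTP/1.0\r\nHost: " + b"A" * 420 + b"\r\n\r\n"
OTHER_PATH = b"GET /index.html HTTP/1.0\r\nHost: " + b"A" * 420 + b"\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("oversized", OVERSIZED),
                       ("other path", OTHER_PATH)):
        print(f"{label}: {'ALERT' if is_suspicious(req) else 'ok'}")
```

The same length check can be applied at a reverse proxy or IDS in front of the server, which still sees the request even when the IIS restart hides the crash from the administrator.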