Rapid7 Vulnerability & Exploit Database

Microsoft Windows 2000 IIS 5.0 IPP ISAPI Host: Buffer Overflow Vulnerability

Back to Search

Microsoft Windows 2000 IIS 5.0 IPP ISAPI Host: Buffer Overflow Vulnerability



Internet Printing Protocol (IPP) enables remote users to submit various print related jobs over the internet via the HTTP protocol (.print).

An unchecked buffer exists in the Internet printing ISAPI extension in Windows 2000 that handles user requests (C:\WINNT\System32\msw3prt.dll). The Internet Printing Protocol (IPP) depends on msw3prt.dll for functionality.

A host running Windows 2000 with IIS 5.0 is susceptible to the execution of arbitrary code via an unchecked buffer in msw3prt.dll. If a HTTP .print request containing approx 420 bytes in the 'Host:' field is sent to the target, IIS will experience a buffer overflow and allow the execution of arbitrary code. Unfortunately, the Internet printing ISAPI extension runs in the LOCAL SYSTEM context; therefore, the attacker can specify arbitrary code to be run at SYSTEM privileges.

Typically a web server would stop responding in a buffer overflow condition; however, once Windows 2000 detects an unresponsive web server it automatically performs a restart. Therefore, the administrator will be unaware of this attack.

Successful exploitation of this vulnerability could lead to complete compromise of the target host.

If Web-based Printing has been configured in group policy, attempts to disable or unmap the affected extension via Internet Services Manager will be overridden by the group policy settings.


  • http-iis-0049

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center