Vulnerabilities > CVE-2001-0241 - Buffer Overflow vulnerability in Microsoft IIS 5.0 .printer ISAPI Extension

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

microsoft

critical

nessus

exploit available

metasploit

NVD

Published: 2001-06-27

Updated: 2019-04-30

Summary

Buffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root privileges via a long print request that is passed to the extension through IIS 5.0.

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows 2000 *	1

Exploit-Db

description	Microsoft IIS 5.0 .printer ISAPI Extension Buffer Overflow Vulnerability (2). CVE-2001-0241. Remote exploit for windows platform
id	EDB-ID:20816
last seen	2016-02-02
modified	2001-05-01
published	2001-05-01
reporter	dark spyrit
source	https://www.exploit-db.com/download/20816/
title	Microsoft IIS 5.0 - .printer ISAPI Extension Buffer Overflow Vulnerability 2

description	Microsoft IIS 5.0 Printer Host Header Overflow. CVE-2001-0241. Remote exploit for windows platform
id	EDB-ID:16469
last seen	2016-02-01
modified	2010-04-30
published	2010-04-30
reporter	metasploit
source	https://www.exploit-db.com/download/16469/
title	Microsoft IIS 5.0 Printer Host Header Overflow

description	MS Windows 2000 sp1/sp2 isapi .printer Extension Overflow Exploit. CVE-2001-0241. Remote exploit for windows platform
id	EDB-ID:266
last seen	2016-01-31
modified	2001-05-07
published	2001-05-07
reporter	Ryan Permeh
source	https://www.exploit-db.com/download/266/
title	Microsoft Windows 2000 SP1/SP2 - isapi .printer Extension Overflow Exploit

description	Microsoft IIS 5.0 .printer ISAPI Extension Buffer Overflow Vulnerability (1). CVE-2001-0241. Remote exploit for windows platform
id	EDB-ID:20815
last seen	2016-02-02
modified	2001-05-01
published	2001-05-01
reporter	storm
source	https://www.exploit-db.com/download/20815/
title	Microsoft IIS 5.0 - .printer ISAPI Extension Buffer Overflow Vulnerability 1

description	Microsoft IIS 5.0 .printer ISAPI Extension Buffer Overflow Vulnerability (4). CVE-2001-0241. Remote exploit for windows platform
id	EDB-ID:20818
last seen	2016-02-02
modified	2001-05-01
published	2001-05-01
reporter	Cyrus The Great
source	https://www.exploit-db.com/download/20818/
title	Microsoft IIS 5.0 - .printer ISAPI Extension Buffer Overflow Vulnerability 4

description	Microsoft IIS 5.0 .printer ISAPI Extension Buffer Overflow Vulnerability (3). CVE-2001-0241. Remote exploit for windows platform
id	EDB-ID:20817
last seen	2016-02-02
modified	2005-02-02
published	2005-02-02
reporter	styx
source	https://www.exploit-db.com/download/20817/
title	Microsoft IIS 5.0 - .printer ISAPI Extension Buffer Overflow Vulnerability 3

description	MS Windows 2000 sp1/sp2 isapi .printer Extension Overflow Exploit (2). CVE-2001-0241. Remote exploit for windows platform
id	EDB-ID:268
last seen	2016-01-31
modified	2001-05-08
published	2001-05-08
reporter	dark spyrit
source	https://www.exploit-db.com/download/268/
title	Microsoft Windows 2000 SP1/SP2 - isapi .printer Extension Overflow Exploit 2

Metasploit

description	This exploits a buffer overflow in the request processor of the Internet Printing Protocol ISAPI module in IIS. This module works against Windows 2000 service pack 0 and 1. If the service stops responding after a successful compromise, run the exploit a couple more times to completely kill the hung process.
id	MSF:EXPLOIT/WINDOWS/IIS/MS01_023_PRINTER
last seen	2020-01-15
modified	2018-09-15
published	2005-12-25
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0241 https://seclists.org/lists/bugtraq/2001/May/0005.html
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/iis/ms01_023_printer.rb
title	MS01-023 Microsoft IIS 5.0 Printer Host Header Overflow

Nessus

NASL family	Web Servers
NASL id	IIS5_PRINTER.NASL
description	The remote version of the IIS web server contains a bug which might be used by an attacker to execute arbitrary code on the remote system. To exploit this vulnerability, an attacker would need to send a malicious HTTP/1.1 request to the remote host.
last seen	2020-06-01
modified	2020-06-02
plugin id	10657
published	2001-05-01
reporter	This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/10657
title	MS01-023: Microsoft IIS 5.0 Malformed HTTP Printer Request Header Remote Buffer Overflow (953155) (uncredentialed check)
code	# # (C) Tenable Network Security, Inc. # # Initial version written by John Lampe include("compat.inc"); if (description) { script_id(10657); script_version("1.48"); script_cvs_date("Date: 2018/11/15 20:50:25"); script_cve_id("CVE-2001-0241"); script_bugtraq_id(2674); script_xref(name:"CERT", value:"516648"); script_xref(name:"CERT-CC", value:"CA-2001-10"); script_xref(name:"MSFT", value:"MS01-023"); script_xref(name:"MSKB", value:"296576"); script_name(english:"MS01-023: Microsoft IIS 5.0 Malformed HTTP Printer Request Header Remote Buffer Overflow (953155) (uncredentialed check)"); script_summary(english:"Makes sure that MS01-023 is installed on the remote host"); script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host thru IIS."); script_set_attribute(attribute:"description", value: "The remote version of the IIS web server contains a bug which might be used by an attacker to execute arbitrary code on the remote system. To exploit this vulnerability, an attacker would need to send a malicious HTTP/1.1 request to the remote host."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-023"); script_set_attribute(attribute:"solution", value:"Microsoft has released a patch for Windows 2000."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MS01-023 Microsoft IIS 5.0 Printer Host Header Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?faa4ec33"); script_set_attribute(attribute:"vuln_publication_date", value:"2001/05/01"); script_set_attribute(attribute:"patch_publication_date", value:"2001/05/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2001/05/01"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis"); script_end_attributes(); script_category(ACT_ATTACK); script_dependencie("find_service1.nasl", "http_version.nasl", "www_fingerprinting_hmap.nasl"); script_family(english:"Web Servers"); script_copyright(english:"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc."); script_require_ports("Services/www", 80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); port = get_http_port(default:80); if (report_paranoia < 2) { server_name = http_server_header(port:port); if (server_name) { if ("Microsoft-IIS" >!< server_name) audit(AUDIT_WRONG_WEB_SERVER, "IIS", port); if ("Microsoft-IIS/5.0" >!< server_name) audit(AUDIT_NOT_LISTEN, "IIS 5.0", port); } else { sig = get_kb_item("www/hmap/" + port + "/description"); if (!sig) exit(0, "The web server listening on port "+port+" was not fingerprinted."); else { if ("IIS" >!< sig) audit(AUDIT_WRONG_WEB_SERVER, "IIS", port); else if ("IIS/5.0" >!< sig) audit(AUDIT_NOT_LISTEN, "IIS 5.0", port); } } } req = 'GET /NULL.printer HTTP/1.1\r\nHost: ' + crap(257) + '\r\n\r\n'; w = http_send_recv_buf(port:port, data:req); if (w[0] =~ "HTTP/[0-9.]+ 500 13") security_hole(port); else audit(AUDIT_LISTEN_NOT_VULN, "IIS 5.0", port);

Oval

accepted

2011-05-16T04:00:15.997-04:00

class

vulnerability

contributors

name Christine Walzer
organization The MITRE Corporation
name Ingrid Skoog
organization The MITRE Corporation
name Shane Shaffer
organization G2, Inc.
name Sudhir Gandhe
organization Telos
name Shane Shaffer
organization G2, Inc.

description

Buffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root privileges via a long print request that is passed to the extension through IIS 5.0.

family

windows

oval:org.mitre.oval:def:1068

status

accepted

submitted

2004-05-12T12:00:00.000-04:00

title

Windows 2000 Internet Printing ISAPI Extension Buffer Overflow

version

Packetstorm

data source	https://packetstormsecurity.com/files/download/82923/ms01_023_printer.rb.txt
id	PACKETSTORM:82923
last seen	2016-12-05
published	2009-10-30
reporter	H D Moore
source	https://packetstormsecurity.com/files/82923/Microsoft-IIS-5.0-Printer-Host-Header-Overflow.html
title	Microsoft IIS 5.0 Printer Host Header Overflow

Saint

bid	2674
description	Microsoft IIS 5.0 printer ISAPI extension buffer overflow
id	web_server_iis_iis,web_server_iis_iisx
osvdb	3323
title	iis_printer_isapi
type	remote

Summary

Vulnerable Configurations

Exploit-Db

Metasploit

Nessus

Oval

Packetstorm

Saint

References