Rule:  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .printer access"; uricontent:".printer"; nocase; flags:A+; reference:cve,CAN-2001-0241; reference:arachnids,533; classtype:web-application-activity; sid:971; rev:1;) 

--
Sid: 971

--

Summary: Someone has attempted to compromise a web server running IIS 5.0 by exploiting the ".printer" bug.

--
Impact: Possible system compromise.  The ".printer" vulnerability may result in remote system level access to an IIS 5.0 server.

--
Detailed Information:  With the increasing pervasion of the Internet, vendors are adding features into their software to support the networked world.  Microsoft's initial implementation of one such feature were the ".printer" extensions on IIS 5.0 which shipped with Windows 2000.

A bug exsisted in the initial release that could result in remote system level access to the web server.  A patch has been released that fixes this bug.

--
Attack Scenarios:  A hacker could use this vulnerability to get a remote, system level command prompt on the server.

--
Ease of Attack:  Very easy.  Automated tools exist to exploit this vulnerability, one such was posted on the bugtraq mailing list.

--
False Positives:  There are legitimate uses of the ".printer" feature, though it is unknown how widely it is used.  You should know if this feature is implemented on your web servers.

--
False Negatives:

--
Corrective Action:  Install latest patches from the vendor, or disable the ".printer" extensions using the IIS administration tool.

--
Contributors:

--
Additional References:
Vendor Security Bulletin: MS01-023
Bugtraq Archive: url,http://www.securityfocus.com/archive/1/181937
