IIS lowers the drawbridge

A devastating vulnerability in Microsoft's IIS 5.0 web server completely exposes Windows 2000 systems.

A serious flaw in Microsoft’s web server software allows system-level access to any attacker armed with 80 lines of C code, the software vendor has admitted. The exploit was discovered two weeks ago, but publicity withheld until a patch was available.

Security specialists eEye discovered the bug – a buffer overflow in a printer ISAPI – within “a matter of minutes” of starting routine testing on IIS 5.0 running on Windows 2000. The ISAPI adds support for the Internet Printing Protocol (IPP) and, although present on all Windows 2000 platforms by default, can be exploited via IIS 5.0.

Part of the problem lies with resilience features inside IIS. After the buffer overflow, the web server promptly crashes, but is automatically restarted by Windows 2000, thereby allowing the attack to continue, eEye said.

A Microsoft statement said that “the attacker could exploit the vulnerability against any server with which she could conduct a web session. No other services would need to be available, and only port 80 (HTTP) or 443 (HTTPS) would need to be open. Clearly, this is a very serious vulnerability, and Microsoft strongly recommends that all IIS 5.0 administrators install the patch immediately.”

By overflowing C:\WINNT\System32\msw3prt.dll, eEye were able to execute any shell code on the system with full privileges, the equivalent of a “root” exploit on a Unix system.

In short: any web server running IIS 5.0 on Windows 2000 can be completely compromised. No non-standard ports are required, and sample code is already available – the juvenile cracking community must be nearly helpless with glee.

This goes a long way beyond mere website vandalism – a compromised server could be used to penetrate beyond a firewall into a corporate network, attack e-commerce services, install Trojans; just about anything in fact. A recent Netcraft survey (April 2001) claimed installation figures for IIS of 5,916,724. That’s a lot of vulnerable servers, even if only a percentage of those will be IIS 5.0 on Windows 2000.

eEye, which sells security software, notes that its SecureIIS product, which hardens IIS against known and unknown vulnerabilities, successfully prevented this particular attack on an unpatched system.

Given the vast number of attacks that regularly take place against vulnerable NT/IIS servers despite patches having been available for months, it’s likely a fresh onslaught of web attacks will result from this discovery. A scary note eEye makes is that the system log makes no entry for the buffer overflow – the attacker can gain access, compromise the system and leave again, with no traces. After the DDoS (distributed denial of service) attacks last year, my guess is that the first use for this will be to distribute DDoS agents such as Stacheldraht and TFN, as well as server-oriented virus packages such as the Linux worm Ramen, aside from random acts of vandalism and sabotage, of course.

Microsoft’s patch is available here: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29321

eEye’s announcement is here: http://www.eeye.com/html/Research/Advisories/