IIS lowers the drawbridge
A devastating vulnerability in Microsoft's IIS 5.0 web server completely exposes Windows 2000 systems.
A serious flaw in Microsoft’s web server software gives system-level access to any attacker armed with about 80 lines of C code, the software vendor has admitted. The flaw was discovered two weeks ago, but publicity was withheld until a patch was available.
Security specialist eEye discovered the bug – a buffer overflow in the ISAPI extension that handles .printer requests – within “a matter of minutes” of starting routine testing of IIS 5.0 on Windows 2000. The extension adds support for the Internet Printing Protocol (IPP); it is installed by default on every Windows 2000 platform and is reachable by any client that can talk to IIS 5.0.
Part of the problem lies with the resilience features inside IIS. A failed overflow attempt crashes the web server, but Windows 2000 automatically restarts it, so the attacker can simply keep trying until the attack succeeds, eEye said.
A Microsoft statement said that “the attacker could exploit the vulnerability against any server with which she could conduct a web session. No other services would need to be available, and only port 80 (HTTP) or 443 (HTTPS) would need to be open. Clearly, this is a very serious vulnerability, and Microsoft strongly recommends that all IIS 5.0 administrators install the patch immediately.”
By overflowing a buffer in C:\WINNT\System32\msw3prt.dll, eEye was able to execute arbitrary shellcode on the system with full privileges, since the extension runs in the Local System context: the equivalent of a “root” exploit on a Unix system.
In short: any web server running IIS 5.0 on Windows 2000 can be completely compromised. No non-standard ports are required, and sample code is already available – the juvenile cracking community must be nearly helpless with glee.
This goes a long way beyond mere website vandalism – a compromised server could be used to penetrate beyond a firewall into a corporate network, attack e-commerce services, install Trojans; just about anything in fact. A recent Netcraft survey (April 2001) claimed installation figures for IIS of 5,916,724. That’s a lot of vulnerable servers, even if only a percentage of those will be IIS 5.0 on Windows 2000.
eEye, which sells security software, notes that its SecureIIS product, which hardens IIS against known and unknown vulnerabilities, successfully prevented this particular attack on an unpatched system.
Given the vast number of attacks that regularly take place against vulnerable NT/IIS servers despite patches having been available for months, a fresh onslaught of web attacks is likely to follow this discovery. A worrying point in eEye’s advisory is that the system log records nothing for the buffer overflow: the attacker can gain access, compromise the system and leave again without a trace in the system log. After the DDoS (distributed denial of service) attacks last year, my guess is that the first use for this will be to distribute DDoS agents such as Stacheldraht and TFN, as well as server-oriented virus packages such as the Linux worm Ramen, aside from random acts of vandalism and sabotage, of course.
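As an added illustration (not code from the article, from Microsoft or from eEye), the C below puts the unbounded-copy pattern behind this kind of ISAPI overflow beside a bounded version, and adds the wire-level check a practitioner needs because the system log records nothing: a reverse proxy or IDS in front of the server can at least flag a request for a .printer URL whose Host header could not fit a fixed buffer. The request format, the 256-byte buffer, the /x.printer URL and the Host header are assumptions constructed for the example; the real buffer size and trigger inside msw3prt.dll are not described on this page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Fixed header buffer size. Arbitrary for this example; the page does not
 * give the real size of the buffer in msw3prt.dll. */
#define HDR_BUF 256

/* Case-insensitive search for needle within the first hlen bytes of hay. */
const char *ci_memstr(const char *hay, size_t hlen, const char *needle) {
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= hlen; i++) {
        size_t j = 0;
        while (j < nlen && tolower((unsigned char)hay[i + j]) ==
                           tolower((unsigned char)needle[j])) j++;
        if (j == nlen) return hay + i;
    }
    return NULL;
}

/* Value of header `name` (after the colon and leading blanks) and its length,
 * or NULL if the request lacks it. Walks "Name: value\r\n" lines to the blank line. */
const char *find_header(const char *req, const char *name, size_t *len) {
    size_t nlen = strlen(name);
    const char *line = strstr(req, "\r\n");            /* end of request line */
    while (line && line[2] != '\r' && line[2] != '\0') {
        line += 2;
        const char *eol = strstr(line, "\r\n");
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen > nlen && line[nlen] == ':' && ci_memstr(line, nlen, name)) {
            const char *v = line + nlen + 1;
            while (v < line + llen && (*v == ' ' || *v == '\t')) v++;
            *len = (size_t)(line + llen - v);
            return v;
        }
        line = eol;
    }
    return NULL;
}

/* VULNERABLE pattern (illustration only, not msw3prt.dll's actual code): the
 * header value goes into a fixed stack buffer with no check against its size.
 * A value longer than HDR_BUF overwrites the saved return address. */
void handle_unsafe(const char *req) {
    char buf[HDR_BUF];
    size_t len;
    const char *v = find_header(req, "Host", &len);
    if (!v) return;
    memcpy(buf, v, len);      /* unbounded: smashes the stack if len >= HDR_BUF */
    buf[len] = '\0';
    printf("Host: %s\n", buf);
}

/* Hardened form: the copy is bounded by the destination and an over-long
 * value is rejected (-2) rather than silently truncated, so the request can be
 * refused and logged. Returns 0 on success, -1 if the header is absent. */
int handle_bounded(const char *req, char *out, size_t outlen) {
    size_t len;
    const char *v = find_header(req, "Host", &len);
    if (!v) return -1;
    if (len >= outlen) return -2;
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Wire-level check for the attack shape the article describes: a request for
 * a .printer URL (matched case-insensitively, as IIS does) whose Host value
 * would not fit the handler's buffer. Returns 1 if the request looks hostile. */
int request_is_suspicious(const char *req) {
    const char *eol = strstr(req, "\r\n");
    size_t rlen = eol ? (size_t)(eol - req) : strlen(req), len;
    if (!ci_memstr(req, rlen, ".printer")) return 0;
    const char *v = find_header(req, "Host", &len);
    return v != NULL && len >= HDR_BUF;
}

/* Constructed sample input: a request for a .printer URL whose Host value is
 * hostlen bytes of 'A' (static buffer; hostlen is capped so it always fits). */
static char g_req[1024], g_host[HDR_BUF];
const char *printer_request(size_t hostlen) {
    const char *head = "GET /x.printer HTTP/1.0\r\nHost: ", *tail = "\r\n\r\n";
    size_t room = sizeof g_req - strlen(head) - strlen(tail) - 1;
    if (hostlen > room) hostlen = room;
    memcpy(g_req, head, strlen(head));
    memset(g_req + strlen(head), 'A', hostlen);
    memcpy(g_req + strlen(head) + hostlen, tail, strlen(tail) + 1);
    return g_req;
}

int main(void) {
    handle_unsafe(printer_request(20));     /* short value: harmless */
    printf("bounded=%d suspicious=%d\n",
           handle_bounded(printer_request(400), g_host, sizeof g_host),
           request_is_suspicious(printer_request(400)));
    /* handle_unsafe() on the 400-byte request would smash the stack; not run. */
    return 0;
}
```

The bounded handler rejects rather than truncates on purpose: a silently shortened Host value would hide the attempt, whereas a -2 result gives the server something to log, which matters precisely because the overflow itself leaves no trace in the system log.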
Microsoft’s patch (security bulletin MS01-023) is available here: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29321 Administrators who do not need Internet Printing can also remove the .printer application mapping in Internet Services Manager, which stops IIS from passing requests to the extension at all.
eEye’s announcement is here: http://www.eeye.com/html/Research/Advisories/