Slashdot Mirror


Remote 'Root' Exploit in IIS 5.0

eEye Digital Security was doing some testing that apparently Microsoft hadn't done on its own webserver (IIS 5.0) running on its latest OS (Windows 2000, all versions). "Within a matter of minutes," they say, "a debugger kicked in on inetinfo.exe because of a 'buffer overflow error'" -- and two weeks later, we got simultaneous announcements from Microsoft and eEye. This is a remote SYSTEM-level exploit in a popular webserver, in the wild, i.e., Danger Will Robinson. eEye says about a million servers will need to be patched; it may be more. Go see Microsoft's writeup and patch. See also eEye's droll and informative writeup, which, now that an exploit is confirmed to be in the wild today, has added some source code.

13 of 184 comments

  1. No need to worry! by Anonymous Coward · · Score: 5
    From Microsoft:

    This could enable a remote attacker to conduct a buffer overrun attack and cause code of her choice to run on the server. Such code would run in the Local System security context. This would give the attacker complete control of the server, and would enable her to take virtually any action she chose.

    Only females can exploit this hole!*

    *Not to be taken out of context

  2. Re:So.... by Anonymous Coward · · Score: 5

    actually, it's not quite so easy. i wrote the exploit, and initially looked at creating a fix as the initial exploit and ran into the following problems:

    1. deleting the file: if you delete the printer dll, it is replaced by the copy in dllcache. if you delete the one in dllcache, it gets replaced by the original. if you delete both at the same time, it then asks for the original install media. self healing files are cool until they reintroduce the problems.

    2. removing the extension: there isn't a really easy way to deal with the metabase (the registry-like structure used in dealing with iis) using asm.

    3. size: writing an exploit with around 400 bytes, taking into effect that you have to load addresses and data and have some boot strap code, not to mention that you have to split your code into 2 segments because the buffer overflows right in the middle.

    if anyone has questions as to why, or how, let me know. i'd be more than happy to explain both to serious inquiries. ryan permeh, ryan@eeye.com

  3. Re:Um, this is old news... by jamiemccarthy · · Score: 5
    "Debian sendfile root exploit (updated package available)"

    That's a local (not remote) root exploit in a not-commonly-installed tool.

    "Bugzilla shell exploit (updated info available)"

    That's a remote unprivileged-user (not root) exploit in a not-commonly-installed application.

    "Iplanet calendar server exposes netscape admin password"

    That's a local (not remote) non-root exploit in a not-commonly-installed application.

    "DoS against Novell Border Manager"

    That's, um, a DoS against Novell Border Manager.

    "But it's not news unless it's Microsoft, eh, folks?"

    I know it's fun and easy to bash Slashdot for being anti-Microsoft, especially when we report security news, but we don't ignore open-source problems and we only report vulnerabilities which are of pressing and widespread concern.

    Jamie McCarthy

    --

    Jamie McCarthy
    jamie.mccarthy.vg

  4. Re:What's the problem? by sharkey · · Score: 5

    What if it's crawling or limping, as would be more likely than "running?"

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  5. Buffer Overflows by moeller · · Score: 5

    The vast majority of security vulnerabilities are buffer overflows. This latest vulnerability extends this status quo. There are technologies out there that prevent this, however, almost all of these technologies slow down the system in some way or another. Examples include languages that allow dynamically sized arrays and other preventative measures.

    CPU speed is growing such that it would appear that we could take a speed hit for increased security. Is it coming down to the fact that various organizations would rather market a fast webserver at the expense of a secure one? The $64,000 question is why the industry has not moved towards safer technologies that prevent these security holes.

    Not that Microsoft is incredibly innovative on the security front, but they're hardly the only culprit. Many others rely on unsafe languages and techniques that allow these vulnerabilities to leak through.

    When will it end? Is there any incentive to end?

  6. Re:Um, this is old news... by blakestah · · Score: 5

    As many people have pointed out, anyone reasonably experienced, and any "real" website, isn't vulnerable to this if they followed the best practice of deleting all app mappings that aren't in use. It's like the blank SQL sa password all over again. Easy to get worked up about, pretty much a nonissue for anyone who even halfway knows what they're doing.

    Right. And millions of stolen credit card numbers as a result is only proof of stupid admins, not stupid software.

    Software has an obligation to be set up secure by default, and insecure by the expressed will of the admin. Apparently with IIS and/or MSSQL this little bit of advice is forgotten.

    You can go on and on about how anyone who bothered to read the docs would not set up the server in a vulnerable way, but this ignores an INCREDIBLY important aspect of human nature. That default computer usage should be reasonable is assumed by default. 80+% of all web users NEVER change their home page. In a similar vein, most web admins simply use the default install, irrespective of the potential holes or default passwords.

    The default install has to work securely, plain and simple. For IIS or MSSQL, there are obvious reasons that your customers' business is not safe if you used the default install.

  7. One of the better quotes by Mr+Krinkle · · Score: 5

    "However, this couldn't be used to conduct an effective denial of service attack, as the IIS 5.0 service automatically restarts itself after a failure." If it takes me like one packet to shut down the service (hence the restart), I can generate, let's say, 4 packets per minute? (I really do have a better connection, but.) If I cannot keep an IIS server thoroughly enough pissed with a small attack to prevent users, I'm confused. Not that I would, but I just refuse to believe that while IIS is automatically restarting itself users would not be denied service. Oh well, two cents. minus a dollar.

    --
    I am 31337 or something.
  8. Stop, wait, don't flame. by proxima · · Score: 5

    Ok, so there's a major security flaw with Windows 2000 server computers running IIS 5.0 because this ISAPI extension is installed by default. A patch is already available, and for those who don't want to patch (why the hell not?), they can simply remove the extension.

    Yes, this seems to be a really nasty hole, but it doesn't appear as if it's been exploited (yet, of course). Microsoft did release a patch and didn't try to play down its importance (so it seems to me). Those of us in the *nix community have had our share of root exploits in various daemons, so they crop up in even our most favorite software.

    There is no reason to be blindly insulting MS or promoting the secureness of Open Source programs. Large, complex programs are subject to buffer overruns.

    If you have a Win 2000 server or know someone that does, just get the patch. Simple as that.

    --
    "The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
  9. Microsoft Announces New "RemoteRoot" Feature by tenzig_112 · · Score: 5
    Remote web server administration is a real pain. With all the various firewall security packages out there, it can make a weary IT manager even wearier.

    Let Microsoft take you away from all that. With our new RemoteRoot feature for IIS on Windows2000, users can log in as root from remote sites without all the muckety muck.

    Forgot your password? No problem. RemoteRoot makes getting in easy.

    Microsoft has partnered with the company responsible for Zero Click technology to bring you this wonderful new feature. You can read more about it on their web site.

  10. What's the problem? by curtS · · Score: 5

    The MS writeup clearly states "Note: The vulnerability is only exposed if IIS 5.0 is running."

  11. Read Closer. by rabtech · · Score: 5
    From the Microsoft Bulletin:

    Servers on which the mapping for the Internet Printing ISAPI extension has been removed are not at risk from this vulnerability. The process for removing the mapping is discussed in the IIS 5.0 Security Checklist. The High Security template provided in the checklist removes the mapping, as does the Windows 2000 Internet Security Tool unless the user explicitly chose to retain Internet Printing


    So in effect, if the admin who set up the webserver is in ANY way competent, he should have already been over the checklist and applied the template, both of which discuss removing this extension. If he's lazy and only used the SecTool, that would still do the job.



    -------
    -- russ

    "You want people to think logically? ACK! Turn in your UID, you traitor!"
    --
    Natural != (nontoxic || beneficial)
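    The bulletin quoted above says the fix is simply to drop the Internet Printing mapping from the IIS 5.0 ScriptMaps. The following is an added example (not code from Microsoft, eEye, or anyone in this thread) that audits a list of ScriptMaps entries in the metabase's "extension,handler,flags,verbs" format, flags every mapping not on an allow-list, and returns the hardened list. The sample entries and the DLL paths in them are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ScriptMap:
    extension: str          # e.g. ".printer", normalised to lower case
    handler: str            # path to the ISAPI DLL or script engine
    flags: int              # metabase flags field, kept as an integer
    verbs: List[str] = field(default_factory=list)


def parse_scriptmap(entry: str) -> ScriptMap:
    """Parse one ScriptMaps entry of the form '.ext,<handler>,<flags>[,VERB,...]'."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3 or not parts[0].startswith("."):
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    return ScriptMap(parts[0].lower(), parts[1], int(parts[2]),
                     [v.upper() for v in parts[3:]])


def audit(entries: List[str], in_use: Set[str]) -> Dict[str, str]:
    """Return {extension: handler} for every mapping the site does not need.

    The allow-list is the set of extensions the admin has positively confirmed
    the site uses; everything else is reachable attack surface."""
    findings = {}
    for sm in map(parse_scriptmap, entries):
        if sm.extension not in in_use:
            findings[sm.extension] = sm.handler
    return findings


def harden(entries: List[str], in_use: Set[str]) -> List[str]:
    """Return the ScriptMaps list with all unneeded mappings removed."""
    return [e for e in entries if parse_scriptmap(e).extension in in_use]


# Constructed sample resembling a default IIS 5.0 ScriptMaps list
# (handler paths are assumed, not taken from a real installation).
SAMPLE_SCRIPTMAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST",
    r".htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST",
]

if __name__ == "__main__":
    for ext, dll in audit(SAMPLE_SCRIPTMAPS, {".asp"}).items():
        print(f"unused mapping {ext} -> {dll}: remove it")
```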
    1. Re:Read Closer. by rabtech · · Score: 5

      "If the person who setup the webserver was in ANY way competent, do you think they would be using IIS?"

      Better go tell Dell, Microsoft, eBay, NASDAQ, Intel, etc. that they don't have a clue.

      Setting up IIS securely takes work, just as doing so on a Linux box does. The problem is that many so-called "WinNT/2K Admins" are clueless. They click Install and see that they can get to their web page. They then assume everything is OK.

      A "real" admin would get on the various security lists, go through the MS checklists, apply the high-security template, and download the scripts that Microsoft used to help secure their own W2K webservers. The admin would also stop by the MS security site at LEAST once per month, if not more. They even have a security Tool that can baby-step you through the configuration if the registry scares you.

      Don't blame Ford when you hand your keys to a 3 yr old and they wreck the car....

      Of course in this particular case, Microsoft should have performed better testing, but still...

      -------
      -- russ

      "You want people to think logically? ACK! Turn in your UID, you traitor!"

      --
      Natural != (nontoxic || beneficial)
  12. Re:Why use IIS? by geomcbay · · Score: 5
    IIS is generally considered to be quite a bit faster than the standard Apache distribution -- which isn't that surprising since Apache has never really been about raw speed.

    IIS is also far easier to install and maintain; it uses Microsoft's standard MMC console admin interface. Of course, there are two sides to the ease-of-admin issue (many will argue it invites security risk due to low-clue admins being able to do the job, half-assedly).

    Probably the most important feature, though, is Active Server Pages functionality. The ability to write parsed HTML code in any of the languages supported by Microsoft's Active Scripting (JScript, VBScript, Perl, Python, etc), with the added bonus of access to pre-built COM objects.

    It is quite nice. Personally, I prefer PHP for most web-app development, but the wide variety of language choice and the COM integration are pretty cool if you don't mind locking your box to Microsoft technology.