WebDAV Buffer Overflow Attack Compromises IIS 5.0

← Back to Stories (view on slashdot.org)

WebDAV Buffer Overflow Attack Compromises IIS 5.0

Posted by timothy on Monday March 17, 2003 @09:50AM from the what-this-old-thing dept.

rf0 writes "Well CERT is reporting a new overflow attack for IIS 5.0. Microsoft has released a bulletin. Better download those patches and fix another security hole." According to this CNET story, Microsoft says that this is already being exploited, at the very least since last Wednesday.

23 of 367 comments (clear)

Min score:

Reason:

Sort:

yup by Anonymous Coward · 2003-03-17 09:52 · Score: 4, Funny

(looks at watch) its monday again... time to go patch my IIS
1. Re:yup by Groo+Wanderer · 2003-03-17 10:57 · Score: 4, Funny
  
  Having to watch over a handfull of IIS machines for several companies, I can say, with some authority, that if you only patch weekly, you are in trouble. MS often releases several critical patches per week, get on the ball.
  
  -Charlie
  
  (This was origionally menat to be sarcasm, but then I wnet to the windows update and looked at the entire patch list, not the rollups. It really is as bad as I was thinking. As that great philosopher Pepe LaPew says, *LeSigh*.)
2. Re:yup by vsprintf · 2003-03-17 13:14 · Score: 3, Funny
  
  Was that really +5 funny?
  
  I've never had mod points.
  
  Those of us who get mod points weekly are easily amused. Try clicking on the "willing to moderate" box. :)
Patch? by Iamthefallen · 2003-03-17 09:53 · Score: 4, Funny

Better download those patches and fix another security hole.
Well duh, "patch my IIS", it's monday isn't it?

--
Wax-Museum Fire Results In Hundreds Of New Danny DeVito Statues
1. Re:Patch? by mrjive · 2003-03-17 09:54 · Score: 5, Funny
  
  More like "every day that ends in -day"
  
  --
  If you can't beat them, arrange to have them beaten. -George Carlin
2. Re:Patch? by shades66 · 2003-03-17 10:38 · Score: 2, Funny
  
  They do appear occasionally it's just that you can't see them for all the Microsoft patches...
  
  --
  ---- There are 10 types of people in the world. Those that understand binary and those that don't
3. Re:Patch? by BorgDrone · 2003-03-17 10:51 · Score: 2, Funny
  
  No, just on days that start with a T
  
  Thursday, Tuesday, Today, Tomorrow.
Another day, another Microsoft bug by RighteousFunby · 2003-03-17 09:54 · Score: 4, Funny

When they get a bug free Windows, they'll have to put some in just so bored /. readers have something to laugh at....

--
If you're happy and you know it read my blog
Bah, the Internet by Captain+Beefheart · 2003-03-17 09:54 · Score: 5, Funny

I don't know why anyone uses it anymore. I'm switching back to Morse Code. Who's with me?
1. Re:Bah, the Internet by Anonvmous+Coward · 2003-03-17 10:18 · Score: 5, Funny
  
  "I don't know why anyone uses it anymore. I'm switching back to Morse Code. Who's with me?"
  
  Shut the ..-. up!
  
  =D
2. Re:Bah, the Internet by charon_on_acheron · 2003-03-17 10:56 · Score: 2, Funny
  
  dotdot
  dotdash dashdash
  dotdash dotdashdotdot dotdashdot dot dotdash dashdotdot dashdotdashdash
  dash dotdotdotdot dot dotdashdot dot
  dotdashdotdashdotdash
3. Re:Bah, the Internet by IIRCAFAIKIANAL · 2003-03-17 11:19 · Score: 2, Funny
  
  I prefer carrier pigeons. Let's implement rfc 1149!
  
  --
  Robots are everywhere, and they eat old people's medicine for fuel.
4. Re:Bah, the Internet by evilviper · 2003-03-17 17:42 · Score: 2, Funny
  
  Oh yeah? Just takes one bird with a slightly long piece of paper to cause a buffer-overflow. Boy will it be fun watching someone input piece of paper after paper until they've input an entire rootkit.
  
  You think internet DDoS attacks are bad, just wait until you have 10,000 Pidegons flying straight for you!
  
  --
  Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
OMG! by Anonymous Coward · 2003-03-17 09:56 · Score: 4, Funny

Cue 2,000 microsoft bashing messages...
1. Re:OMG! by NewbieProgrammerMan · 2003-03-17 09:59 · Score: 5, Funny
  
  I hope you don't have a static buffer allocated for those messages, because it'll....ummm...overflow.
  
  --
  [b.belong('us') for b in bases if b.owner() == 'you']
I'd uninstall it but... by OffTheLip · 2003-03-17 09:58 · Score: 5, Funny

I was ready to uninstall IIS when it occured to me that Exchange 2K needs it. I was ready to uninstall Exchange 2K when I realized users would not be able to function. Whew, luckily I came to my senses...
Re:Again... by zzxc · 2003-03-17 09:59 · Score: 5, Funny

>Why is the code that the web server has access to
>change allowed to take over the system?

Because it is "trusted".
Re:This is news? by mmol_6453 · 2003-03-17 10:02 · Score: 5, Funny

Between getting rooted and being automatically subject to license agreements, I'd rather get rooted.

--
What's this Submit thingy do?
CERT can save money... by huhmz · 2003-03-17 10:05 · Score: 4, Funny

If CERT would just move their headquarters to the IIS devs room in redmond, that would probably save a lot of money for CERT. They should be a part of the regular IIS dev team.
Exploited! by DarkHelmet · 2003-03-17 10:11 · Score: 4, Funny

Microsoft says that this is already being exploited, at the very least since last Wednesday.
And I thought that Penguin on the Microsoft home page looked at little out of place.

--
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Re:There are UNEXPLOITABLE web servers - MacOS ! by Anonymous Coward · 2003-03-17 10:27 · Score: 1, Funny

Can't exploit what can't stay up!
This is perfect! by dze · 2003-03-17 10:33 · Score: 2, Funny

I just ran into a problem today on one of our development web servers, trying to get an ASP to run a windows shell script with particular permissions. Anyway, executing arbitrary code in the Local System Context -- this is just the feature that I've been looking for!

--

"Luck is the residue of design" -- Branch Rickey
Clarification on why this patch was different by neoThoth · 2003-03-17 13:57 · Score: 2, Funny

Most discovery to patch timelines go like this:

[researcher finds vulnerability]->[notifys vendor]->[waits impatiently for a month or so]->[vendor releases patch in hotfix or service pack]

This case was completly different and demonstrates a disturbing trend in security research. NO ONE knew about this until it was discovered in the wild. Usually the script kiddies find out about the flaw the same day customers do and then it's an arms race to patch. This time the kids were armed with the exploit before even Microsoft knew about it. The trend of exploits staying secret has started to rear it's ugly head and this is the first major case where it's happened. Don't be suprised if this starts happening more and more. The good news is that MS was able to cough up a patch in a matter of days. The bad is that black hats are obviously keeping secrets about flaws they find.
Gone are the days where each vulnerability found was shouted from the rooftops till someone noticed the researcher. Now they just root servers with unfettered access until someone figures out that it's a new vulnerability. EG they bypass all IDS and in this case most firewalls.
For the record, it seems like this is a simple buffer overflow (when will they learn?) so tools like URLScan and SecureIIS stop these attacks. If your running an IIS server it would be a REALLY good idea to invest into either of these. Since they both stop all forms of buffer overflows (and various other types of attack) they don't require a patch to fend off these types of attacks.