Slashdot Mirror


WebDAV Buffer Overflow Attack Compromises IIS 5.0

rf0 writes "Well CERT is reporting a new overflow attack for IIS 5.0. Microsoft has released a bulletin. Better download those patches and fix another security hole." According to this CNET story, Microsoft says that this is already being exploited, at the very least since last Wednesday.

25 of 367 comments

  1. Gartner Group by 1010011010 · · Score: 5, Insightful

    If you listened to the Gartner Group, you stopped using IIS last year.

    If you didn't, well, get with the program!

    Eventually MSFT will have to deliver your "mission critical" ASP runtime for Apache, and the world will be a better place because of it.

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
  2. Why use IIS? by Blaine+Hilton · · Score: 2, Insightful

    All of these "patch" issues should be listed and sent to management with a recommendation of switching to a more secure *nix alternative. When will the truth beat out the Microsoft ad machine?

    1. Re:Why use IIS? by binner1 · · Score: 5, Insightful

      Typically GUI config apps don't give you all the options either. They give you the most common ones. The rest are buried (in the case of Windows) in the registry. A pretty GUI just gives the _illusion_ that you're in control.

      A text file can hide options too, but not in the same way. Generally, applications have many defaults that don't need to be defined in the configuration explicitly. A good config file will list most of these anyway, even if commented out (example /etc/ssh/sshd_config). A bad config file will list only options that are different than the defaults or not included in the defaults.

      That being said, there is no reason that someone putting a server on the internet should be afraid of editing a text file. Even in Windows! Notepad is just fine...

      If you're playing on the public internet, you have to put up or shut up (know your shit, or accept the consequences)...

      Obviously though, this issue has nothing to do with the WebDAV exploit. Even the best admin is at the mercy of the quality of his/her software (whether UNIX or Windows or $your_os).

      -Ben

  3. Hi everybody! by Anonymous Coward · · Score: 4, Insightful

    Slashdot is not the place you want to read about things like this, if you really need / want to be on the ball. You need to subscribe to bugtraq and nanog. You'd be surprised... it's like knowing the future!

  4. Its a bug...so what? by KingDaveRa · · Score: 4, Insightful
    So, ok, this is a bug. A serial vulnerability. It could lead to a server being crippled. It's all Microsoft's fault. It's crap software. Etc Etc.

    Now, I'm no anti-any OS, I like them all, but what about the latest Sendmail vuln? Or even the one in older versions of BIND? Isn't it true to say that ALL OSes are equally as vulnerable? During the brief time I was on the Redhat Network, I got at least two or three updates a day telling me the sky was about to fall in if I didn't patch my server soon.

    I treat all servers fairly, regardless of background, age or reliability :-)

  5. did anyone read the microsoft bulletin... by Anonymous Coward · · Score: 5, Insightful

    It says near the bottom that IIS systems with URL scan which is part of the lockdown utility are not affected by this.

    Why would you run an IIS server without using the lockdown utility??

    We (large corporation) have been using IIS servers and without a problem. With Lockdown/urlscan there are no problems at all. The logs show people trying to get in but being rejected.

    I think this story is a bit overblown. It appears that most /.'s don't like microsoft and that's sad because microsoft is the driving company behind many many jobs. The arrival of windows pushed the last boom. No questions about that. Unix had been around for 20 yrs and no boom. Windows and the net and look at how things accelerated..why..because ma/pa people use windows..not *nix. Just the facts.

    cheers
    John

    1. Re:did anyone read the microsoft bulletin... by ArmorFiend · · Score: 2, Insightful

      The arrival of windows pushed the last boom. No questions about that.

      Yeah, that's why the stock everyone was talking about in 1995 was netscape communications corp. The WEB was the last boom. No questions about that.

  6. Don't be! by FreeLinux · · Score: 4, Insightful

    The exploit has been in the wild since last Wednesday. Microsoft has known about it since that time. Five days to a patch is really good for Microsoft, but the last Apache bug was fixed on the day of discovery, long before any exploits appeared.

  7. Re:Ugh by kjhambrick · · Score: 3, Insightful

    .. cut ...

    Four things that make WebDav's so
    cool ...

    And don't forget to add ...

    WebDAV like SOAP makes it real easy
    for developers to sneak your data
    thru pesky firewalls using Port 80.

    That-a-Way, we can all share all our
    Corp Documents with the WFW ( Whole
    Effing World )

    -- kjh

  8. Re:MSNBC Posted this article... by mbcbvn · · Score: 2, Insightful

    From MSNBC article:
    "IT'S UNKNOWN WHAT Army computer was attacked, how significant a target it was, or what the intruder's intentions were."

    Who said it was a critical system? Critical systems weren't even connected to the internet where I was. Or it could be an inside job?

    --
    dd
  9. Re:Nope by kableh · · Score: 2, Insightful
    [Ignoring the fact that the bug is a bug within IIS, not an OS.]

    Perhaps, but IIS runs within kernel space, which is why a remote exploit is always a big deal. Apache may be a bit slower, but runs in user space and thus a remote exploit is less dangerous. So you're right, all OSes/apps aren't equally as vulnerable, but IIS is pretty fucking vulnerable.
  10. Re:I am kind of impressed by joyoflinux · · Score: 4, Insightful

    Some admins run unpatched machines because they're more scared of what damage the patch will do than the security hole...

  11. Apache security alerts? by burgburgburg · · Score: 4, Insightful
    Would you also send them the list of Apache security alerts? Or is that too much truth for you?

    All seven of them? All long fixed? Page not updated since January 23, 2003? I'd LOVE to send them that. Comparing that to the long and varied string of IIS compromises/failures/destruction would be enough to get even the pointiest headed boss to make the switch. Good idea. Thanks!

    1. Re:Apache security alerts? by Anonymous Coward · · Score: 1, Insightful

      Well, there have been 4 security alerts regarding IIS5 since April 2002 (that's when Apache 2.0 was released)... So 7 is a pretty high number then....

  12. I wonder if it's related to this intrusion.. by TheNarrator · · Score: 4, Insightful
    http://www.msnbc.com/news/886524.asp?0cv=CB20

    March 17 -- A computer intruder armed with a secret, particularly effective attack tool recently took control of an Army Web server, MSNBC.com has learned. Both Microsoft and the CERT Coordination Center released hastily-prepared warnings about the vulnerability that led to the attack on Monday. But it was a disturbingly successful attack, experts say, because the intruder found and exploited a flaw that took security researchers completely by surprise.
  13. Sorry for feeding the trolls, but by expro · · Score: 4, Insightful

    Your first three paragraphs were quite good and interesting.

    Your fourth is full of idiocy.

    I think this story is a bit overblown.

    Umm, not at all. It is quite a serious incident.

    It appears that most /.'s don't like microsoft

    Tell me, is this the first time you noticed that? Not much analytical thought going on upstairs, is there?

    and that's sad because microsoft is the driving company behind many many jobs

    They suck a very disproportionate chunk of money out of the market, they are in a position where innovation is much too risky, they are in such a controlling position that they are even greatly profitable against the trend of the rest of the market. The IBM PC pushed the boom. DOS and Windows have ridden the wave and placed Microsoft in the position of punishing any software company and they keep expanding -- that becomes too successful in the name of feeding their monstrous appetite. DOS and Windows sucked for many years, but were small and people ignored the control that was being given such an unworthy producer.

    They drive their own jobs with lots of marketing and billions to spend on research, which would be much better used in a large market of competing thriving software vendors, like we had before Microsoft used monopolistic business models to destroy them all. If you become successful, Microsoft is guaranteed to take it away from you. That is successful for Microsoft and creation of Microsoft jobs, but far from good for America or the world.

    The arrival of windows pushed the last boom. No questions about that. Unix had been around for 20 yrs and no boom. Windows and the net and look at how things accelerated..why..because ma/pa people use windows..not *nix. Just the facts.

    You mentioned facts? The boom came on the backs of now-defunct companies who pioneered their fields, such as word processing, networking, compilers, OO Languages, etc. none of which was pioneered by Microsoft. But Microsoft was good at using software ownership to take these things away from their innovators. And now you have come full circle to why many developers are congregated here and do not always hold Microsoft in high regard.

    But you knew that, didn't you? Perhaps you are AC because your large company is Microsoft?

  14. Re:This is news? by mmol_6453 · · Score: 2, Insightful

    The problem doesn't lie in my dislike of reading licenses, it lies in risking not having the option to read them in the first place.

    I have nothing against software licenses...Sometimes their implementation is questionable, and more often than not taken for granted by the majority of users, but I see them as a valid way for the writer of the software to place restrictions on its use.

    I can, and do, license my stuff under the GPL, LGPL, or BSD license, as the case warrants.

    --
    What's this Submit thingy do?
  15. Re:OK, so how about by the+eric+conspiracy · · Score: 3, Insightful

    And all the others that are not Microsoft products?

    The sendmail security issue certainly did make the front page.

    The fact is that the Samba problem is unlikely to be exploitable remotely because Samba is generally not exposed to the Internet. In the case of the MySQL issue, it requires a man-in-the-middle attack to pull off arbitrary code execution. Many protocols are vulnerable to this sort of attack - it is also a type of attack that is very hard to pull off.

    Moderators => please mod parent down. The guy is a jackass.

  16. Re:There are UNEXPLOITABLE web servers - MacOS ! by HBI · · Score: 5, Insightful

    It is a concrete fact that no MacOS based webserver has ever been hacked into in the history of the internet.

    The MacOS running WebStar and other webservers has never been exploited or defaced, and are unbreakable based on historical evidence.

    Okay, this is ludicrous. I ran Webster and other macintosh web servers in the 94-96 time range for a significant test prep company in NYC. They are just as insecure as any other web servers. The insecurity comes from the CGIs, not the static content. But who cares...programmer level or system level insecurity has the same result.

    The claim is false - I've done this myself to prove a point.

    Why is it hack proof? These reasons :

    1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for process to process communication that is heavily typed and "pipe-less"

    Sure, Pre-OSX Macs have no CLI really, but does it make a difference if you can disable, DoS or take control of the system, even? Sure, they are configuration mistakes. You can make those with Apache/*nix or IIS/win32 too. I've seen Timbuktu installed with no firewalling and simple plaintext password protection of the most trivial kind. I've seen CGIs that allow system control of various sorts, put in place by the same type of people who love the ease of use of macintoshes. Security?

    2> No Root user. All Mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.

    Sure, all Macintosh programming is done carefully as a result.

    By your estimation, access controls are a complete waste. I'm sorry, this doesn't hold much water. I could use the same argument to state that Wintel boxes are better web servers. We all know how that pans out.

    If all Macintosh programming was so excellent, those Type 1 errors where you have no choice but to restart would be a thing of the past, right? I still see them. Though I have to admit the car crash sound is better than a blue screen.

    3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The Mac avoids C strings historically in most of all of its OS. In fact even its ROMs originally used Pascal strings. As you know Pascal strings (length prefixed) are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C strings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usually has no null byte terminator.

    Pascal strings have a single length byte and can't handle anything longer than 255 characters. Many http requests are going to be longer than that. Obviously, Webster and other Mac web servers aren't using those for everything, though admittedly the system calls require them in many cases. Your argument about this preventing buffer overflows is not very convincing as a result.

    #4 must be a new feature because you could do just about anything cgi-wise with a macintosh in my days of futzing with them. Swiss cheese.

    #5 - Applescript. Many CGIs used to use those as a control interface and obviously resource protections don't apply. They probably still do...

    #6 - I fail to see how the Mac's zoned memory structure is any more protective than the hardware segmented memory protection of Intel (see Type 1 errors above), stack return addresses be damned. I'd be interested in any proof of this.

    That is why the US Army gave up on MS IIS and got a Mac for a web server.

    Not at this bas

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
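The exchange above contrasts length-prefixed Pascal strings with NUL-terminated C strings. The C below is an added illustration, not code from the post, from WebSTAR or from any Mac web server: it shows the 255-byte ceiling a one-byte length imposes (so a 509-byte request line cannot be represented at all) and that a length prefix only prevents overflows when the copying code actually compares that length against the destination's capacity, the same comparison a C-string API leaves to the programmer. The `PStr` type, the function names and the sample request line are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Classic Pascal string: one length byte, so at most 255 bytes of payload. */
typedef struct {
    unsigned char len;
    char data[255];
} PStr;

/* Build a Pascal string from a C string. Returns 0 on success and -1 when
   the input is longer than the length byte can express; nothing is copied. */
int pstr_from_cstr(PStr *out, const char *src) {
    size_t n = strlen(src);
    if (n > 255) {
        out->len = 0;
        return -1;
    }
    out->len = (unsigned char)n;
    memcpy(out->data, src, n);
    return 0;
}

/* Copy a Pascal string into a buffer of capacity cap and NUL-terminate it.
   The explicit length is compared with the capacity first, so an oversized
   source is refused instead of being written past the end. */
int pstr_copy_to_buf(char *dst, size_t cap, const PStr *src) {
    if ((size_t)src->len + 1 > cap) return -1;
    memcpy(dst, src->data, src->len);
    dst[src->len] = '\0';
    return 0;
}

/* The same discipline for a NUL-terminated string: the length has to be
   measured and checked before the copy; nothing in C does that for you. */
int cstr_copy_to_buf(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (n + 1 > cap) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Constructed sample: a request line padded to 509 bytes, well past 255. */
static char long_request[512];
const char *constructed_long_request(void) {
    memset(long_request, 'a', sizeof long_request);
    memcpy(long_request, "GET /", 5);
    memcpy(long_request + 500, " HTTP/1.1", 9);
    long_request[509] = '\0';
    return long_request;
}

/* Length byte of "GET / HTTP/1.1" after conversion, or -1 if it did not fit. */
int short_request_pstr_len(void) {
    PStr p;
    if (pstr_from_cstr(&p, "GET / HTTP/1.1") != 0) return -1;
    return p.len;
}

/* Converting the 509-byte request: the length byte cannot hold it. */
int long_request_pstr_result(void) {
    PStr p;
    return pstr_from_cstr(&p, constructed_long_request());
}

/* A 200-byte Pascal string offered to a 100-byte destination. */
int pstr_copy_small_buffer_result(void) {
    PStr p;
    char small[100];
    p.len = 200;
    memset(p.data, 'b', 200);
    return pstr_copy_to_buf(small, sizeof small, &p);
}

/* The 509-byte request offered to a 256-byte C buffer. */
int cstr_copy_small_buffer_result(void) {
    char buf[256];
    return cstr_copy_to_buf(buf, sizeof buf, constructed_long_request());
}

int main(void) {
    printf("short request length byte: %d\n", short_request_pstr_len());
    printf("509-byte request into PStr: %d\n", long_request_pstr_result());
    printf("200-byte PStr into 100-byte buffer: %d\n", pstr_copy_small_buffer_result());
    printf("509-byte request into 256-byte buffer: %d\n", cstr_copy_small_buffer_result());
    return 0;
}
```

Both copy routines refuse the oversized input for the same reason: a length is compared with a capacity before any byte moves. The representation changes where that length comes from, not whether the check is needed.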
  17. Re:Doesn't help at all (example) by the+eric+conspiracy · · Score: 5, Insightful

    Incompetent sysadmins still are the weakest link.

    I don't agree with that. Microsoft itself can't keep up with the patch schedules; its servers regularly get hacked. Who has more resources than Microsoft? Nobody.

    The fact is that if you are running a mission critical server you must test before deploying a patch. That takes time and money that the IT group has in short supply these days.

    Then there is the issue of Microsoft's marketing - they sell IIS as the easy to use 'zero maintenance' lowest TCO choice. False advertising in this case.

  18. Editorial bias? by m00nun1t · · Score: 4, Insightful

    Sure, another MS exploit. Seems to be one almost every week, and it sucks.

    What I do find interesting is that /. chose to post this article, but reject an article I submitted yesterday about a very serious security hole in Opera - Opera describe it as "extremely critical".

    I'm not griping about having my story rejected, I've had many rejected and a few accepted, and that's the way things are, no problem. What I am questioning is the editorial bias. Here we are at a website which probably has one of the highest concentration of Opera users of any website in the world, and they chose to not post a negative story about "the good guys" (which has exploits in the wild) but did choose to post a negative story about "the bad guys".

    Just more of /. displaying an unfair bias?

  19. In Related News.... by Chester+K · · Score: 2, Insightful

    While this makes the front page so we can all have our obligatory cracks at Microsoft, a similar (and just as important!) remote root exploit in Samba was just fixed today.

    --

    NO CARRIER
  20. Re:Again... by GunFodder · · Score: 2, Insightful

    Because otherwise it wouldn't be "integrated" into the OS and therefore might be an illegal attempt to use an existing monopoly to propagate another one (see IE for further details). Although it looks like IIS is too late and Apache has already won the day for open source.

  21. Re:Ugh by jelle · · Score: 2, Insightful

    Sounds like WebDAV allows an out-of-spec NTDLL kernel API call to occur as a result of an incoming web request from IIS.

    Sounds like yet another result of not having a completely well defined API and/or not adhering to it...

    Anything between the big-bad-internet and operating system internals should check all parameter values and data it passes on to the OS.

    Basically, there could be another bug in another dll of windows that WebDAV may someday call, and the same security hole is open again. Especially worrisome since a single software install/update could place a new DLL in place that contains the bug...

    --
    --- Hindsight is 20/20, but walking backwards is not the answer.
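The point above, that whatever sits between the internet and operating system internals should check every value it passes on, as an added C example that is not from the post, from IIS or from WebDAV: a small gate that validates a request target against explicit rules (length bound, no embedded NUL, absolute path, printable ASCII only, no ".." segment) before a lower-level call ever sees it. `resolve_target`, `MAX_TARGET_LEN` and the sample inputs are hypothetical stand-ins constructed for the example; the rules are illustrative, not IIS's.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical upper bound the lower layer is documented to accept. */
#define MAX_TARGET_LEN 1024

/* Stand-in for the lower-level call; it only records that it was reached. */
static int lower_layer_calls = 0;
static void resolve_target(const char *target) {
    (void)target;
    lower_layer_calls++;
}
int lower_layer_call_count(void) { return lower_layer_calls; }

/* Returns 0 if the target may be passed on, or a negative code naming the
   first rule it failed. buflen is the byte count as received, not strlen. */
int validate_target(const char *buf, size_t buflen) {
    if (buflen > MAX_TARGET_LEN) return -1;            /* longer than the lower API allows */
    if (memchr(buf, '\0', buflen) != NULL) return -2;  /* embedded NUL would truncate later */
    if (buflen == 0 || buf[0] != '/') return -3;       /* must be an absolute path */
    for (size_t i = 0; i < buflen; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c < 0x20 || c > 0x7e) return -4;           /* control or non-ASCII byte */
    }
    /* Walk the '/'-separated segments and refuse any ".." */
    size_t start = 0;
    for (size_t i = 0; i <= buflen; i++) {
        if (i == buflen || buf[i] == '/') {
            size_t seglen = i - start;
            if (seglen == 2 && buf[start] == '.' && buf[start + 1] == '.') return -5;
            start = i + 1;
        }
    }
    return 0;
}

/* The boundary: validate first, then hand a NUL-terminated copy downward. */
int gate_request(const char *buf, size_t buflen) {
    int rc = validate_target(buf, buflen);
    if (rc != 0) return rc;
    char tmp[MAX_TARGET_LEN + 1];
    memcpy(tmp, buf, buflen);
    tmp[buflen] = '\0';
    resolve_target(tmp);
    return 0;
}

/* Constructed over-length input: 2000 bytes of "/aaaa...". */
int overlong_target_result(void) {
    char big[2000];
    memset(big, 'a', sizeof big);
    big[0] = '/';
    return validate_target(big, sizeof big);
}

int main(void) {
    /* Constructed sample inputs; the lengths are the raw byte counts. */
    printf("/docs/report.txt -> %d\n", gate_request("/docs/report.txt", 16));
    printf("/a/../b          -> %d\n", gate_request("/a/../b", 7));
    printf("/a<NUL>b         -> %d\n", gate_request("/a\0b", 4));
    printf("/a<CR>b          -> %d\n", gate_request("/a\rb", 4));
    printf("a/b              -> %d\n", gate_request("a/b", 3));
    printf("2000-byte target -> %d\n", overlong_target_result());
    printf("lower layer reached %d time(s)\n", lower_layer_call_count());
    return 0;
}
```

The gate takes an explicit byte count rather than trusting a terminator, which is how the embedded-NUL case is caught at all; each rule returns a distinct code so a rejection can be logged with the reason, and the lower layer is only ever reached with input that has passed every rule.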
  22. Re:Bullshit by NineNine · · Score: 2, Insightful

    Just change the user the service runs under.