
Big IIS doodoo

One of my friends from NZ is friends with a group, eeye.com.  He hangs around
in mulysa and #beavuh on IRC.  Gotta love 'em.

Anyhow, they've discovered quite a hole in IIS which is quite nasty.

They gave MS a chance to write and reply before releasing this:


Full exploit ASM source is available.  My friend says that there will be a
Linux port of the exploit source, not that we have a use for that.

From the page:


We have been debating how to start out this advisory. How do you explain that
90% or so of the Windows NT web servers on the Internet are open to a hole
that lets an attacker execute arbitrary code on the remote web server? So the
story starts...

One of the things that we found out is that IIS did not log any trace of our
attempted hack. We recommend that you pass all server requests to the logging
service before passing it to any ISAPI filters etc. The logging service
should be, as named, an actual service running in a separate memory space so
that when inetinfo goes down intrusion signatures are still logged. 

The Fallout:

Almost 90% of the Windows NT web servers on the Internet are affected by this
hole. Everyone from NASDAQ to the U.S. Army to Microsoft themselves. No, we
did not try it on the above mentioned. But it is easy to verify if a web
server is exploitable without using the exploit. Even a server that's locked
in a guarded room behind a Cisco Pix can be broken into with this hole. This
is a reminder to all software vendors that testing for common security holes
in your software is a must. Demand more from your software vendors.


Remove the extension .HTR from the ISAPI DLL list. Microsoft has just updated
their checklist to include this interim fix.
Apply the patch supplied by Microsoft when available.

Vendor Status:

We contacted Microsoft on June 8th 1999; eEye Digital Security Team provided
all information needed to reproduce the exploit and how to fix it. Microsoft's
security team did confirm the exploit and is releasing a patch for IIS.




Damacus		| damacus@bastion.cnsnet.net ** damacus@statiknet.org
New as of 6/14	| PGP: http://bastion.cnsnet.net/~damacus/damacus-key.asc
		| Administrator, Cimarron Network Services, Inc.
IRC:  (EFnet)	| #statik	http://www.statiknet.org  
nick: damacus	| #dc-stuff	http://www.attrition.org/ (hosted/dc-stuff)
   Failure is not an option. It comes bundled with your Microsoft product.
			      -- Ferenc Mantfeld
       \ /
        X  ASCII Ribbon campaign against HTML E-Mail
       / \
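The advisory's interim fix is to remove .HTR from the ISAPI DLL list, and it notes that exposure can be checked without running the exploit. The script below is an added example, not code from the post or from eEye, for verifying after the change that nothing extension-specific is still answering .htr requests. It assumes that once the mapping is gone, a request for a non-existent .htr file is handled by the same static-file path as a non-existent .html file, so the two status lines match; a differing status line means some handler (ISM.DLL) is still picking up .htr. Only the status code and reason phrase are compared, since error page bodies may echo the requested path. The sample responses embedded for offline use are constructed, not captured from a real server.

```python
"""Differential probe for the .HTR ISAPI mapping on an IIS host.

Added example, not part of the original post or the eEye advisory.
Assumption: with .HTR removed from the ISAPI DLL list, a non-existent
.htr file and a non-existent .html file get the same status line from
the static-file handler; a different status line for .htr means an
extension-specific handler is still mapped.
"""
import os
import socket
from typing import NamedTuple


class Response(NamedTuple):
    status: int
    reason: str
    body: bytes


def parse_response(raw: bytes) -> Response:
    """Parse a raw HTTP/1.0 response into status code, reason phrase and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % status_line)
    reason = parts[2].decode("latin-1") if len(parts) == 3 else ""
    return Response(int(parts[1]), reason, body)


def htr_still_mapped(htr: Response, control: Response) -> bool:
    """True when the .htr probe got a different status line than the control.

    Bodies are deliberately ignored: error pages may echo the requested path.
    """
    return (htr.status, htr.reason) != (control.status, control.reason)


def fetch(host: str, path: str, port: int = 80, timeout: float = 5.0) -> Response:
    """Send a minimal HTTP/1.0 GET over a raw socket and return the parsed response."""
    req = ("GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n"
           % (path, host)).encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


def probe(host: str, port: int = 80) -> bool:
    """Request a non-existent .htr and a non-existent .html file and compare."""
    name = "htr-mapping-check-%d" % os.getpid()  # hypothetical name, unlikely to exist
    htr = fetch(host, "/%s.htr" % name, port)
    control = fetch(host, "/%s.html" % name, port)
    return htr_still_mapped(htr, control)


# Constructed sample responses for offline use (not captured from a real server).
SAMPLE_STATIC_404 = (b"HTTP/1.0 404 Object Not Found\r\n"
                     b"Server: Microsoft-IIS/4.0\r\n\r\n"
                     b"<h1>404 Object Not Found</h1>")
SAMPLE_HTR_HANDLED = (b"HTTP/1.0 200 OK\r\n"
                      b"Server: Microsoft-IIS/4.0\r\n\r\n"
                      b"Error: the requested file could not be opened")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        mapped = probe(sys.argv[1])
        print(".htr still mapped" if mapped else ".htr not mapped (status lines identical)")
    else:
        # Offline demonstration on the constructed samples.
        print(htr_still_mapped(parse_response(SAMPLE_HTR_HANDLED),
                               parse_response(SAMPLE_STATIC_404)))
```

Run it with a hostname to probe a server you administer; with no argument it only exercises the comparison on the embedded samples. A matching status line is evidence the mapping is gone, not proof the server is patched, so the vendor patch mentioned in the advisory still applies.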

To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.