Recently Eeye, a small US security team, announced that some of its members had discovered a new bug in Microsoft's Internet Information Server software.
Using about 500 lines of assembler code, they managed to generate a 'buffer overflow' on a remote IIS webserver. Exploiting this situation, they could attach any command or program to it and have it executed without any problem, as if they had full administrator permission on the system.
At this time, the script is circulating on the Internet as a new hacker toy. It allows anyone with half a brain and an Internet connection to manipulate almost any IIS server on the Net: gaining full administrator access to install Trojan horses, edit files or, just for the hack of it, enter a destructive format of the c:\ drive.
On a technical level, the bug works like this: as a visitor to a Web site, you normally send a so-called 'web request' to a server. You type a URL and thereby request a particular file (name.extension). A standard IIS checks all requests for certain file types, identifying them by their extension. One of the possible extensions is '.htr', which is used to allow users to change their NT password. Normally your webserver and firewall are configured to accept these kinds of requests, so they let them through without asking further questions.
The problem lies in the limited processing capacity that is reserved for these actions. A web request is usually not a piece of Latin prose running to more than 10 lines or 1000 characters. At least, that's what the programmers must have thought when they coded IIS. When you send a request to a webserver that looks like 'GET /' followed by exactly 1140 A's, the machine's buffer reaches its limits. The webserver crashes, creating a perfect 'denial of service' situation.
But there's more: any additional arbitrary code that is transferred with the request is suddenly entered into the processing memory and executed. The incoming web request is at the same time passed on to several DLL library files. Somewhere in this process, the limit of the reserved buffer memory is exceeded (buffer overflow). The remaining characters are simply written into the machine's processing memory, which gives these data the status of a command, and that command is processed with administrator privileges.
Using this technique, you can for example attach a program to the magic code and execute it. Eeye tried sending Netcat, a kind of telnet server, which installed itself with astonishing ease. Once installed, this allowed free telnet access to the NT server for just about anyone. This included the possibility for a perfect stranger to reach the command prompt and have any command executed. The Eeye people concluded that they had full administrator privileges. Someone with a dirty mind could do a lot of 'creative' things with the machine.
The first reports on Bugtraq conclude that all tested versions of IIS 4.0 are vulnerable. System operators who did their duty and installed the Microsoft Service Packs should also know that their systems are not safe from this problem. NT systems with Service Packs 3, 4 and 5 all suffer from it. All this would not be too dramatic if it were not for the fact that the exploit is so easy to duplicate. It only takes three small files to download from the Eeye Web site and one command to type at the DOS prompt, and you're inside. You don't need to be a highly skilled hacker to exploit this bug.
Things get even worse. It doesn't really help to put a firewall in front of your webserver. Normally this puts a filter on the incoming and outgoing traffic, using the file type or possibly the address of the source or destination machine. For a public webserver, it is simply necessary to allow this traffic from outside. A firewall could not stop this type of attack without closing access to the webserver for everybody. What could help is the installation of an application firewall, which effectively checks the content of all web requests and, for example, blocks all .htr extensions. One way to do this is to use a so-called HTTP accelerator, such as the Squid package.
In VNU's lab
After we read the Eeye announcement, we tried to duplicate the bug in our lab on the available NT servers. All NT servers in the lab have the latest service packs installed and are normally configured in a safe way. But on all machines the buffer overflow occurred at the first attempt, bringing the webserver down. We didn't even need five minutes to obtain complete administrator access from a remote machine, simply using the sacred Iishack.exe program. Once you understand how the bug works, it is equally easy to write a short program in an efficient scripting language like Perl which brings the webserver down but leaves the NT server perfectly operational.
Even more surprising was that we couldn't find any trace of our attack in the log files. Once the webserver crashes, it does not log anything. This leaves a system administrator totally blind to what happened to his webserver. There is no way for him to know what or who hit him. We also tried an attack on two fully operational IIS webservers on the Internet, with the permission of the administrator. In both cases, the webserver went down and we obtained full access to the NT machine.
Scale of the problem
Pinning down the precise dimensions of a security problem is always a difficult task. Last year, the VNU BA Testlabs broke the news about some serious configuration problems in the Lotus Domino webserver. We developed a scanner that searched the entire Internet for Domino servers and tested whether they actually had a security problem. Afterwards, this was reported to all the administrators concerned. We obtained very precise statistics about the scale of the problem.
In this case that is impossible. Testing a machine just to check whether it's vulnerable would entail the risk of blocking the server and bringing it down. We cannot simulate the buffer overflow situation without interfering with the system. It is not our intention to bring a remote webserver down just to prove it is vulnerable to a security bug.
But we can picture the global scale of the problem. In the last two years, the webserver market has shifted towards expanded use of NT and IIS. Although the freeware Apache is still far more widely used than the Microsoft product, IIS controls 22 per cent of the worldwide market. Netcraft's webserver survey estimates the number of IIS installations worldwide at about 1.3 million machines, all potentially vulnerable to this bug. Netcraft also pointed out that 40,345 UK websites are running the buggy IIS software.
Quite a number of well-known British and international companies rely on IIS for their webservers. IT companies such as Intel (http://www.intel.co.uk) and Dell (http://www.dell.co.uk), or less high-tech organisations such as the Scotland national site (http://www.scotland.co.uk), could face attacks if they do not fix their servers in time.
Another recent development makes the problem even worse: administrators increasingly use Web-based administration software to manage their servers. This means installing webserver software on ordinary NT machines that are only for private, administrative use. The consequence is that even internal machines normally used for file and print serving are vulnerable to this type of Web-based attack.
What does Microsoft say?
Eeye reported the bug to Microsoft on 8 June, with the explicit request to solve the problem as quickly as possible. It took Microsoft exactly a week to react and compose a Security Bulletin, which still did not contain more information than the Eeye report. Didn't they realise that this is a very serious problem? On 15 June, the censorship committee in Redmond decided to recognise the problem and publish the advisory from Eeye.
Microsoft included some of its own comments, a nice example of Orwellian doublespeak. The bulletin depicts the problem as the possibility of a denial of service attack, which could make your server shut down. The cryptic message that under certain conditions a remote program could be executed on the server is not a lie, but a serious underestimation of the problem. IIS administrators, however, have to deal with the truth.
At the same time, Microsoft started shooting the piano player. They told everybody who wanted to listen to them that "security companies with a sense of responsibility don't develop software that can be used to harm innocent users."
True, but they are just trying to get rid of the responsibility, including possible claims from users. At the same time, the company does not seem to consider it enough of a priority to inform its own customers swiftly and correctly.
What precautions can be taken
If you are administering an NT server that also acts as a webserver, your machine is probably suffering from the problem. The bug is reported for all existing copies of version 4.0 of IIS, the most recent and most widely used IIS version. Unless you pull out the power, your server is a possible target for any would-be hacker at this very moment. It is advisable to take action as soon as possible. The fix proposed by Eeye and Microsoft is to switch off script mapping for .htr scripts on your webserver. This excludes the entire .htr functionality, which could be a problem because it is used to allow remote web or ftp users to change their passwords.
You should go through the following steps:
1. Start the "Internet Service Manager"
2. Choose "Internet Information Server"
3. Right click to select "Properties"
4. Select the "WWW Service", followed by "edit"
5. Go to "Home Directory" and click on "Configuration"
6. Look for the ".HTR" extension and "remove"
Microsoft has not yet released a more fundamental patch that resolves the 'buffer overflow' problem. This may take them a while, since it's a complicated technical matter. Another way to protect your webserver against this type of attack is to use intelligent software packages that can detect, for example, .htr extensions or ::$DATA (an older IIS bug). A suspect request could be refused or possibly be bounced to another Web page.
The most radical solution is of course to abandon IIS and replace it with another NT or even Unix webserver, such as Lotus Domino, Netscape or Apache.
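As an added illustration (not code from the article, from Eeye or from any of the products named), the request screen that the application-firewall paragraph above and this one describe: a check that sits in front of IIS, refuses over-long URIs, .htr requests and ::$DATA syntax, and logs every decision itself, since the article notes a crashed IIS logs nothing. The length cap of 1024, the constructed sample requests and the constructed path names are assumptions.

```python
import re
from typing import NamedTuple
from urllib.parse import unquote

# Assumed policy values (not from the article). The article puts the
# overflow at roughly 1140 bytes, so the URI cap sits well below that.
MAX_URI_LEN = 1024
BLOCKED_EXTENSIONS = (".htr",)      # the .htr password-change handler
BLOCKED_SUBSTRINGS = ("::$data",)   # NTFS stream syntax, the older IIS bug
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")

class Verdict(NamedTuple):
    allowed: bool
    reason: str

def inspect_request_line(line: str) -> Verdict:
    """Decide whether a raw HTTP request line may be forwarded to IIS."""
    m = REQUEST_LINE.match(line.strip())
    if m is None:
        return Verdict(False, "malformed request line")
    _method, uri, _version = m.groups()
    # Length first: an over-long URI is refused before anything parses it.
    if len(uri) > MAX_URI_LEN:
        return Verdict(False, f"request uri too long ({len(uri)} > {MAX_URI_LEN})")
    # Strip the query, undo %xx encoding and fold case: IIS and NTFS treat
    # names case-insensitively, so .HTR and .ht%72 must be caught too.
    path = unquote(uri.split("?", 1)[0]).lower()
    if any(seg.endswith(BLOCKED_EXTENSIONS) for seg in path.split("/")):
        return Verdict(False, "blocked extension .htr")
    if any(marker in path for marker in BLOCKED_SUBSTRINGS):
        return Verdict(False, "ntfs data stream syntax in path")
    return Verdict(True, "ok")

def screen_requests(lines):
    """Record every decision in front of IIS, so a crash cannot erase it."""
    log = []
    for line in lines:
        verdict = inspect_request_line(line)
        action = "ALLOW" if verdict.allowed else "DENY"
        log.append(f"{action} {verdict.reason}: {line[:60]}")
    return log

# Constructed sample traffic for the screen (not captured data).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /change.htr?user=bob HTTP/1.0",
    "GET /change.%48TR HTTP/1.0",          # .HTR hidden behind %48 ('H')
    "GET /" + "A" * 1140 + " HTTP/1.0",    # the over-long request the article describes
    "GET /default.asp::$DATA HTTP/1.0",
]
```

Running `screen_requests(SAMPLE_REQUESTS)` yields one ALLOW line and four DENY lines, each naming the rule that fired.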
Update: Microsoft on Monday 21 June, shortly after this report was completed, said it had produced a patch for the problem, although details are still being finalised.