
HOLE


re...@ecn.ab.ca

Jul 22, 1999, 3:00:00 AM


A once-obscure Microsoft Web server security problem is back with a
vengeance, allowing crackers to easily pry open some of the Web's biggest
sites. When the bug first surfaced last summer, it proved very difficult
to exploit. But a mere six lines of demonstration code makes the problem
much more pressing, security groups warned. "At least 50 percent of the
IIS sites we looked at are affected," said Greg Gonzalez, who discovered a
new and simpler way to exploit the hole. Gonzalez reported the problem to
Microsoft in June, immediately after identifying the vulnerability while
trying to secure his own servers.




Last July, Microsoft discovered that several of the default services in
its Windows NT Internet Information Server could be exploited, giving
anyone access to databases connected to that server. Microsoft advised
customers to reconfigure their systems to avoid those functions. But on
Monday, MSNBC reported that the vulnerability places many of the Net's
largest sites, such as Nasdaq and Compaq, at potential risk.

The problematic function is called Data Factory, a piece of software that
allows users to request data from backend databases through a Web
connection. Data Factory is part of a set of services called Microsoft
Data Access Components that are included in the default installation of
IIS, said Scott Culp, Microsoft security product manager for Windows NT.
Culp said that only version 1.5 of MDAC is vulnerable to attack, but added
that users who upgraded from version 1.5 without a fresh install of the
components would also be at risk. Culp recommended that users upgrade from
that version, and install the program clean, not use the upgrade.

Last month, Gonzalez, the vice president of Web services at Information
Technologies Enterprises, discovered a way to exploit the hole in the
default settings of Windows NT IIS. Gonzalez said the exploit could be
conducted with a minimum of six lines of Visual Basic code.

Microsoft re-released its advisory Monday, recommending that customers
secure their Web servers immediately. But while the first advisory stated
that crackers needed a username and password to exploit the hole, the
latest advisory doesn't mention passwords at all. This omission implies
that the exploit may not even require a password, said Weld Pond, member
of the Boston-based security collective, The L0pht.

"[Microsoft] doesn't really highlight that they had it wrong the first
time," Pond said. "Someone's figured out how to [exploit this hole] with
anonymous access, without a username and password."

Culp denied that the omission had significance, adding that details about
anonymous access are still provided in an extensive FAQ that accompanies
the security advisory.

Sites running Windows NT, IIS, where IIS is in "default mode" with all the
original settings turned on, are susceptible to the exploit. The exploit
also requires that Web servers run Microsoft's Access database.

The details of the exploit are being kept secret until sites have had a
chance to upgrade their site security, said Russ Cooper, moderator of the
NTBugTraq mailing list. "I'm trying to hold back the details," Cooper
said. "Otherwise, it will become a script kiddie tool, there's no doubt
about that." Cooper said that the security hole is so easy to exploit that
people with little technical knowledge would have no problem cracking an
affected site. "Anybody that knows anything about programming in Visual
Basic can figure out what it is," Cooper said.

--
Graham-John Bullers
moderator of alt.2600.moderated
email : re...@freenet.edmonton.ab.ca | ab...@freenet.toronto.on.ca

http://www.freenet.edmonton.ab.ca/~real/index.html
