RaySun2Be
Lifer
This may be old news for some of you (and more smug smirks from the *nix folks), but I thought I would spread the word on a new and serious security hole in IIS 5.0 on Win2K:
"PATCH NOW," SAYS MICROSOFT
By Shawna McAlearney
Security Wire Digest, VOL. 3, NO. 35, May 3, 2001
Calling it the most serious security flaw it's found to date, Microsoft
Tuesday said that more than a million Web servers running IIS 5.0 are
vulnerable to a buffer overflow exploit that could give an attacker
complete control via the .printer Internet Services Application
Programming Interface (ISAPI) filter extension.
"I need to say right up front, this is a serious vulnerability," says
Scott Culp, a Microsoft Security Response Team program manager.
"Everyone who is using IIS 5.0 needs to apply that patch right
now--today, before they go home--if they haven't done so already. The
proper order is install the patch first, read the bulletin second."
Discovered by eEye Digital Security, the "Unchecked Buffer in ISAPI
Extension Could Enable Compromise of IIS 5.0 Server" vulnerability stems
from a component in Windows 2000 that allows users to print remotely
over the Internet. Unless the Internet printer component is disabled
(it's enabled by default) a single string of carefully crafted text
sent to it can give an attacker full control of a Web server running IIS
5.0. The vulnerability arises when a buffer of approximately 420 bytes
is sent within the HTTP Host: header for a .printer ISAPI request. Web
servers normally stop responding when overflowed; however, Windows
2000 will automatically restart a crashed Web server, making it easier
for remote attackers to execute code. When exploited, there's no IIS
log that records the attack.
"Any Windows 2000 server running IIS 5.0, from the smallest mom-and-pop
shop all the way up to various Fortune 500 companies, is vulnerable to
complete compromise by an attacker," says Marc Maiffret, eEye's chief
hacking officer.
Security experts say it might be the most serious flaw the company has
announced in years. "It's realistic to say that over the next six to 12
months, any large scale compromises that occur will occur as a result of
this vulnerability," says Russ Cooper, editor of NTBugtraq, a Windows
vulnerability listserv. "I would say 98 percent of IIS 5.0 boxes are
vulnerable."
Cooper compared the flaw to the well-known RDS vulnerability found in
1998. "Three years later, credit card numbers are still being stolen as
a result of RDS," he says. "It's reasonable to suggest we will be
talking about this (vulnerability) for several years to come."
After confirming the severity of the vulnerability, Culp says Microsoft
implemented extraordinary steps to mitigate and correct the problem.
These include contacting each Microsoft client, notifying the IT and
financial services information sharing and analysis centers (ISACs), and
suspending production on service pack 2 so the patch could be included
in the release.
Mitigation includes removing the .printer script mapping, applying the
Microsoft patch, utilizing the Secure Internet Information Services
Checklist or applying the High Security Template. Sysadmins who followed
the Microsoft IIS 5 security checklist or applied the Microsoft High
Security Template are protected from this attack.
Patch (link)
Bulletin (link)
Secure Internet Information Services Checklist (link)
Windows 2000 IIS Security Configuration Tool (link)
Security Tool (link)
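The article makes two points a defender can act on directly: the trigger is a .printer ISAPI request carrying a Host: header of roughly 420 bytes, and IIS itself writes no log entry when it is hit, so the request has to be caught in front of the server (reverse proxy, IDS, or a packet capture). The following is an added example written for this post, not code from the article, eEye or Microsoft. It parses raw HTTP/1.x requests and flags .printer requests by Host: header length. The 420-byte figure is the article's; the lower 256-byte "suspicious" threshold, the sample requests and the paths in them are constructed for illustration.

```python
"""Flag HTTP requests matching the IIS 5.0 .printer ISAPI overflow pattern.

Added example for this post (not the article's or vendor's code). Input is
the raw request as a proxy, IDS or pcap extractor would see it, because the
article notes IIS writes no log entry for the attack.
"""
import re
from dataclasses import dataclass

OVERFLOW_HOST_LEN = 420    # approximate size quoted in the article
SUSPICIOUS_HOST_LEN = 256  # assumption: no legitimate Host: value is this long
# Match a request target ending in .printer (optionally with a query string).
# Case-insensitive because Windows/IIS path matching is case-insensitive.
PRINTER_RE = re.compile(r"\.printer(\?|$)", re.IGNORECASE)


@dataclass
class Verdict:
    level: str      # "ok", "printer_request", "suspicious", "overflow", "malformed"
    path: str
    host_len: int   # length in bytes of the Host: header value
    reason: str


def parse_request(raw: bytes):
    """Return (method, path, headers) from a raw HTTP/1.x request.

    Header names are lower-cased; the first occurrence of a header wins.
    Values are kept as bytes so their length is the on-the-wire length.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    method = parts[0].decode("latin-1")
    path = parts[1].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a header line; ignore rather than fail
        headers.setdefault(name.strip().lower().decode("latin-1"), value.strip(b" \t"))
    return method, path, headers


def classify(raw: bytes) -> Verdict:
    """Classify one raw request. Never raises: bad input is reported, not dropped."""
    try:
        _method, path, headers = parse_request(raw)
    except ValueError as exc:
        return Verdict("malformed", "", 0, str(exc))
    host_len = len(headers.get("host", b""))
    if not PRINTER_RE.search(path):
        return Verdict("ok", path, host_len, "not a .printer request")
    if host_len >= OVERFLOW_HOST_LEN:
        return Verdict("overflow", path, host_len,
                       f"Host: header is {host_len} bytes on a .printer request")
    if host_len >= SUSPICIOUS_HOST_LEN:
        return Verdict("suspicious", path, host_len,
                       f"unusually long Host: header ({host_len} bytes) on .printer request")
    # Any .printer request is worth recording: if the script mapping has been
    # removed as the article advises, nothing legitimate should reach it.
    return Verdict("printer_request", path, host_len, ".printer ISAPI request")


def scan(requests):
    """Return the verdicts for every request that is not plain 'ok'."""
    return [v for v in (classify(r) for r in requests) if v.level != "ok"]


# Constructed sample traffic (not captured data).
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
PRINTER_OK = b"GET /printers/lp1/.printer HTTP/1.1\r\nHost: print.example.com\r\n\r\n"
PRINTER_UPPER = b"GET /probe.PRINTER?x=1 HTTP/1.0\r\nHost: h\r\n\r\n"
SUSPICIOUS = b"GET /probe.printer HTTP/1.0\r\nHost: " + b"B" * 300 + b"\r\n\r\n"
OVERFLOW = b"GET /probe.printer HTTP/1.0\r\nHost: " + b"A" * 420 + b"\r\n\r\n"
GARBAGE = b"\x00\x01\x02"

if __name__ == "__main__":
    for v in scan([BENIGN, PRINTER_OK, PRINTER_UPPER, SUSPICIOUS, OVERFLOW, GARBAGE]):
        print(f"{v.level:16} host_len={v.host_len:<4} {v.path}  ({v.reason})")
```

Two design choices follow from the article: any .printer request is reported, not only oversized ones, because once the script mapping is removed the extension should see no traffic at all; and the check is on raw bytes in front of the server rather than on IIS logs, since the article states the exploit leaves no IIS log entry.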