U.S. Army Web servers hacked

Computerworld - WASHINGTON -- Hackers on March 11 infiltrated an undisclosed number of U.S. Army Web servers, taking advantage of a previously undisclosed buffer-overflow vulnerability in a component of Microsoft Corp.'s Windows 2000 that is used to manage the Web Distributed Authoring And Versioning (WebDAV) protocol.
Security experts are characterizing the incident as a rare example of a "0-day" exploit, referring to an exploit that takes advantage of a vulnerability nobody is aware of and for which there is no available patch. However, Microsoft issued a fix yesterday for the vulnerability (see story). Security vendors are also advising users that there are work-arounds that can be implemented immediately to reduce vulnerability.
WebDAV, which is installed by default with Internet Information Server (IIS) Version 5.0, allows documents to be assigned properties and attributes and enables collaborative creation, editing and searching from remote locations. It also enables documents to be written via HTTP. However, if an attacker is able to run code with local system privileges on a vulnerable system, the attacker could take complete control of the system, including the ability to install programs; view, change or delete data; and create new accounts with full privileges.
According to Symantec Corp., Microsoft IIS is estimated to run on approximately 25% of the Internet's Web servers, which means about 4 million systems could be vulnerable.
"The component that has the overflow vulnerability is a core operating system component, not a flaw in IIS," said Russ Cooper, surgeon general at TruSecure Corp. "It happens that WebDAV is the attack vector."
An Army source notified Cooper on March 11 of the attack. According to the source, administrators noticed that the exploit was conducting network mapping and outputting data on the terminal services port -- Port 3389 -- to an unspecified region but to the same location repeatedly. Cooper said using Port 3389 was likely an attempt by the attacker to stay below the Army's security radar since it's normally used for encrypted traffic that sniffers wouldn't try to decipher.
Cooper said he believes the Army was being deliberately targeted.
Instead of reporting the vulnerability to senior Microsoft managers, the Army reportedly filed a bug report online. Cooper said that may have contributed to critical time being lost in developing a fix. In fact, when Cooper called Microsoft on March 16, the company was unaware of the vulnerability, he said.
Patrick Swan, a spokesman for the Army's CIO, said the Army's information assurance office is currently studying the attack to "assess what it is that happened." He also said that the Air Force Computer Emergency Response Team may have discovered the same vulnerability.
Army sources said a file discovered on the hard drive of one of the compromised servers contained the phrase "welcome to the Unicorn beachhead."
Dee Leiebenstein, group product manager for Symantec Corp.'s DeepSite Threat Management System, said the vulnerability should be a "great concern" to the business community because it provides hackers with the capability to conduct targeted attacks and offers an effective avenue of approach for launching worms. "This is kind of our worst-case scenario," said Leiebenstein. "There is the potential for something much larger."
She recommended that users immediately either disable WebDAV or, if that isn't possible, change the length of the requests that are authorized to come into the Web server. By limiting that length, you're able to reduce risk, she said.