New IIS exploit could be one of many

Just one week after Microsoft Corp. alerted the public to a serious security vulnerability in a component of its Windows 2000 operating system, a security researcher has posted code to exploit that vulnerability.

The code, or "exploit," was posted yesterday by Rafael Nunez, a senior research scientist at Scientech de Venezuela in Caracas, to two online discussion lists frequented by computer security experts. The actual code was written by a person using the name "kralor," part of a group called Coromputer. Nunez verified and tested the exploit before posting it.

The exploit posted by Nunez could be dangerous, but it's similar to code that was already being developed and circulated among malicious hacker groups online, according to David Litchfield at Next Generation Security Software Ltd. (NGSS) in Sutton, England.

While posting an exploit to public forums such as the Bugtraq mailing list raises the profile of such code, it does not increase the risk of new worms or viruses being developed that target the Microsoft vulnerability, Litchfield said. "Someone who would write a worm for this [vulnerability] would know how to without having exploit code provided," he said.

In fact, having the exploit code available could help "level the playing field" between network administrators and malicious hackers by providing administrators with detailed information about how attacks might be carried out, according to Litchfield.

The vulnerability concerns an unchecked buffer in a core Windows 2000 component called ntdll.dll that is used to handle the World Wide Web Distributed Authoring and Versioning (WebDAV) extensions to HTTP, according to the Microsoft security bulletin MS03-007.

WebDAV allows users to edit and manage files on remote Web servers. The protocol is designed to create interoperable, collaborative applications that facilitate geographically dispersed "virtual" software development teams.

An attacker could use the vulnerability to cause a buffer overflow on the machine running Microsoft's Internet Information Server (IIS), creating a denial-of-service attack against such machines or executing malicious code in the security context of the IIS service, giving a hacker unfettered access to the vulnerable system, Microsoft said.

Microsoft quickly developed and released the patch for Windows 2000 after learning that one of its customers was already being attacked using WebDAV to target the ntdll.dll vulnerability.

However, the vulnerability can be exploited in many ways, with WebDAV just one prominent example, Litchfield said.

He released a paper (download PDF) on Friday announcing that NGSS uncovered new avenues of attack on ntdll.dll in addition to WebDAV. Some of those attacks could use IIS, while others might use other Java-based Web servers, Litchfield said.

Despite Microsoft's security alert regarding possible attacks using WebDAV and IIS and Nunez's publication of exploit code for those particular scenarios, users who are not running IIS or using WebDAV may also be vulnerable, Litchfield said. "It's like the saying 'All roads lead to Rome.' There are lots of paths that lead to this problem, and there will be other things like [the WebDAV exploit]," Litchfield said.

Litchfield encouraged administrators to assess their exposure to the vulnerability in the ntdll.dll component of Windows 2000, then download, test and apply Microsoft's security patch as needed.

Administrators should also keep their eyes open for a more thorough patch for the ntdll.dll problem, following the problems that were reported by some customers who deployed the first patch, according to Litchfield.


Copyright © 2003 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon