Proaktiv IT-sikkerhet
 

Critical vulnerability in Internet Information Server v. 5

Security Information Week 12, 2003

Introduction

This week several security organizations reported a newly discovered vulnerability in Microsoft's Internet Information Server version 5.0. This is the version of IIS which is included - and by default installed - in Windows 2000.

Microsoft has rated this vulnerability as Critical. Several other security organizations have sent out special alerts.

The issue

The problem is an unchecked buffer in a particular component of Windows 2000. This component can be called using WebDAV, an extension of the HTTP (web) protocol that allows authorized users to add and change content on the web server.

By exploiting this vulnerability, a malicious user could take virtually any action on the compromised server. This goes well beyond changing the web content: she may be able to do virtually anything, because she can get Local System access.

Microsoft has issued a patch for the vulnerability (see link at the end of this Security Information). Note in particular that even if you have disabled IIS on the computer, you are still vulnerable, as the exploitable file still resides on your system!
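Since the vulnerable component is reached through WebDAV, it helps to know which clients actually send WebDAV requests to a server. The following is an added example, not part of the original bulletin or of Microsoft's guidance: it reads IIS logs in W3C extended format and lists WebDAV requests from clients outside an allow-list. It assumes the log records the c-ip and cs-method fields; the function names, the allow-list and the sample log lines are constructed for illustration.

```python
from collections import Counter

# Methods defined by WebDAV (RFC 2518); plain GET/POST/HEAD are not WebDAV.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

def parse_w3c(lines):
    """Yield one dict per request, named after the latest #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column layout may change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or damaged rows
                yield dict(zip(fields, values))

def webdav_report(lines, authorized_clients):
    """Return (WebDAV request counts per (client, method), requests from
    clients that are not in authorized_clients)."""
    usage, unexpected = Counter(), []
    for req in parse_w3c(lines):
        method = req.get("cs-method", "").upper()
        if method not in WEBDAV_METHODS:
            continue
        client = req.get("c-ip", "unknown")
        usage[(client, method)] += 1
        if client not in authorized_clients:
            unexpected.append(req)
    return usage, unexpected

# Constructed sample log using documentation addresses, not real traffic.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2003-03-18 09:12:01 192.0.2.10 GET /default.htm 200",
    "2003-03-18 09:12:07 192.0.2.10 PROPFIND /docs/ 207",
    "2003-03-18 09:13:44 198.51.100.7 PROPFIND / 207",
    "#Fields: time c-ip cs-method cs-uri-stem sc-status",
    "09:14:02 198.51.100.7 LOCK /docs/plan.doc 423",
    "09:14:05 192.0.2.10 MOVE",              # truncated row, ignored
]

if __name__ == "__main__":
    usage, unexpected = webdav_report(SAMPLE_LOG, authorized_clients={"192.0.2.10"})
    for (client, method), count in sorted(usage.items()):
        print(f"{client} {method} x{count}")
    for req in unexpected:
        print("not on allow-list:", req["c-ip"], req["cs-method"], req["cs-uri-stem"])
```

If the report shows no legitimate WebDAV use at all, that is useful input when deciding how to handle a server that cannot be patched immediately.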

Potential implications

In addition to the fact that vulnerable servers can be completely compromised, there is another dangerous issue involved in an attack of this type.

One and a half years ago a new Internet worm, CodeRed, was discovered to a lot of media attention. This worm arrived as an HTTP request to vulnerable web servers and was not present as a file on the server, only as a process in memory.

One may assume that it is possible to create a similar malicious program by exploiting this newly discovered security issue. Program code that exploits the vulnerability has already been made available on the Internet.

A special problem

As mentioned, Microsoft has issued a patch for this issue (see link below), and has also published instructions on how to proceed for those who for some reason are unable to use the patch.

However, shortly after the patch was issued, several reports were posted indicating that there were problems with applying the patch on certain systems, as this resulted in a startup error after the patch was applied.

Microsoft has investigated the problem and states that it will occur if certain separate patches issued after Windows 2000 Service Pack 2 but before Service Pack 3 were applied to the system. Make sure that your system is in the correct state before applying the patch.

Useful links

Per Olav Førland