New IIS exploit could be one of many

Code posted takes advantage of vulnerability in Windows 2000 By Paul  Roberts March 25, 2003      Just one week after Microsoft alerted the public to a serious security vulnerability in a component of its Windows 2000 operating system, a security researcher has posted code to exploit that vulnerability.

The code or "exploit" was posted to two online discussion lists frequented by the computer security experts on Monday by Rafael Núñez, a senior research scientist at Scientech de Venezuela in Caracas, Venezuela .

The actual code was written by an individual using the name "kralor," part of a group called Coromputer. Núñez verified and tested the exploit before posting it.

The exploit posted by Núñez could be dangerous, but it is similar to code that was already being developed and circulated among malicious hacker groups online, according to David Litchfield of Next Generation Security Software Ltd. in Sutton, U.K. (NGSS).

While posting an exploit to public forums such as the Bugtraq mailing list raises the profile of such code, it does not increase the risk of new worms or viruses being developed that target the Microsoft vulnerability, Litchfield said.

"Someone who would write a worm for this [vulnerability] would know how to without having exploit code provided," Litchfield said.

In fact, having the exploit code available could help "level the playing field" between network administrators and malicious [or "black hat"] hackers by providing administrators with detailed information about how attacks might be carried out, according to Litchfield.

The vulnerability concerns an unchecked buffer in a core Windows 2000 component called ntdll.dll that is used to handle the World Wide Web Distributed Authoring and Versioning (WebDAV) extensions to HTTP (Hypertext Transfer Protocol), according to the Microsoft Security bulletin MS03-007. (See www.microsoft.com.)

WebDAV allows users to edit and manage files on remote Web servers. The protocol is designed to create interoperable, collaborative applications that facilitate geographically dispersed "virtual" software development teams.

An attacker could use the vulnerability to cause a buffer overflow on the machine running Microsoft's Internet Information Server (IIS), creating a denial of service (DOS) attack against such machines or executing their own malicious code in the security context of the IIS service, giving them unfettered access to the vulnerable system, Microsoft said.

Microsoft quickly developed and released the patch for Windows 2000 after learning that one of its customers was already being attacked using WebDAV to target the ntdll.dll vulnerability.

However, the vulnerability can be exploited in many ways, with WebDAV just one prominent example, Litchfield said.

Litchfield released a paper on Friday announcing that NGSS uncovered new avenues of attack on ntdll.dll in addition to WebDAV. Some of those attacks could use IIS, while others might use other Java-based Web Servers, Litchfield said. (See: www.nextgenss.com.)

Despite Microsoft's security alert regarding possible attacks using WebDAV and IIS and Núñez's publication of exploit code for that particular scenario, users who are not running IIS or using WebDAV may also be vulnerable, Litchfield said.

"It's like the saying 'All roads lead to Rome .' There are lots of paths that lead to this problem and there will be other things like [the WebDAV exploit]," Litchfield said.

Litchfield encouraged administrators to assess their exposure to the vulnerability in the ntdll.dll component of Windows 2000, then download, test, and apply Microsoft's security patch as needed.

Administrators should also keep their eyes open for a more thorough patch for the ntdll.dll problem, following the problems that were reported by some customers who deployed the first patch, according to Litchfield.   Paul Roberts is a Boston-based correspondent for the IDG News Service, an InfoWorld affiliate.