Forwarded From: blueskyt_private

Msoft Bug Opens Site Secrets
by Michael Stutz and James Glave
12:30pm 2.Jul.98.PDT

Microsoft is scrambling to patch a significant security hole that can leave a Web site's sensitive information, such as database logins, passwords, and trade secrets, exposed to malicious users.

The exploit, or bug, known as the "$DATA bug" grants virtually any casual Web user access to the source code used in Microsoft's Active Server Page (ASP) protocol applications running on Microsoft's Internet Information Servers. Many corporate Web sites are currently vulnerable, including Nasdaq, CompuServe, MSNBC, and, of course, Microsoft (MSFT) -- which has promised a fix by the end of Thursday.

"You can really get trade secrets," said Ed Laczynski, an applications developer with a major investment bank and member of an ASP developer mailing list where the bug first surfaced several days ago.

"Anyone can go into Microsoft's code and redo it, it is almost like [getting the highest level of] access to all of a site's back end," Laczynski said.

ASP is a technology that allows webmasters running Microsoft's IIS Web servers to create content "on the fly," by accessing various databases and running programs on the server that actually assemble pages. Such ASP code is normally hidden from the end user, who only sees the completed Web site page.

But the hidden ASP code can contain sensitive information such as "connection strings" that tell the server how and where to log in to a nonpublic database. The bug exposes this sensitive information.

All an end user needs to do is append the text '::$DATA' to the end of the address of any ASP Web site. That allows a malicious individual to download a copy of the server application itself, complete with the embedded logins and passwords.
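The article describes IIS handing the requested name straight to the NTFS file system, where the '::$DATA' suffix names a file's default data stream, so the .asp source is served as text instead of being executed. As an added example (not from the article, Microsoft, or any of the people quoted), the Python below flags requests that use that suffix in IIS W3C-style log lines; the log lines are constructed, and the match goes slightly beyond the page's single string to the general NTFS ':name:$type' stream syntax and to percent-encoded forms.

```python
import re
from urllib.parse import unquote

# NTFS stream syntax is "file:stream:$TYPE"; "::$DATA" names the default (unnamed)
# data stream, which is what the article says IIS hands to the file system and
# then serves as plain text instead of executing. NTFS names are case-insensitive,
# so the match is too. This goes slightly beyond the page's single string by
# matching any ":<name>:$<type>" suffix.
_STREAM_RE = re.compile(r":[^/\\:?#]*:\$[A-Za-z_]+$", re.IGNORECASE)

def decode_path(raw_path: str) -> str:
    """Percent-decode until stable so %3A%3A%24DATA and double-encoded forms are visible."""
    prev, path = None, raw_path
    while path != prev:
        prev, path = path, unquote(path)
    return path

def has_stream_suffix(raw_path: str) -> bool:
    """True if the path part of the request ends in an NTFS stream specifier."""
    path = decode_path(raw_path).split("?", 1)[0]
    return _STREAM_RE.search(path) is not None

def strip_stream_suffix(raw_path: str) -> str:
    """Return the decoded path with any stream specifier removed (for normalisation)."""
    path = decode_path(raw_path).split("?", 1)[0]
    return _STREAM_RE.sub("", path)

# Constructed sample lines in IIS W3C extended format (not real traffic):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
1998-07-02 12:30:01 192.0.2.10 GET /default.asp - 200
1998-07-02 12:30:05 192.0.2.10 GET /default.asp::$DATA - 200
1998-07-02 12:30:09 192.0.2.11 GET /login.asp%3A%3A%24data - 200
1998-07-02 12:31:12 192.0.2.12 GET /global.asa::$DATA - 403
1998-07-02 12:31:40 192.0.2.13 GET /report.asp id=7 200
"""

def find_stream_requests(log_text: str) -> list:
    """Return (client ip, decoded path, status) for each request that used stream syntax."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or line.startswith("#"):  # skip short lines and W3C directive lines
            continue
        c_ip, uri_stem, status = fields[2], fields[4], int(fields[6])
        if has_stream_suffix(uri_stem):
            hits.append((c_ip, decode_path(uri_stem), status))
    return hits
```

A 200 on a flagged request means the file's source was actually returned, which is the case the article's short-term fix (removing read access) turns into a 403.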
"Most of the time, you have [sections of code] that have all of the connection strings -- the strings that contain the user name, IP address, password, and database information," said Laczynski.

In January, Microsoft issued a patch for a similar IIS security hole that exposed the source code and certain system settings of files on Windows NT-based Web servers.

Paul Ashton, a UK-based security consultant and employee of Eigen Solutions, discovered the new hole and made the news public late Tuesday.

"Some time ago, I mentally noted the fact that '::$DATA' can be tacked on to a filename to access it as an alternative name for the same thing," Ashton said in an email to Wired News. "To me, it was an exploit waiting to happen. When the latest ASP vulnerability was announced, it reminded me of this point."

Russ Cooper, moderator of the NT BugTraq security mailing list, said he discussed it with Microsoft several days ago.

"To the best of my knowledge, there is no other exploitable parameter that you could put there," Cooper said. "The problem is in the way that IIS interprets the URL. It passes it directly to the file system, and the file system responds. The problem is that it doesn't interpret it as something that needs to be executed, but as something to be displayed."

Though there is reportedly speculation on ASP developer mailing lists that the bug is a "back door" that was accidentally or intentionally left in by Microsoft, a security manager at the company categorically denies this.

"There is absolutely no thinking about this being a back door," said Karan Khanna, a product manager on the Windows NT security team. "It is a bug in handling the alternate data stream of IIS."

Khanna said that the bug was unlikely to reveal sensitive information stored in server databases, such as credit-card numbers.

"If you have a site that is an ecommerce site, then typically you would have precautions, you would hide credit card information behind a three-level architecture.
This is just a database access [problem]," he said.

Khanna said that Microsoft was first notified of the problem by NTBugTraq's Cooper two days ago, and that the company has been working on a patch. He said the patch should be posted to the Microsoft Security Advisor site by the end of Thursday.

Until the patch is posted, the short-term solution is to disable "read access" on ASP files.

Cooper says that the exploit is serious, because there are so many sites using IIS that currently do not have read access removed from their ASPs -- or other executable files that might contain user ID and password information.

"If you've got read permission on the file, then you can see the contents of the file," said Cooper.

"It's the same as saying that you can see the source code of how the Web site was generated," Cooper said. "If you go to an [IIS-powered] Web site and you see something that's really innovative, being able to download that source code is the same as giving away your secret of how you programmed it."

Laczynski said that he has developed ASP Web sites for major banking firms, consulting firms, and a health-care information provider.

"We developed an ASP application that certain hospitals [used as a] trends reporting tool," he said.

Another ASP developer, who lives in the Czech Republic, played down the bug, calling it more of an irritant than a crisis.

"This kind of problem is nettlesome for us to say the least," said Douglas Arellanes, director of Inicia, a Prague database development firm, in an email.

"If your code includes database connections, those database passwords are visible. Now you're supposed to put those into a separate file, usually called global.asa, but if they're not there, then that's when the problems can result," said Arellanes.

"It's possibly critical, because you need to have write access to a directory to do anything with the passwords," Arellanes said.
"And it means either a few hours of work to change all our passwords around, or possibly more work to convert all the sites to use this global.asa method."

-o-
Subscribe: mail majordomot_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:52 PDT