[ISN] Msoft Bug Opens Site Secrets

From: mea culpa (jerichot_private)
Date: Sat Jul 04 1998 - 14:34:49 PDT

    Forwarded From: blueskyt_private
    
    Msoft Bug Opens Site Secrets
    by Michael Stutz and James Glave 
    
    12:30pm 2.Jul.98.PDT
    
    Microsoft is scrambling to patch a significant security hole that can
    leave a Web site's sensitive information, such as database logins,
    passwords, and trade secrets, exposed to malicious users.
    
    The exploit, or bug, known as the "$DATA bug," grants virtually any casual
    Web user access to the source code of Active Server Pages (ASP)
    applications running on Microsoft's Internet Information Server (IIS).
    
    Many corporate Web sites are currently vulnerable, including Nasdaq,
    CompuServe, MSNBC, and, of course, Microsoft (MSFT) -- which has promised
    a fix by the end of Thursday.
    
    "You can really get trade secrets," said Ed Laczynski, an applications
    developer with a major investment bank and member of an ASP developer
    mailing list where the bug first surfaced several days ago. 
    
    "Anyone can go into Microsoft's code and redo it, it is almost like
    [getting the highest level of] access to all of a site's back end,"
    Laczynski said.
    
    ASP is a technology that lets webmasters running Microsoft's IIS Web
    servers create content "on the fly" by querying databases and running
    programs on the server that assemble each page. Such ASP code is normally
    hidden from the end user, who sees only the finished Web page.
    
    But the hidden ASP code can contain sensitive information such as
    "connection strings" that tell the server how and where to log in to a
    nonpublic database.
    
    The bug exposes this sensitive information. All an end user needs to do is
    append the text '::$DATA' to the end of the URL of any ASP page. Instead
    of executing the script, the server returns its source, which allows a
    malicious individual to download a copy of the server application itself,
    complete with the embedded logins and passwords.
    
    "Most of the time, you have [sections of code] that have all of the
    connection strings -- the strings that contain the user name, IP address,
    password, and database information," said Laczynski.
    
    In January, Microsoft issued a patch for a similar IIS security hole that
    exposed the source code and certain system settings of files on Windows
    NT-based Web servers.
    
    Paul Ashton, a UK-based security consultant and employee of Eigen
    Solutions, discovered the new hole and made the news public late Tuesday.
    
    "Some time ago, I mentally noted the fact that '::$DATA' can be tacked on
    to a filename to access it as an alternative name for the same thing,"
    Ashton said in an email to Wired News. "To me, it was an exploit waiting
    to happen. When the latest ASP vulnerability was announced, it reminded me
    of this point." 
    
    Russ Cooper, moderator of the NT BugTraq security mailing list, said he
    discussed it with Microsoft several days ago.
    
    "To the best of my knowledge, there is no other exploitable parameter that
    you could put there," Cooper said. "The problem is in the way that IIS
    interprets the URL. It passes it directly to the file system, and the file
    system responds. The problem is that it doesn't interpret it as something
    that needs to be executed, but as something to be displayed."
    
    Though there is reportedly speculation on ASP developer mailing lists that
    the bug is a "back door" that was accidentally or intentionally left in by
    Microsoft, a security manager at the company categorically denies this. 
    
    "There is absolutely no thinking about this being a back door," said Karan
    Khanna, a product manager on the Windows NT security team. "It is a bug in
    handling the alternate data stream of IIS." 
    
    Khanna said that the bug was unlikely to reveal sensitive information
    stored in server databases, such as credit-card numbers.
    
    "If you have a site that is an ecommerce site, then typically you would
    have precautions, you would hide credit card information behind a
    three-level architecture. This is just a database access [problem]," he
    said.
    
    Khanna said that Microsoft was first notified of the problem by
    NTBugTraq's Cooper two days ago, and that the company has been working on
    a patch. He said the patch should be posted to the Microsoft Security
    Advisor site by the end of Thursday. 
    
    Until the patch is posted, the short-term workaround is to remove "read
    access" from ASP files on the server, so that they can only be executed.
    
    Cooper says that the exploit is serious, because there are so many sites
    using IIS that currently do not have read access removed from their ASPs
    -- or other executable files that might contain user ID and password
    information.
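The dispatch flaw Cooper describes, beside a hardened version and a log check, as an added illustration that is not code from the article, from IIS or from Microsoft; the toy dispatcher, its handler names, the sample paths and the log lines are all constructed for this example.

```python
# Added illustration (not code from the article, IIS or Microsoft): a toy
# dispatcher reproducing the flaw Cooper describes, a hardened version, and a
# log check. Handler names, paths and log lines are constructed.
import posixpath
from urllib.parse import unquote

SCRIPT_EXTENSIONS = {".asp", ".asa"}   # executed server-side, never served raw

def naive_handler(url_path: str) -> str:
    """Vulnerable dispatch: choose a handler from the raw path's extension."""
    ext = posixpath.splitext(url_path)[1].lower()   # ".asp::$data" for the bug case
    return "execute" if ext in SCRIPT_EXTENSIONS else "serve_static"

def hardened_handler(url_path: str) -> str:
    """Canonicalise before dispatch: drop the query string, decode escapes and
    refuse any path that carries NTFS stream syntax (':' is not a legal
    file-name character on NTFS, so such a request names no real resource)."""
    path = unquote(url_path.split("?", 1)[0])
    if ":" in path:
        return "reject"                             # answer 400/404, touch no file
    ext = posixpath.splitext(path)[1].lower()
    return "execute" if ext in SCRIPT_EXTENSIONS else "serve_static"

# Constructed W3C-style log lines: date time client-ip method uri status.
SAMPLE_LOG = """\
1998-07-02 12:30:01 10.0.0.5 GET /default.asp 200
1998-07-02 12:30:07 10.0.0.5 GET /default.asp::$DATA 200
1998-07-02 12:30:09 10.0.0.7 GET /login.asp%3A%3A%24DATA 200
1998-07-02 12:31:12 10.0.0.9 GET /images/logo.gif 200
"""

def find_stream_requests(log_text: str) -> list:
    """Detection: return (client, uri) for requests whose decoded path carries
    stream syntax, i.e. the ones hardened_handler would reject."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue                                # malformed line, skip
        client, uri = fields[2], fields[4]
        if hardened_handler(uri) == "reject":
            hits.append((client, uri))
    return hits

if __name__ == "__main__":
    for p in ("/default.asp", "/default.asp::$DATA"):
        print(p, naive_handler(p), hardened_handler(p))
    print(find_stream_requests(SAMPLE_LOG))
```

The naive dispatcher reproduces the article's failure mode because the file system opens the same file either way while the extension lookup no longer matches `.asp`; the hardened one refuses stream syntax before any file is touched, which is the server-side complement to removing read access.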
    
    "If you've got read permission on the file, then you can see the contents
    of the file," said Cooper.
    
    "It's the same as saying that you can see the source code of how the Web
    site was generated," Cooper said. "If you go to an [IIS-powered] Web site
    and you see something that's really innovative, being able to download
    that source code is the same as giving away your secret of how you
    programmed it."
    
    Laczynski said that he has developed ASP Web sites for major banking
    firms, consulting firms, and a health-care information provider. "We
    developed an ASP application that certain hospitals [used as a] trends
    reporting tool," he said.
    
    Another ASP developer, who lives in the Czech Republic, played down the
    bug, calling it more of an irritant than a crisis.
    
    "This kind of problem is nettlesome for us to say the least," said Douglas
    Arellanes, director of Inicia, a Prague database development firm, in an
    email.
    
    "If your code includes database connections, those database passwords are
    visible. Now you're supposed to put those into a separate file, usually
    called global.asa, but if they're not there, then that's when the problems
    can result," said Arellanes.
    
    "It's possibly critical, because you need to have write access to a
    directory to do anything with the passwords," Arellanes said. "And it
    means either a few hours of work to change all our passwords around, or
    possibly more work to convert all the sites to use this global.asa
    method." 
    
    
    -o-
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    