Next message: mea culpa: "[ISN] ICSA employes an undercover hacker spy."
Forwarded From: bluesky�t_private
Msoft Bug Opens Site Secrets
by Michael Stutz and James Glave
12:30pm 2.Jul.98.PDT
Microsoft is scrambling to patch a significant security hole that can
leave a Web site's sensitive information, such as database logins,
passwords, and trade secrets, exposed to malicious users.
The exploit, or bug, known as the "$DATA bug" grants virtually any casual
Web user access to the source code used in Microsoft's Active Server Page
(ASP) protocol applications running on Microsoft's Internet Information
Servers.
Many corporate Web sites are currently vulnerable, including Nasdaq,
CompuServe, MSNBC, and, of course, Microsoft (MSFT) -- which has promised
a fix by the end of Thursday.
"You can really get trade secrets," said Ed Laczynski, an applications
developer with a major investment bank and member of an ASP developer
mailing list where the bug first surfaced several days ago.
"Anyone can go into Microsoft's code and redo it, it is almost like
[getting the highest level of] access to all of a site's back end,"
Laczynski said.
ASP is a technology that allows webmasters running Microsoft's IIS Web
servers to create content "on the fly," by accessing various databases and
running programs on the server that actually assemble pages. Such ASP code
is normally hidden from the end user, who only sees the completed Web site
page.
But the hidden ASP code can contain sensitive information such as
"connection strings" that tell the server how and where to log in to a
nonpublic database.
The bug exposes this sensitive information. All an end user needs to do is
append the text '::$DATA' to the end of the address of any ASP Web site.
That allows a malicious individual to download a copy of the server
application itself, complete with the embedded logins and passwords.
"Most of the time, you have [sections of code] that have all of the
connection strings -- the strings that contain the user name, IP address,
password, and database information," said Laczynski.
In January, Microsoft issued a patch for a similar IIS security hole that
exposed the source code and certain system settings of files on Windows
NT-based Web servers.
Paul Ashton, a UK-based security consultant and employee of Eigen
Solutions, discovered the new hole and made the news public late Tuesday.
"Some time ago, I mentally noted the fact that '::$DATA' can be tacked on
to a filename to access it as an alternative name for the same thing,"
Ashton said in an email to Wired News. "To me, it was an exploit waiting
to happen. When the latest ASP vulnerability was announced, it reminded me
of this point."
Russ Cooper, moderator of the NT BugTraq security mailing list, said he
discussed it with Microsoft several days ago.
"To the best of my knowledge, there is no other exploitable parameter that
you could put there," Cooper said. "The problem is in the way that IIS
interprets the URL. It passes it directly to the file system, and the file
system responds. The problem is that it doesn't interpret it as something
that needs to be executed, but as something to be displayed."
Though there is reportedly speculation on ASP developer mailing lists that
the bug is a "back door" that was accidentally or intentionally left in by
Microsoft, a security manager at the company categorically denies this.
"There is absolutely no thinking about this being a back door," said Karan
Khanna, a product manager on the Windows NT security team. "It is a bug in
handling the alternate data stream of IIS."
Khanna said that the bug was unlikely to reveal sensitive information
stored in server databases, such as credit-card numbers.
"If you have a site that is an ecommerce site, then typically you would
have precautions, you would hide credit card information behind a
three-level architecture. This is just a database access [problem]," he
said.
Khanna said that Microsoft was first notified of the problem by
NTBugTraq's Cooper two days ago, and that the company has been working on
a patch. He said the patch should be posted to the Microsoft Security
Advisor site by the end of Thursday.
Until the patch is posted, the short-term solution is to disable "read
access" on ASP files.
Cooper says that the exploit is serious, because there are so many sites
using IIS that currently do not have read access removed from their ASPs
-- or other executable files that might contain user ID and password
information.
"If you've got read permission on the file, then you can see the contents
of the file," said Cooper.
"It's the same as saying that you can see the source code of how the Web
site was generated," Cooper said. "If you go to an [IIS-powered] Web site
and you see something that's really innovative, being able to download
that source code is the same as giving away your secret of how you
programmed it."
Laczynski said that he has developed ASP Web sites for major banking
firms, consulting firms, and a health-care information provider. "We
developed an ASP application that certain hospitals [used as a] trends
reporting tool," he said.
Another ASP developer, who lives in the Czech Republic, played down the
bug, calling it more of an irritant than a crisis.
"This kind of problem is nettlesome for us to say the least," said Douglas
Arellanes, director of Inicia, a Prague database development firm, in an
email.
"If your code includes database connections, those database passwords are
visible. Now you're supposed to put those into a separate file, usually
called global.asa, but if they're not there, then that's when the problems
can result," said Arellanes.
"It's possibly critical, because you need to have write access to a
directory to do anything with the passwords," Arellanes said. "And it
means either a few hours of work to change all our passwords around, or
possibly more work to convert all the sites to use this global.asa
method."
-o-
Subscribe: mail majordomo�t_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30
: Fri Apr 13 2001 - 12:57:52 PDT