[ISN] Hacking IIS -- how sweet it is

From: InfoSec News (isnat_private)
Date: Fri Aug 10 2001 - 23:51:26 PDT

    http://www.theregister.co.uk/content/4/20960.html
    
    By Thomas C Greene in Washington
    Posted: 10/08/2001 at 19:29 GMT
    
    We've looked over a few recent credit-card database compromises
    brought to our attention by CardCops (formerly AdCops), an
    organization which tries to get the straight dope on e-commerce hacks
    directly from the blackhat community to better inform merchants of
    threats to their systems.
    
    The most recent victims CardCops has seen are on-line perfumery
    StrawberryNet.com; computer retailer mWave.com; and a very large Texas
    ISP called Stic.net, which gave up many thousands of credit card
    details, along with the records of 500 businesses and their FTP
    logins. All of the victims are running IIS 4 or 5 over Win-NT or 2K.
    
    Not surprisingly, Microsoft IIS is quite popular among carders,
    because it's got lots and lots of holes, and because it's often used by
    people who lack the technical know-how to plug them. It's easy to use,
    which makes it particularly attractive for those who want to break
    into e-commerce on a shoestring, and particularly attractive as well
    for those who just want to break in.
    
    CardCops founder Dan Clements reckons that IIS is in use by roughly
    fifty per cent of e-merchants, but represents over eighty per cent of
    their data compromises.
    
    Under its 'amnesty program,' CardCops seeks information from active
    carders in exchange for a guarantee that they won't be tracked,
    reported or otherwise harassed. The idea is to warn the merchants and
    card issuers when they've been hacked, and to learn which exploits are
    most popular and most successful.
    
    One such submission posted recently caught our eye. It details the
    sheer ease with which one can exploit the IIS folder traversal
    vulnerability (which was also exploited by the sadmind/IIS worm for
    the less-threatening business of defacing servers, as we reported
    here).
    
    Exploiting the folder traversal bug lets a request escape the Web
    directory and reach any directory, and any file, on the logical drive
    that holds the Web directory. If the administrator keeps the Web
    directories and the system directories on the same drive, the system
    directory (and cmd.exe with it) is within reach -- bingo, machine
    owned.
    
    Mind you, MS issued a hotfix for this vulnerability in October of
    2000, and the sadmind/IIS worm ought to have alerted quite a few
    admins that they were open to it, but this seems not to have helped as
    much as one would wish. Furthermore, the simple precaution of placing
    Web directories and system directories on different drives would limit
    the damage, but this also seems to be overlooked more often than not.
    
    According to what we've seen -- a little how-to manual submitted to
    CardCops -- finding a vulnerable IIS machine is pretty much like
    shooting fish in a barrel.
    
    The unique item here is the author's home-made program, called
    'Microsoft IIS Raper', which quickly scans chosen IP ranges,
    automatically searching for vulnerable IIS machines.
    
    The program also simplifies matters and speeds things up considerably
    by trying to fetch cmd.exe directly over HTTP. Whenever that request
    succeeds, one knows that the folder traversal vulnerability is working
    as it should. After that, one simply installs a Trojan to keep the
    machine open in case it should be patched later, and thus it's owned.
    (Savvy crackers will patch the system fully at this point, to prevent
    competitors from taking it over.)
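    The two points the article makes -- that the traversal escapes the Web
    directory but stays on the same logical drive, and that a scanner can
    confirm the hole simply by asking for cmd.exe -- can be checked
    concretely. The following Python is an added example written for this
    page; it is not the carders' tool, not CardCops' material and not
    Microsoft's code. It models how the vulnerable IIS decoded a request
    path (the well-documented detail behind this bug, not stated in the
    article, is that IIS ran its '..' check before decoding and then
    accepted overlong UTF-8 forms such as %c0%af for '/'), maps the result
    onto disk through an assumed virtual-directory layout, reports whether
    the path escaped its directory and whether it landed on the system
    drive, and finally runs that check over a few constructed IIS W3C log
    lines so an admin can spot cmd.exe probes after the fact. The vdir
    map, system root and log lines are all assumptions for illustration.

```python
"""Model of the IIS folder-traversal bug, plus a log check for probes of it.
Added example for this page; the directory layout and log lines are assumed."""
import ntpath
import re
from urllib.parse import unquote_to_bytes

# Hypothetical IIS virtual-directory map (URL prefix -> physical path),
# modelled on a default IIS 4/5 install. Assumed layout, not from the article.
VDIRS = {
    "/scripts": r"C:\Inetpub\scripts",
    "/": r"C:\Inetpub\wwwroot",
}
SYSTEM_ROOT = r"C:\WINNT"  # assumed location of the system directory


def decode_overlong(raw: str) -> str:
    """Percent-decode a URL path, then decode UTF-8 the way the vulnerable
    IIS did: two-byte sequences are accepted without an overlong check, so
    %c0%af becomes '/' and %c1%9c becomes '\\'. A correct decoder (Python's
    own) rejects those forms; that difference is the whole bug."""
    data = unquote_to_bytes(raw)
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))  # no overlong check
            i += 2
        else:
            out.append(chr(b))  # anything else passes through unchanged
            i += 1
    return "".join(out)


def resolve(url_path: str, vdirs=VDIRS, system_root=SYSTEM_ROOT):
    """Map a request path onto disk as IIS would after (mis)decoding it.
    Returns (physical_path, escaped_vdir, on_system_drive)."""
    decoded = decode_overlong(url_path)
    matches = [p for p in vdirs if decoded == p or decoded.startswith(p.rstrip("/") + "/")]
    prefix = max(matches, key=len) if matches else "/"  # longest-prefix vdir match
    base = vdirs[prefix]
    rest = decoded[len(prefix):].lstrip("/\\").replace("/", "\\")
    physical = ntpath.normpath(ntpath.join(base, rest))  # collapses the '..' components
    # Escaped if the resolved path is not inside the vdir's physical directory.
    escaped = not (ntpath.normcase(physical) + "\\").startswith(ntpath.normcase(base) + "\\")
    # Traversal can only move within one logical drive: is that the system drive?
    on_system_drive = ntpath.splitdrive(physical)[0].lower() == ntpath.splitdrive(system_root)[0].lower()
    return physical, escaped, on_system_drive


# IIS W3C extended log, fields fixed for this example: date time c-ip
# cs-method cs-uri-stem cs-uri-query sc-status. Constructed sample lines.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-10 19:29:01 192.0.2.10 GET /default.asp - 200",
    "2001-08-10 19:29:05 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200",
    "2001-08-10 19:29:06 198.51.100.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 404",
    "2001-08-10 19:29:09 198.51.100.7 GET /scripts/../../winnt/system32/cmd.exe /c+dir 403",
]
LOG_RE = re.compile(r"^(\S+) (\S+) (?P<ip>\S+) (?P<method>\S+) (?P<stem>\S+) (?P<query>\S+) (?P<status>\d+)$")


def flag_traversal(log_lines, vdirs=VDIRS, system_root=SYSTEM_ROOT):
    """Return (ip, raw stem, status, physical path, on_system_drive) for every
    request that escaped its virtual directory or asked for cmd.exe. A 200
    next to an escaped path is the 'hit' the scanner in the article looks for."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if line.startswith("#") or not m:
            continue
        physical, escaped, on_sys = resolve(m["stem"], vdirs, system_root)
        if escaped or physical.lower().endswith("cmd.exe"):
            hits.append((m["ip"], m["stem"], int(m["status"]), physical, on_sys))
    return hits


if __name__ == "__main__":
    probe = "/scripts/..%c0%af../winnt/system32/cmd.exe"
    print("same drive  :", resolve(probe))
    other_drive = {"/scripts": r"D:\Inetpub\scripts", "/": r"D:\Inetpub\wwwroot"}
    print("other drive :", resolve(probe, other_drive))
    for hit in flag_traversal(SAMPLE_LOG):
        print("flagged     :", hit)
```

    Running it shows the article's mitigation in action: with the Web
    directories on C:, the probe resolves to C:\winnt\system32\cmd.exe;
    with the same directories moved to D:, the traversal still escapes the
    Web root but can only reach D:\winnt\..., which does not exist. The
    log check flags the three probes regardless of encoding, and the 200
    status on the %c0%af line is the one that says the hole was real.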
    
    Patch this
    
    How can it be this easy to exploit a vulnerability that Microsoft
    patched ten months ago, and which a recent worm highlighted to admins
    with numerous page defacements?
    
    "What's going on is that there are just too damn many patches. It's
    simply impossible to keep up. I get weekly summaries of new
    vulnerabilities and patches. One alert service listed 19 new patches
    in a variety of products in the first week of March 2001. That was an
    average week. Some of the listings affected my network, and many of
    them did not. Microsoft Outlook had over a dozen security patches in
    the year 2000. I don't know how the average user can possibly install
    them all; he'd never get anything else done," Counterpane Internet
    Security CTO Bruce Schneier remarks in a recent article.
    
    It's a fair point indeed, though we have hopes that Microsoft will
    soon make it a bit easier.
    
    And as for the recent hacks, CardCops' Clements says that none of the
    businesses or ISPs he's contacted recently, warning that they've been
    hacked, have bothered to reply. However, Stic.net President David
    Robertson told us that he was never contacted, and deems it "highly
    unlikely" that his system had been compromised.
    
    Since press time, he reports, he has been "bouncing off the walls"
    trying to contact CardCops for more information.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Sat Aug 11 2001 - 04:18:15 PDT