Re: Windows 2000 .printer remote overflow proof of concept exploit....

From: Shawn Kleinart (securityat_private)
Date: Mon May 07 2001 - 18:37:29 PDT


    This is mostly an FYI for everyone on this list, as I assume everyone
    reading emails on this list has already patched themselves if they were
    vulnerable - running IIS 5. While this issue had been made very well known
    to those who actually admin servers / networks, there are still those who
    call themselves "admins" but who:
    
    1) Don't follow security issues and have no idea about this.
    2) Are too dumb to, er, too lazy to apply the patch / secure the machine.
    3) Are more worried about their uptime than they are with security.
    4) Don't care.
    5) ?
    
    While we all know this exploit is being used 'in the wild,' I can confirm
    that it's been used many times to gain access to the vulnerable machines. I
    work for an ISP in the Internet Security Department and I've seen many cases
    of people getting hacked via this vulnerability. Mostly this seems to be
    part of the "Chinese web defacement coalition" against the US. The sites say
    something like 'F* the US Government'.
    
    See below for my thoughts...
    
    
    > -----Original Message-----
    > From: .sozni [mailto:sozniat_private]
    > Sent: Thursday, May 03, 2001 10:30 PM
    >
    > The sad fact is that people will probably end up being protected against
    > this exploit much faster because of the publicity behind it. There are
    > plenty of other very serious vulnerabilities that have been overlooked and
    > left unpatched simply because they didn't get enough press.
    
    Overall, I hope so. But, it's still sad that it takes massive press for
    people to properly admin their machines. I'm sure it doesn't need to be said
    on this list, but as the somewhat recent FBI press release stated, there are
    still many servers that have 2 year old vulnerabilities. That is just plain
    unacceptable.
    
    It's really not that hard to apply patches; any idiot can do it. Sure, it
    takes a more competent person to set up a server properly and make sure the
    config is sound from a security standpoint, and to make sure they have the
    correct user permissions in place and appropriate security precautions, etc.
    But, to simply apply a patch, I bet even a monkey can do that!
    
    > In security consulting it is hard to make a sell to prevent intrusions but
    > once someone is hacked they will pay just about any price to get
    > secured.  I
    > say give out the exploit and force admins to be held accountable for their
    > networks. Even if they have to get hacked a few times to learn
    > their lesson.
    
    I can attest to that. This is so true, unfortunately. I think those that
    have a (well-known) vulnerability that has had a publicly known fix/patch
    available for over 3 months (personally I think over 72 hours) and have not
    resolved the issue... they DESERVE to be hacked. And, I am actually happy
    when they lose LOTS of money because of it. 'These people' are the ones
    that are the problem.
    
    My favorite saying, which likely isn't new to anyone here... and it has a
    few variations, is:
    "While you need a license to drive your car on the highway, you don't need a
    license to have a machine on the information super-highway."
    ... it's so true that any 'Johnny B Hacked' can put up a server on the
    Internet. The only 'accountability' for that is their ISP... what they
    choose to do once they become aware of it.
    
    >
    > > -----Original Message-----
    > > From: Steve [mailto:steveat_private]
    > > Sent: Thursday, May 03, 2001 3:29 PM
    > > To: win2ksecadviceat_private
    > > Subject: Re: Windows 2000 .printer remote overflow proof of concept
    > > exploit t
    > >
    > >
    > > > A number of people have put effort into supposedly providing "proof
    > > > of concept" code or "remote test" code that allows Administrators to
    > > > determine whether or not their IIS 5.0 box is, or isn't, patched
    > > > against this .printer buffer overflow.
    > >
    > > I prefer to call it "proof of vulnerability".
    
    It's out there. I've seen logs indicating the attacker put a "root.exe" file
    on the IIS5 host and then was able to issue a command to run this file via
    the overflow. I don't have any more specific information on the contents of
    the root.exe file or the exact script used, etc. at this time.
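
    The two artifacts the message above describes, requests to the .printer ISAPI
    extension and a dropped root.exe being invoked through the web server, are
    both visible in an IIS access log. The following is an added example, not
    code from the original poster or the list: it parses IIS W3C extended log
    lines and flags both indicators. The log lines and the #Fields order are
    constructed for the example, not taken from the author's logs. The overflow
    payload itself travels in a request header that a default IIS log does not
    record, so the scan keys on the URI stem rather than on any payload bytes.

```python
"""Flag .printer requests and root.exe invocations in IIS W3C extended logs.

Added example (not the original poster's code). The sample log below is
constructed; the field order is an assumption about the server's #Fields line.
"""

# Constructed sample log in IIS 5 W3C extended format.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-04 02:11:07 192.0.2.10 GET /default.htm - 200
2001-05-04 02:11:09 192.0.2.10 GET /NULL.printer - 500
2001-05-04 02:11:31 192.0.2.10 GET /scripts/root.exe /c+dir+c:\\ 200
2001-05-04 02:12:02 198.51.100.7 GET /index.asp - 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header.

    Lines before the first #Fields header, comment lines and lines whose field
    count does not match the header are skipped rather than guessed at.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def classify(entry):
    """Return an indicator tag for a request entry, or None if it is unremarkable.

    A request for any *.printer URI hits the Internet Printing ISAPI extension
    that the overflow lives in; a request for root.exe under the web root is
    the dropped-file indicator the message reports.
    """
    stem = entry.get("cs-uri-stem", "").lower()
    if stem.endswith(".printer"):
        return "printer-isapi-request"
    if stem.endswith("/root.exe"):
        return "root.exe-invocation"
    return None


def find_indicators(text):
    """Return (client-ip, uri-stem, tag) for every flagged request, in log order."""
    hits = []
    for entry in parse_w3c(text):
        tag = classify(entry)
        if tag:
            hits.append((entry["c-ip"], entry["cs-uri-stem"], tag))
    return hits


if __name__ == "__main__":
    for ip, stem, tag in find_indicators(SAMPLE_LOG):
        print(f"{ip}\t{stem}\t{tag}")
```

    Run against a real log, the first tag is only an indicator: a box that does
    not use Internet Printing should never see a .printer request at all, so any
    hit is worth a look, but the log alone does not show whether the overflow
    succeeded. The second tag is the stronger one, since root.exe is not something
    IIS ships under the web root.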
    



    This archive was generated by hypermail 2b30 : Fri May 11 2001 - 00:06:01 PDT