CRIME New IIS Exploit

From: Andrew Plato (aplato@private)
Date: Tue Mar 18 2003 - 12:52:02 PST

    Here is some data from ISS about this bug. The bug was used to hack some
    Army web servers, according to this story:
    http://www.computerworld.com/securitytopics/security/hacking/story/0,10801,79478,00.html?nas=AM-79478
    
    MICROSOFT IIS WEBDAV REMOTE COMPROMISE VULNERABILITY
    
    OVERVIEW
    A serious vulnerability exists within the Web-based Distributed
    Authoring and Versioning (WebDAV) component of Microsoft Internet
    Information Services (IIS) Web server. WebDAV extensions are used by
    administrators to manage and edit Web content remotely.
    
    HOW BIG IS THE RISK?
    This vulnerability is currently being exploited in the wild, and X-Force
    has verified the existence of a functional exploit tool. This
    vulnerability is in itself very serious, but the existence of robust
    exploits in the wild dictates that fixes or temporary workarounds should
    be applied immediately.
    
    WHAT IS THE VULNERABILITY?
    Exploitation of this vulnerability will yield local SYSTEM privileges on
    vulnerable IIS servers. This can potentially lead to the disclosure of
    confidential information contained on compromised Web servers. This
    vulnerability could easily be used to compromise IIS servers in an
    automated fashion, or as part of a self-propagating worm. Since the
    vulnerability is in an underlying library function and not within the
    IIS server itself, it is conceivable that other portions of the IIS
    server or completely unrelated services might also be affected.
    
    WHAT SYSTEMS ARE AT RISK?
      IIS 5.0 on Windows 2000 up to and including Service Pack 3
      Not affected: IIS installations on Windows XP, Windows Server 2003
    
    ___________________________________
    Andrew Plato, CISSP
    President / Principal Consultant
    Anitian Corporation
    
    Enterprise Security &
    Infrastructure Solutions
     
    503-644-5656 Office
    503-644-8574 Fax
    503-201-0821 Mobile
    www.anitian.com 
    ___________________________________
    



    This archive was generated by hypermail 2b30 : Tue Mar 18 2003 - 13:37:31 PST