Exploit Calls into Question IIS Security

A buffer overrun exploit discovered by the eEye Digital Security Team (www.eeye.com) could allow hackers to execute arbitrary code on remote Windows NT servers. Once again Internet Information Server (IIS) administrators have been delivered a shock to their systems.

The latest IIS exploit renewed calls across the industry for more adequate quality control on the part of Microsoft Corp. But according to Rob Enderle, a senior analyst with Giga Information Group (www.gigaweb.com), the complexity and range of functionality provided by a product like IIS makes it prone to exploits of varying importance, which are likely to reoccur in the future.

"It's a complex product, so yes there will certainly continue to be issues with any of their Web serving products as they gain more functionality. With functionality comes the risk of error," Enderle observes.

As far as NTBugtraq Mailing List (www.ntbugtraq.com) moderator Russ Cooper is concerned, it's not a question of poor or inadequate quality control on Microsoft's part, but rather a symptom of a lack of quality assurance (QA) resources industrywide.

"More QA has to be done, but the problem is that there is a dramatic shortage of programmers with this type of expertise in the U.S.," Cooper explains. "Linux supporters, for example, will say they've got 10,000 programmers working on a problem like this, but the reality is that there is a very small subset of the Linux community that is really capable of understanding where and how these problems occur."

According to eEye, the latest buffer overrun exploit was successfully perpetrated on SP4- and SP5-updated NT servers running version 4.0 of IIS. These configurations account for about 90 percent of the Windows NT servers on the Internet.

The vulnerability is due to an unchecked buffer in IIS' ISM.DLL, which, if properly exploited, can result in a denial of service. In this scenario, a hacker sends a malformed request for an HTR file, which causes the buffer to overflow and results in an IIS crash.

After an attack, the Windows NT Server would not need to be rebooted, but any resident IIS service would need to be restarted. eEye also alluded to a second, more sinister IIS buffer overrun-related exploit. The second threat, more difficult to perpetrate, can occur when a hacker sends a carefully constructed file request that causes arbitrary code to execute on the server by means of a buffer overrun technique.

In a security bulletin distributed on its Microsoft Product Security listserv, Microsoft acknowledged that the buffer overrun vulnerability could permit hackers to perpetrate denial-of-service attacks against an IIS server or, under certain conditions, execute arbitrary code on a server. Microsoft provided a temporary workaround that consisted of disabling the script mapping for HTR files, and indicated that it would make a patch available.

eEye provides an ISAPI Filter fix that patches the HTR hole without removing HTR functionality, crucial for remote administration of IIS environments.
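The article's description of the ISM.DLL flaw (an unchecked buffer that a malformed HTR request can overflow) and of eEye's filter that rejects bad requests without removing HTR support are two faces of one bug class. The following C program is an added illustration, not eEye's filter or any Microsoft code, and it assumes nothing about ISM.DLL's internals: a hypothetical handler that copies the requested file name into a fixed 64-byte buffer with no length check, beside a bounded version that refuses names that do not fit, which is the kind of check a request filter performs before the request ever reaches the handler.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from eEye or Microsoft. The buffer size and the
 * handler shape are assumptions chosen for illustration; ISM.DLL's real
 * layout is not described in the article. */
#define NAME_BUF 64

/* The unchecked pattern: the request's file name is copied into a fixed
 * stack buffer with strcpy. Any name longer than NAME_BUF - 1 bytes writes
 * past the end of `name`. This function exists to show the defect and is
 * never called with oversized input in main() or the test. */
int handle_htr_unchecked(const char *requested) {
    char name[NAME_BUF];
    strcpy(name, requested);          /* no length check: overrun on long input */
    return (int)strlen(name);
}

/* The hardened pattern: bound the length check to the buffer size (memchr
 * never reads past NAME_BUF bytes), fail closed when the name does not fit,
 * and only then copy. Returns the name length on success, -1 when the name
 * is too long, -2 when the extension is not the one this handler serves. */
int handle_htr_checked(const char *requested) {
    char name[NAME_BUF];
    const char *end = memchr(requested, '\0', NAME_BUF);
    if (end == NULL) {
        return -1;                    /* no terminator within the buffer: reject */
    }
    size_t len = (size_t)(end - requested);
    memcpy(name, requested, len + 1); /* copy including the terminator */
    const char *dot = strrchr(name, '.');
    if (dot == NULL || strcmp(dot, ".htr") != 0) {
        return -2;                    /* assumed check: this handler serves .htr only */
    }
    return (int)len;
}

/* Builds a constructed request name of n_padding 'A's followed by ".htr"
 * and runs it through the checked handler, so callers can probe the
 * boundary without writing oversized strings themselves. */
int probe_request(size_t n_padding) {
    char buf[512];
    if (n_padding + 5 > sizeof buf) {
        return -3;                    /* probe itself would not fit */
    }
    memset(buf, 'A', n_padding);
    memcpy(buf + n_padding, ".htr", 5);
    return handle_htr_checked(buf);
}

int main(void) {
    printf("checked(\"admin.htr\")  = %d\n", handle_htr_checked("admin.htr"));
    printf("checked(\"index.html\") = %d\n", handle_htr_checked("index.html"));
    printf("probe(59 + .htr = 63)  = %d\n", probe_request(59));
    printf("probe(60 + .htr = 64)  = %d\n", probe_request(60));
    printf("probe(200 + .htr)      = %d\n", probe_request(200));
    return 0;
}
```

The boundary cases matter: a 63-byte name is the longest that fits with its terminator and is accepted, a 64-byte name is rejected before any copy happens, and the unchecked variant would have overrun on both the 64-byte and 204-byte inputs.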

Giga's Enderle notes that this IIS-related exploit comes at a bad time for the software giant. "Right now this is particularly troubling because [Microsoft is] trying to create a high quality image with which to drive Windows 2000 in the marketplace," he explains. "Windows 2000 is being presented as the highest quality product they've ever created, but if they can't execute on other products people simply won't buy that quality message."

Notable IIS-Related Exploits

  • June 1999 -- HTR Buffer Overrun DoS Attack

    An attacker could send a malformed request for an HTR file that causes the buffer to overflow, resulting in a system crash. The file request also could cause arbitrary code to execute on the server by means of a buffer overrun attack.

  • August 1998 -- Executable Directories in IIS 4.0

    A nonadministrative user could place executable code into a Web site directory, thus enabling him or her to run applications that could compromise the Web server.

  • January 1998 -- Malformed FTP List Request DoS Attack

    Similar to the recent HTR buffer overrun attack, the exploit could result in either a denial of service threat or arbitrary code execution on a remote server by means of a buffer overrun exploit.

  • June 1997 -- IIS Long URL DoS Attack

    Versions 2.0 and 3.0 of IIS on NT 4.0 could be crashed with a URL of specific, but long length: 4k to 8k, variable per server.