On the eve of war in Iraq, researchers were particularly troubled that the first and possibly only target so far was a computer in the .mil (US military) domain. According to security researcher Russ Cooper, an Army web site was compromised using the exploit.
The vulnerability is an unchecked buffer in ntdll.dll, a core Windows 2000 system component, reached through the WebDAV support built into Internet Information Services (IIS) 5.0, the web server that ships with Windows 2000. Anybody who can send a specially malformed, overlong WebDAV request to an IIS 5.0 server over HTTP can exploit it; no credentials are needed.
“An attacker who successfully exploited this vulnerability could gain complete control over an affected web server,” Microsoft said in a security bulletin. “This would give the attacker the ability to take any desired action on the server.”
Unlike the countless other security advisories issued by software companies, Microsoft in particular, over the last couple of years, this latest hole is concerning because the bad guys found it first: the exploit was in use before any patch existed. No one knows how long they have known about the hole, or how many servers have been compromised.
TruSecure Corp’s Russ Cooper, who maintains the NTBugtraq mailing list, said he was informed by a US Army source last Tuesday that one of its IIS servers had been compromised and was being used to build a map of the network it was on.
The Army tried to notify Microsoft via a heavily used bug report web form on Tuesday, Cooper said, but it was not until a personal call to Microsoft staff was made Wednesday that the company started to work on the patch, which was made available this week.
“Microsoft has received isolated reports that this vulnerability is being actively exploited and urges all Windows 2000 customers to apply this patch as soon as possible,” a Microsoft spokesperson said. While he refused to name the compromised customer, the spokesperson confirmed that the call was received Wednesday last week.
It goes without saying that the organizations that issued alerts this week – TruSecure, Microsoft, ISS X-Force, and the CERT Coordination Center among them – advised Windows 2000 users to install the patch, or to implement one of the workarounds Microsoft recommends, such as disabling IIS or disabling WebDAV on affected servers (on IIS 5.0, WebDAV is turned off with the DisableWebDAV registry value under the W3SVC Parameters key).
“This vulnerability could easily be used to compromise IIS servers in an automated fashion, or as part of a self-propagating worm,” Internet Security Systems Inc’s X-Force said in an alert issued this week.
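Detection logic of the kind that warning calls for, as an added example that is not from the article or from any of the vendors it names: it reads IIS W3C extended log lines and flags WebDAV requests with overlong URIs (the malformed request described above), plus any client that hammers the server with WebDAV methods, which is how automated exploitation or a worm looks from the server side. The log lines are constructed, and both thresholds are assumptions to tune per site.

```python
"""Flag suspicious WebDAV requests in IIS W3C extended logs.

Added example, not from the article: a server-side heuristic for the kind of
overlong WebDAV request the text describes, and for the repeated probing an
automated attacker or worm would generate.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

# WebDAV methods (RFC 2518) plus SEARCH, which IIS 5.0's WebDAV also served.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
# Assumed thresholds (tune per site): real WebDAV URIs are at most a few
# hundred bytes, while the public 2003 exploit code sent URIs of about 64 KB.
URI_LEN_THRESHOLD = 1024
PROBES_PER_CLIENT_THRESHOLD = 5


@dataclass(frozen=True)
class Hit:
    client: str
    method: str   # method of the request, or all methods seen for a client
    value: int    # URI length for an overlong hit, request count for a probe hit
    reason: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the names in the #Fields header.
    W3C extended fields are space separated and never quoted (IIS writes '+'
    for a space inside a field), so a plain split is correct."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split(" ")))


def flag_webdav_abuse(lines: Iterable[str],
                      uri_len_threshold: int = URI_LEN_THRESHOLD,
                      probes_per_client: int = PROBES_PER_CLIENT_THRESHOLD) -> List[Hit]:
    """Return a Hit for every WebDAV request whose URI is at least
    uri_len_threshold bytes long, then one Hit per client that issued
    probes_per_client or more WebDAV requests in this log."""
    hits: List[Hit] = []
    per_client: Counter = Counter()
    methods_seen: Dict[str, set] = defaultdict(set)
    for rec in parse_w3c(lines):
        method = rec.get("cs-method", "").upper()
        if method not in WEBDAV_METHODS:
            continue
        client = rec.get("c-ip", "-")
        uri = rec.get("cs-uri-stem", "")
        per_client[client] += 1
        methods_seen[client].add(method)
        if len(uri) >= uri_len_threshold:
            hits.append(Hit(client, method, len(uri), "overlong WebDAV URI"))
    for client, n in per_client.items():
        if n >= probes_per_client:
            hits.append(Hit(client, ",".join(sorted(methods_seen[client])), n,
                            "repeated WebDAV requests from one client"))
    return hits


# Constructed sample log in IIS 5.0 W3C extended format (not a real capture).
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2003-03-17 02:14:05 10.0.0.5 GET /default.htm 200",
    "2003-03-17 02:14:09 10.0.0.5 PROPFIND /docs/ 207",
    # Constructed exploit attempt: a SEARCH whose URI is about 64 KB long.
    "2003-03-17 02:15:41 192.0.2.44 SEARCH /" + "A" * 65535 + " 500",
] + [
    # Constructed scanner: one client probing repeatedly with WebDAV methods.
    f"2003-03-17 02:16:{s:02d} 198.51.100.9 SEARCH /probe{s} 404" for s in range(6)
]


if __name__ == "__main__":
    for hit in flag_webdav_abuse(SAMPLE_LOG):
        print(f"{hit.client:<14} {hit.method:<8} {hit.value:>6}  {hit.reason}")
```

The length rule catches the exploit itself; the per-client rule is the cheaper signal for a worm, which scans indiscriminately and will leave dozens of WebDAV requests from each infected host whether or not any of them succeed. On a server where WebDAV has been disabled as a workaround, the threshold for the second rule can be set to 1, since no legitimate WebDAV traffic should arrive at all.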
“I believe in the next seven to ten days we will see a worm based on this exploit,” Cooper told ComputerWire, possibly written by the Army attacker. “But in 12 months, fifty percent of IIS boxes out there still won’t be patched,” he added.
According to Cooper’s Army sources, somewhere on the compromised Windows server the phrase “Welcome to the unicorn beachhead” was found, evidently left by the hackers. Unicorn, Cooper said, does not correspond to the name of a known hacker group.
Unicorn was, however, the prerelease codename for a predecessor technology of WebDAV. The word “beachhead”, coupled with the network mapping activity, suggested the hacker intended to do further damage to the network.
But the target server was, Cooper said, of very low sensitivity, and not connected to sensitive networks. It was rather “a perception attack on the credibility of the military to secure its systems, as a result of some doofus little web server sitting in a barracks somewhere.”
And with the US poised on the brink of a war in which perception is perhaps more key than ever before, the attack is all the more provocative.
Source: Computerwire