DoubleClick Admits Servers Were Hacked
Page 1 of 1
DoubleClick confirmed Monday that two of its web sites have been penetrated by attackers. The ad-serving giant said no customer data has been accessed or affected by the intrusions, but security experts questioned whether the company was understating the impact of the incident.
According to DoubleClick's chief privacy officer Jules Polonetsky, unidentified attackers exploited a vulnerability in Microsoft's Internet Information Server IIS4 web server on March 19th to place a back-door program on the company's corporate web server at www.doubleclick.net. But the attackers were unable to execute the file, which would have given them system-administrator control of the web server, because the folder it was in did not have script access.
In addition, the attackers used a separate bug in IIS4 to view files on another server, abacusonline.doubleclick.net. Among the files they accessed was the source code of an active server page that contained a username and password. According to Polonetsky, the server is a development machine which doesn't host live customer data, and the login data would only have enabled a user to view the source code to the ASP page.
Patches which closed the security holes were released by Microsoft last year. Polonetsky said DoubleClick was moving swiftly to shore up its corporate systems, and has not yet contacted law enforcement about the incident.
CUSTOMER DATA SAFE?
The vulnerabilities in DoubleClick's network were first discovered by a French hacking information site, Kitetoa.com, and published last week in the online version of the technology magazine Transfert.
Using a well-known security bug in the Unicode feature of IIS, Kitetoa was able to view a non-public directory on the doubleclick.net server and discovered the existence of a file called eeyehack.exe. That program was written in 1999 by security software maker eEye Digital Security to demonstrate a buffer overflow flaw it discovered in IIS 4.0.
According to Marc Maiffret, chief hacking officer at eEye, the existence of the program and a secondary file, eeyerulez.asp, suggests the intruders were able to gain IUSR_MACHINE privileges on the DoubleClick server.
"What we know for sure was that the exploit did work enough to upload files to the server and execute commands as the IUSR account. Typically on a default NT4 installation, IUSR has permission to do as it pleases to the hard drive, so they could have been reading different databases or reading data depending on how DoubleClick set it up," said Maiffret.
Although DoubleClick insists that the back-door program failed to execute properly because it was in a folder that lacked permission to run ASP scripts, Maiffret notes that other folders on the server, such as the one hosting the company's legal disclaimers, are set up to use such scripts, and an astute attacker could have transferred the back-door files to that folder and run them successfully.
Security experts also challenged DoubleClick's assertion that the damages to its Abacus Online site were minimal. Ollie Whitehouse was part of a team which discovered the Malformed Hit-Highlighting Argument Vulnerability that enabled Kitetoa to view ASP files on the Abacus server.
"We see a lot of people embedding usernames and passwords in the source code with the misunderstanding that external users are not going to be able to review their source code. And typically the passwords you see embedded in ASP pages are for connecting to back-end databases or systems of some kind, and are never used purely for viewing the ASP page," said Whitehouse, currently the managing security architect with security consulting firm @Stake.
OTHER SYSTEMS VULNERABLE?
The compromised DoubleClick servers are among at least 25 DoubleClick systems running Microsoft Windows NT4, including machines used by advertisers to manage their accounts. While Microsoft's Windows 2000 operating system and IIS5 web server are not vulnerable to the three exploits that afflicted DoubleClick, Whitehouse of @Stake said many Internet sites have not made the move to Windows 2000.
"IIS4 by itself poses a lot more security vulnerabilities than IIS5, but people that invested in large NT4 infrastructures are not able to convert overnight," said Whitehouse. He said that companies must nonetheless keep up with the latest NT4 service packs, and noted that DoubleClick appears to be at least one full service pack behind.
Last August, Kitetoa discovered that software maker Bull Groupe's web site had left exposed an internal sales and marketing database containing confidential customer information.
In an email interview with InternetNews.com, Kitetoa suggested that the attackers might have planted password sniffers on the compromised servers or used them to traverse to other DoubleClick systems.
But Polonetsky insisted that DoubleClick's customers are not at risk.
"We're confident we have appropriate security measures firmly in place in any areas where customer or production equipment is in place, and we've moved to make sure these two external systems have appropriate measures as well."