RealTime IT News

First Remote IIS 5 Root Exploit In The Wild

Less than 24 hours after the publication of a severe, system-level security flaw in Microsoft's IIS 5.0, source code to a program that exploits the hole and gives a remote user full control of a vulnerable server has been posted online.

Jill.c, a 167-line C program, was written by a grey-hat hacker in New Zealand who uses the nickname Dark Spyrit. Run against a default installation of Microsoft's popular web server, the compiled exploit needs only the hostname of the target and a port number, and within seconds gives the attacker complete control of the machine.

The code, which was distributed on a Windows 2000 security mailing list Wednesday afternoon, exploits a vulnerability discovered by security software firm eEye Digital Security and published Tuesday.

Jill.c triggers a buffer overflow in a component called msw3prt.dll, the .printer ISAPI extension that gives IIS 5.0 its support for the Internet Printing Protocol. By writing past the end of a fixed-size buffer, the exploit overwrites the saved instruction pointer with an address that redirects execution into the attacker-supplied code, which opens a command prompt on the remote web server.
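The mechanism described above is the classic stack overflow: attacker-controlled data copied into a fixed-size buffer without a length check runs over the saved return address that sits above the buffer on the stack. The following is an added illustration of that bug class beside its fix; it is not code from jill.c, eEye or Microsoft, and it does not reproduce the .printer vulnerability. The frame layout (a buffer immediately followed by the return-address slot), the buffer size and the sample header values are assumptions chosen for the demonstration; a real frame also holds saved registers and compiler-dependent padding.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame (assumption for illustration): a fixed-size buffer
 * followed directly by the slot holding the saved return address. */
#define BUF_SIZE 64
#define RET_SENTINEL 0x1122334455667788ULL

typedef struct {
    char buf[BUF_SIZE];     /* where the header value is supposed to land */
    uint64_t saved_ret;     /* what the CPU will jump to when the function returns */
} frame_t;

/* The bug: the length of the attacker-controlled header is never compared
 * against BUF_SIZE, so the copy runs straight through buf into saved_ret.
 * The copy is capped at the frame size only so this simulation stays
 * well-defined; the real bug has no cap at all. Returns the value now sitting
 * in the return-address slot so the effect can be observed. */
uint64_t unchecked_copy(const char *hdr, size_t len) {
    frame_t frame;
    frame.saved_ret = RET_SENTINEL;
    if (len > sizeof(frame)) {
        len = sizeof(frame);
    }
    memcpy(&frame, hdr, len);   /* no check against BUF_SIZE: the overflow */
    return frame.saved_ret;
}

/* The fix: reject any value that does not fit, leaving room for the NUL.
 * Returns 0 on success, -1 when the input is rejected. */
int checked_copy(const char *hdr, size_t len, char out[BUF_SIZE]) {
    if (len >= BUF_SIZE) {
        return -1;              /* refuse rather than silently truncate */
    }
    memcpy(out, hdr, len);
    out[len] = '\0';
    return 0;
}

/* Constructed oversized input: 72 bytes of 'A' fills the 64-byte buffer and
 * the 8-byte return slot, so the saved return address becomes 0x4141...41,
 * the address an attacker would replace with a pointer to shellcode. */
uint64_t demo_overflow(void) {
    char payload[sizeof(frame_t)];
    memset(payload, 'A', sizeof(payload));
    return unchecked_copy(payload, sizeof(payload));
}

/* The same oversized input against the hardened copy is rejected outright. */
int demo_rejected(void) {
    char payload[sizeof(frame_t)];
    char out[BUF_SIZE];
    memset(payload, 'A', sizeof(payload));
    return checked_copy(payload, sizeof(payload), out);
}

int main(void) {
    const char *benign = "Host: example.test";   /* constructed sample header */
    char out[BUF_SIZE];

    printf("benign input, return slot: 0x%llx (intact)\n",
           (unsigned long long)unchecked_copy(benign, strlen(benign)));
    printf("oversized input, return slot: 0x%llx (overwritten)\n",
           (unsigned long long)demo_overflow());
    printf("hardened copy of oversized input: %d (rejected)\n", demo_rejected());
    printf("hardened copy of benign input: %d -> \"%s\"\n",
           checked_copy(benign, strlen(benign), out), out);
    return 0;
}
```

The value that lands in the return slot is exactly what the attacker chose to put there; in the real exploit it is the address of a jump into the payload rather than 0x41 bytes. The hardened version returns an error instead of truncating, because silent truncation of a header can itself produce parsing surprises downstream.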

The exploit is not yet in widespread circulation, but security experts say it will quickly become a popular attack tool for web site defacers and more malicious computer criminals.

"Once it's up on one of the lists, it gets into the underground archives. I think it will be a long-standing member of the arsenal used against IIS 5 boxes. Right now it's certainly the tool of choice because of its ability to give you a command prompt," said Russ Cooper, surgeon general of TruSecure Corp.

In an email interview with InternetNews.com Wednesday, Dark Spyrit said he released Jill.c to encourage system administrators to apply the patch released by Microsoft on Tuesday.

But the hacker, who has done consulting work for eEye and COVERT Labs in recent years, said there were other motivations besides "full disclosure" for publishing the exploit: "To be honest - I wanted to get my name back out, show off a few techniques - and well.. hmm.. chicks dig it?"

Cooper, however, believes that even the innocuous sample exploit released by eEye with its advisory may do more harm than good.

"This was not necessary to put fire under the butts of anybody. Every alerting mechanism on the planet has been invoked. So I think there's a naivete when people think they need to do a proof of concept to convince others that this is serious," said Cooper.

Despite the advisories from Microsoft, CERT, NIPC and others, Cooper nonetheless predicted that system administrators will be slow to apply the patch.