RealTime IT News

Intruder Alert, MS IIS Found Vulnerable to Remote Hacking

A Computer Emergency Response Team (CERT) advisory issued today said a serious vulnerability in Microsoft IIS may allow remote intruders to execute commands on an IIS Web server.

The advisory, titled CA-2001-12 Superfluous Decoding Vulnerability in IIS, warned that a vulnerability closely resembling a previous vulnerability in IIS has again reared its ugly head.

The problem, said Shawn Hernan, an Internet security analyst for the CERT Coordination Center, a computer security organization based at Pittsburgh's Carnegie Mellon University, was discovered by NSFocus, a Chinese consultancy during a routine software check.

A successful exploitation of the vulnerability would let an intruder execute commands on a Web server, replace pages, attempt to gain other privileges and monitor transactions.

Hernan said a hacker would not be able to gain direct administrative control of a machine.

"There's a safe inside a house and this lets you get into the house," he said.

The "house" can be entered because IIS decodes some of the input twice and the second decoding is superfluous. When security checks are applied to the results of the first decoding IIS utilizes the results of the second decoding opening it up wide for intrusion.

"If the results of the first decoding pass the security checks and the results of the second decoding refer to a valid file, access will be granted to the file even if it should not be,"the alert stated.

To reduce exposure to the problem the advisory recommends users configure Web servers according to these guidelines:


Microsoft has also provided a patch to fix the problem.

Hernan noted that the rather "large" patch would include roll-ups of other patches that were applied to past Microsoft software vulnerabilities, including a catch-up patch for IAS.