First Remote IIS 5 Root Exploit In The Wild

Less than 24 hours after the publication of a severe, system-level security
flaw in Microsoft’s IIS 5.0, source code to a program that exploits the hole
and gives a remote user full control of a vulnerable server has been posted
online.


Jill.c, a 167-line program written in the C language, was authored by a
grey-hat hacker in New Zealand who uses the nickname Dark Spyrit. Using the
compiled code against a default installation of Microsoft’s popular web
server, an attacker merely needs to type in the name of a remote system and
a port number, and in a matter of seconds can gain complete control of the
machine.


The code, which was distributed on a Windows 2000 security mailing list
Wednesday afternoon, exploits a vulnerability discovered by security
software firm eEye Digital Security and published Tuesday.


Jill.c causes a buffer overflow in a component called msw3prt.dll, also
known as the .printer ISAPI filter, which gives the operating system
support for the Internet Printing Protocol. Jill.c then overwrites the
instruction pointer with a location in memory that jumps to the program’s
exploit code, which provides the user a command prompt on the remote web
server.
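A defender-side check that follows from the description above, added here as an example and not code from the article or from Jill.c: it scans IIS W3C extended log lines for requests aimed at the .printer ISAPI extension, which a server that does not offer Internet Printing should never see, and marks unusually large requests. The log lines, field layout and size threshold are constructed for this example.

```python
from typing import Dict, List

# Constructed sample of IIS 5 W3C extended log lines (not from the article).
# Fields used here: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes
2001-05-02 14:03:11 10.0.0.5 GET /default.htm - 200 312
2001-05-02 14:03:12 10.0.0.9 GET /NULL.printer - 500 1450
2001-05-02 14:03:13 10.0.0.9 GET /NULL.printer - 500 1452
2001-05-02 14:04:00 10.0.0.7 GET /images/logo.gif - 200 280
2001-05-02 14:05:20 10.0.0.11 GET /printers/ipp_0001.printer - 200 410
"""

# Assumed threshold (hypothetical): a legitimate IPP request is small, so a
# much larger request hitting the .printer extension deserves a closer look.
LARGE_REQUEST_BYTES = 1024


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than guess at the columns
        records.append(dict(zip(fields, parts)))
    return records


def find_printer_requests(log_text: str) -> List[Dict[str, object]]:
    """Return every request to a .printer resource, labelled by severity."""
    hits: List[Dict[str, object]] = []
    for rec in parse_w3c(log_text):
        if not rec["cs-uri-stem"].lower().endswith(".printer"):
            continue
        size = int(rec["cs-bytes"])
        severity = "high" if size > LARGE_REQUEST_BYTES else "info"
        hits.append({"ip": rec["c-ip"], "uri": rec["cs-uri-stem"],
                     "status": rec["sc-status"], "bytes": size,
                     "severity": severity})
    return hits
```

A request that crashes the web service may never be written to the log at all, so pair this with monitoring for web service crashes and restarts rather than relying on log review alone.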


The exploit is not yet in widespread circulation, but security experts say
it will quickly become a popular attack tool for web site defacers and more
malicious computer criminals.


“Once it’s up on one of the lists, it gets into the underground archives. I
think it will be a long-standing member of the arsenal used against IIS 5
boxes. Right now it’s certainly the tool of choice because of its ability
to give you a command prompt,” said Russ Cooper, surgeon general of TruSecure Corp.


In an email interview with InternetNews.com Wednesday, Dark Spyrit said he
released Jill.c to encourage system administrators to apply the patch
released by Microsoft on Tuesday.


But the hacker, who has done consulting work for eEye and COVERT Labs in
recent years, said there were other motivations besides “full disclosure”
for publishing the exploit: “To be honest – I wanted to get my name back
out, show off a few techniques – and well.. hmm.. chicks dig it?”


Cooper, however, believes that even the innocuous sample exploit released
by eEye with its advisory may do more harm than good.


“This was not necessary to put fire under the butts of anybody. Every
alerting mechanism on the planet has been invoked. So I think there’s a
naivete when people think they need to do a proof of concept to convince
others that this is serious,” said Cooper.


Despite the advisories from Microsoft, CERT, NIPC and others, Cooper
nonetheless predicted that system administrators will be slow to apply the
patch.
