|
|
|
Microsoft Eschews Patch, Gives Exploit Code for IIS 5.0 Bug
By: Lisa Vaas
2007-06-05
Article Rating: / 0
There are 0 user comments on this Network Security & Hardware story.
Updated: Microsoft says the vulnerability is actually a feature but urges customers to upgrade to a later version of Internet Information Server.Saying that an Internet Information Server exploit is due to a feature, not a flaw, Microsoft has published exploit code for the flaw but no workaround or patch. (Microsoft has removed the exploit code since this story first posted, saying that it was posted inadvertently.)
The exploit, which was discovered on Dec. 15, 2006, and made public at the end of May, works against IIS 5.x. By design, versions 5.x allow bypass of basic authentication by using the "hit highlight" feature. The hit-highlighting feature can be used by an unauthorized user to grab documents to which he or she has no privileges.
At the very least, this leaves IIS 5.x users vulnerable to data interception. And while the exploit hasnt been used to take over systems to date, that could well change, according to Swa Frantzen of the Internet Storm Center.
The ability to execute code is "unexplored, but hinted about," Frantzen wrote in a blog post on SANS Internet Storm Center security alert site.
The ISC has tracked public exploits that apparently focus on leaking protected information.
According to Microsoft, which has written up the issue in its Knowledge Base article 328832, hit-highlighting with Webhits.dll only relies on the Microsoft Windows NT ACL (Access Control List) configuration on 5.x versions.
Microsoft "strongly [recommends] that all users upgrade to IIS (Internet Information Services) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security," the company wrote in its KB article.
Microsoft is currently shipping IIS 6.0 of the Internet Information Services Server for Windows Server 2003. Microsoft is up to IIS 7.0 for Windows Vista and IIS 5.1 for Windows XP Professional.
 What are the security issues with Microsofts "Surface"? Click here to read more.
Yet, in spite of urging upgrading in order to gain improved security, Microsoft is treating the bug as a nonissue, providing no workaround nor indications that it will patch versions 5.0 and 5.1. "This behavior is by design," the KB article asserts.
Rather than supply a patch or workaround, Microsoft published six steps to reproduce the exploit—a response that is "a bit atypical," according to Frantzen. "Microsoft is telling the world how to exploit their products being used by their customers. Not that the worst of those interested in it did not already know, but the one thing we need from Microsoft is not the exploit, but the patch or at least a decent work-around," Frantzen wrote.
As it turns out, Microsoft told eWEEK on June 5, the publishing of exploit code on the KB article was a goof. "In working with the researcher to develop the KB article to better educate customers, we inadvertently included sample steps the researcher provided to us to highlight the risks of using the feature incorrectly that could be misused," a spokesperson said. "Once we learned of this issue, we immediately removed the information. … We are currently working to update the KB article to provide customers with the appropriate level of information to help protect themselves from this issue."
The issue is creaky with age, at any rate: Microsoft originally published Knowledge Base article 328832 in 2002 because a researcher approached the company to express concern about the implications of people misusing the IIS hit-highlighting feature.
The company still wont commit to a patch. The only defensive information Microsoft gives is to urge users to upgrade to 6.0—an upgrade thats neither free nor easy, Frantzen pointed out. He provided these possible workarounds:
- If you dont use the Web hits functionality, a simple workaround would be to remove the script mapping for .htw files. Without a script mapping, IIS should treat the file as static content.
- Try to use application-level firewalls (filters). If you have the infrastructure it can be a temporary measure till you can upgrade IIS, solving the actual problem.
- URLScan, a URL filter by Microsoft can be used to stop access to .htw files and is reported by some SANS-ISC readers as being effective.
- Manage rights on the confidential files or directories themselves.
- Upgrade to Apache or another Web server, with or without a (cross) upgrade of the OS.
- Scramble an upgrade to Windows 2003, potentially on more potent hardware.
Frantzen advised IIS 5.x users that failing to find "null.htw" in a document root directory doesnt mean much—the exploit doesnt need the file.
Editors Note: This story was updated to include input from Microsoft.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
|
|
�������x}v69y�Di�SnG&tvh)�S$l%w%�
�oYm;i$BPU(���?{{~��riɅ,d>
3L�Ahy.P|o%o�2t<�)C4ò|W�R�9�Ͱ�4���z=�z";���1�8R
�e0Ǔ4ޙ1=�ͩ:6|�q3�e��.EiѶu6b
^PkɁyG`n���%xH#"�5^�8�I$�w,S0e#��b0 �g?NUol�m�)HB$�!F�cDX߱[{軵w"�7��b0A!黖:?"CnBVD�Rd9zPo�+χ� /�L2r&bL{zF��_tC�g�L4H
�U�HIp[:t,=�<�k��c9�tNTZ \�S�tTTC⫶�9�\�I��?jbA6f���TB�p7R[8'��-W״|s�zl�]@vlcQV5 ¿
*߂CU�{֏̳'A.$Q,0"U���w]'�t|`<�nh�c"��3ˑ(zNwf0il#�5붦bUHR-_.RZ"{֝{2كC4gVo~w.dEEsv!��u7�Z}��m1xUUJ�sruO}~N�6n��� ��
�NTRߙ+0Q�&*ʥR>_&�|�Cx:~�Xs|\c~TwnFZ�I)y ٥RӒB-f3}��f�V҈�c�Y,ǝq%>[ڗu&u}Yf0\.+
C A)�tV?#;S3ժu|qӹluoz{MZOv�Y31���+?fV'_Zկ-?o!aj;A�1la0M�*bU3�~luOd�@��D&"~zֿ8'�=M�%�$>sؿ����$J@Ъn>�@|S7p6u2eT��h^�
;CiG7ۯ@BVnZPu��r���ƿf]=s���ɡ7[=RDp&�\� 9?��*>UnbEK7�+R;H
XR6���>(Ie"E]n8r.JR)!"x䎳34qA�.LJ��!=!��1&pH�Ky=bf>USg<8�Zo͉*]X^uejZL�E?jiA©w9qn?^[wսu5?acYb}Fƚ���څkYj7-��(騔Kt�?Z�9�Z�
JUY��1p�3ZDh"X��jXtR:�gtA�utةS{N�~�9ևm'#3�a
�>�
�>�zF�j$�>R7(Z��tu0Iձ3c)м3�tν`rg�oM�C?�F��c(�U�,/��{H_@Z�2.Hp�z)��E
8�ԙo@�>ȁ{0`sD;մԡiGx>�b<
Mbx��-WR�:;C/0t@Fa$�"D%� T
h��4�Af�0�E�ENA1wW+�.�\,q"��m':�Ν3Ňb�x$,�Rȧ\VKK@cfh(Ӕ0{~4md'l!'b�f�("7�(Vn)�CE*ÿR=bOEr�j~�#J4�~gx�8�L�3R�t0[�C˟�G/4- ŇFg˺|+fYWQE/�MX<�u�b[�&���L%��㵛Z{:K�_i��hHC�umz��9[�G��J1M̆ɭEj҆�T�F��9gm���"eQgӟ�TYZ�cXHJ9�Rk5>,0!.(".H _t��T�:aL0
Oanx'�As,\O�D
Xr�_l0TN�cߣ(a!��w1
Z�t:Aװ�Dؙ�\�kܧuQJ�hx-E�8��4Y_`.%�Vɡcͧڋİw^�v˦?�~3Gd>n #��[!B����D+ڇ`�L�ECMk�<՝tm\D_`��/�,Ǥ'I?ڀH{N��"LE(,frFe9 'æ#jI�Ӓ´g�9&�V�hPK1
"I�9MUϗ$J#_.ox�>YF�=3�$�h@Gc4e4f�M4_�0-8c��KD!/I�Oܧx]3�7TOc_��>��%H�I�F��R�7VD0plI�tl2Tt2�-�݂à�*LGd�'H\+�PJ\,
r\
=c>�1L)?�"5㻆�m�8�8�_�p˹�M?7�^oO?KՁqc�~�L}6݁�/�rΩ�,�|tqZI�L([v�'^+0v��
*UXLR_!�!=�4.Q9�fr���-ݛ96_$瑩?!'lƗ+�@LP[|\έ! p�E
�~0dݤ/Hɘ51V2"g{ �n�Ie[�S[3]W��� OQ�:$8{4��{3�e+
wڬ,pZ�^�u/
Ӳ*SHjH@A̚:y>z,L�``">kv=�Q�H+�}juZ�}�]\r5,#XKۇv1�E�
����z qKkh0(-j;[+pT�*g� ykhU!R_�*5= 7U_ �-ʖzgɲ��gQy�gfE-^M>�%XLϑS�w"J��İ\.[C5^�(�93F]-M:j6_:nM<��('\Vb_�,0ƹ!>
JSO�(Z7MJ|/E)~gQ�C.Bq�imh�e~�:Sfb;?%ߴspoF'�=
�iK-Y.)3R/ΐْ�tK37/XC�5܅.�ܒ(tם7/��F1uecfaJ3N9�`�{IO$#�
#�%ڭ(+,XT�%_�rYtn:0n�ɘُ鎶��A⭃db:iԧk\n5t�fag_j�{̝9P�0�L;�
�@+ b'P��0u�ڈs���S@
ʃ\<$g-�1�O.&+-JR9_-]QKSA��:��""!v].6
ws[��[^?qp�g5<91��C5؈��f7dz%qmr7A'�ً,`TA-A���E1 W�cyIT�v�jZ�qR4t�8䏽77V�N}ڽ�͋#TGZ`��~�:GX#0kueK\4?İ��-�:%�Ѹ�m&@*$pp}P#&ƸCO^ڈY�jZ�5+C[�~;o��7�2ۈlhXw/8%I}=^x5rl�Icx�/sg&HJ<|O/1Okw�tE�xW(k�LrEo%ǸvRt� `~<ɩ}AmF9˙�FҼ�6N+��7V��?|�%E�骺7GdbaG�ț�L]y;���pv0s�cd9G!!�R
BbOQ2ބ5�MJ]m]S-�SS[)N yuX0Ƞg=uBYY3=IY�#BI. 駠%M$�;�kBz+lAzW Ns��ݚ]ܥY�t.>\7�"�Z��M�TpHCR��Cs<���\}$Xy��#O�gJRZz-*$�?z�ڇ!q��wy~@0G�W刜jC=;r*We._w�gn!�K�CΑ%ؘ&$'JNP,,2�˞(eȔN��Hƭ��`@T6COځy:-3H�l#{Zڭ;�=D٥�~vك�dsxB%?_Ri8EDʡ�C�W}�k=KS~͇C~�;F�.0O2@����R�mB.p�.&q�\Yxf;��w~5+� =�pв+Ý1֘mlkTkurDa_:we�&vT}fbx�'��M96��rF"`60~�m!xp7 M���7m'n6ΊT6R��)gbJ]_@f)˄n�d��r]�ߪa[f'Fo6�C#
F�w"$ot%t?�|E��}�p:鮑�! ē�1��a�]^�s�60x�}g�TH���\k`{73Za4eԥ Gpč�m?;ˌL->UN|2/㆝A�>ɰb�Wbf�r�,h"*S2%U$Y/{�zu�,$��D(�E0V֑tJb�s��Sc��rHn܋ϣa&�hhhf9�x<>�L�D!E2``�\{�O�W=\dRJ1ѭJ__Q��6GK7t�"b@�5��*Ol"%�tru"Ko��{]/Jr5XI?>`ΖXf#TJTCޔ�U!ߥխxU�U1#Gi;4:�c a�8鄲��gcA�r(qKOM�( ߰?q@���{��0S�H�%该JH�B˗"dWmV6q_eA.�$�m7�
jUh?0�9-u.|Y`P.R�ۅI� ��8I�VDZixFݹRo˕J.P zw1Ɖ!(, F�`@�@j�/�C� 8@I�0n|�X:H�]l/ra;J"aUP�R-#�[կ/Ee.~.�/�jGӹo$6m�")�+�zbO!����S^V�MƳAlvWb�-�0@�<�^�QY_9OBZ(W�ὥ���;D5Pj6Ehȃ"S%lɉ�ŚM$)�8�}x�֙M(QrJN�0
#v-l�.ߖ^~i
tl����M�1xDyMgCIKg6,d1ͱU[fnӼ�ֹ$wlw�w�w�w�7+�evEC}�
?`�ǃx�]�z��`�O�,N1Z<1���W^ݲakecl_��ٸi�腧00`Y0q<��>��"! �� ��Δ7AƎ�7.Hy���G.kӿ�+�S ���eEE!
f�5{۶6=x)E(���4 L��yS-p\?+"F�Ƌ��D;MAa7Z$LJصEI�ı,�hO�BDmpio'{o;�gsxa�A(F[x}7� r8+ �^�#/Hv$Ec�,1ިm0�x�
3݁0��hpHx]rm�Zm
[+�`@vuMs�f�cI�H(K(
�-66R�6h0ZJx|) pW� h,wsd}?
3v�R�c{1VE~/mZ~#�fmfk
븪e%k}K�\"7{�Wv�@9b5O�3=�<��^�bxK�!C�DtϠ6x�l'׆w2]�A��m�%sPZT!5�l�kmX�%Eaq{Ou]@EY_Z\�[sg,�r;ؔJ�&:Oc;z7�58�-�@�fk֒��S$
kIH�}2�"*NhfV`32ݲaD�K%{�rpDzKG7��|=:v��!5�1} �',/^Ky�³�Ǟ-���/,`5-k1;�hO�٦�8ͯddEKb\�{j�
sTa,�CǠܮ�oRMU
O/&�ޝ
S�l/Q@@#@q"o�>cҡR9�,��.N ب��kNiNCT\B��ӐT�2C(:l[Hml��s�^��PAg.x��E��
�M).ء�?Dy7�m|z�#o�?%b&�-a�ud�{
3Gs:^A퇽�W�TsC��fK� Z��GM�t|���o�קc$�H|+$�gژ�V�P-IZ53�.t�]W�hm?��GXHt�xY0hv {HRMVha!�O��#HIA��w5t?Ciu~�r,x;~؋.",p[\f4�I=[��L�dD�y� z�yA
y!Fz�{�K/JW{$H�UVT�sr+� ,���["VJd��Y� �KJ�H�
]?�B�?��X
8m8%/-Iy10cXbS)sY4ʰKc&�JYʫ%�|�Zn�iE�]LQxy��[OpUKk̘xUq4�v�tL:�a�<5Tm�]�RU�BJ
�?Ϗ�|^�ԙn:ϫ�VDs="`U��zhUD#{�̴s5
ji<1E�3�z�Z<�hY'r"of0Tvo=r�6aA}���r'�Qk^��xi,�h-�aZ`Y'e~��2��:F�̹OMĀnl琯%)y(J!qݧ�"JA�yr�:r]c6߽JۭnkQ�Qҵ4�*A��0݈h.E9&[I{y
�>ڸY
xO3;<�KZyގMݚ+5injut)6A�96z_Be{θj9o n>%cev*MWljmڢ,�nR� ¨ӔAJL`�0LUT��m2h�Ds
Tq��/[ J}�9T[6ފj
wKzJ[RBGh9=Q+)T(YP&e
� )DŽ1R�MVmIr .�sh}�pǕz~#.K�JE��K�Y����46�g+mB5-�2�g7H��co«IVAW6�!�:{~^:,�ex@"?{|} d�>���Q>IG�hB�<['wzԥ7?=oN�8��YeiW7�el9Nh$�Zb s"uBf&"�d(�1�`�m��9'yo_C3<>wfMdC�c9ޛdhJC(4xpcTz!3�9cH�]XA�3�Bx70Gs.mh@^>!�&�uuc-l
�q\Q,�s0A2Z}eOJyH\n`?ކ1��lZވʛ!&���P1
d�U
{__{=*n%療)����5"L�GF3%H�=C�LDcrf舘bةCr�6�l
[3�ɇSsE�%�oP$P *vDecFar9��wq_~|7
B"H�("*�@�[�`g*�#��S�f
��Đ�͌$��y�E{3�9O`�:>�JwP0pw�\[E�8ԭ� ʼuthx��dj���,95,ɚMG$�,#[��Cg0&?za&ts
ƹTP��(T
IBsu�XRFB(6ng<+JHnLO[�|���{x��%1�_qTR1�� �<�30�L`,~k<�[ބfI+U�4r�ӄ^I+L^^�^@pA=#(�2g4T�B!PW$u4'};�1h^]&k$6}<\w%9nwo�ֵ�K4>N�w[OWO;e?851^�v>JUu+L�i.P^6/N�ؕS21\,bԖM70xixID_0}4��e8q'Q?B)e;s\VCT8(ӫS0L��7[vlVk.??BՉOt.3]r�;[Z8mzf�b
k�n<3eF�L�o��4SD^}'v�ԬT<<�v<ߐ�!7HmC5_O?i�67w!!�9>�4h7@S�|�?lGH>iu֧wZF!�l�3
g�2_z�?C�|��ekC\@/6�_l�@��\@/6�b�^�^lO
�6Aن@?6_@ņt
{ sA~..7_�n�AtAt7+
q�6�?=hoC{ކ�+>#
?mJ}оO@O�w�7ҁo6
�
��a8�
rּ)��bq_%�ʗA6�tCz�7賒���fڍ�~-4j�KL�_�6{ 9ȬL:W'Vr^-.9=Ð�e4W�i5�zifq]lƣ�_(��^ؤB~��<"A-gG6�+D.Эͧ'ވm]=�gy)Iy�=0?&Mu0Wvt+Jy.)ܢ�}:�s\̱9�;q�mm�tsl�E B:eaޜd֗l��|a68�NtgА1 }-,76��.7 V��t{r
�M$���.
�Fn�.��_v�Txu�Ӛ\OԷťhe?>/�άuEWf�5V,�JA�m!�5q}³2ى;٦فg:?����O�D4{T
�m
�C?�c
H7�zi�XK��u>O>^w�Ҿl��=RA]iPͩ8�(a$x
FZ
<�ROs��x0�"wmX�=]
PN�7pܣ17�?i<ʁ�4
$uqgCTP\r\,2�Ŀk$2t���3h�̈$J�w1 ط�
V)Ib�0�XN ���^;QHJvo�*K0+9�=q̐E���*1Voq+�B8&LC��szG̗0�Y5��@�KCt�c+x;B(�F0 ~vԞ=@i^jЫِD\ř�gxyjt3T�
��^Ėٵv"҂Yhpw�z:(e9tfiǝaƱr�@A;v��[h ��x�q~1mWZ
6 �rz\n2"&283�Mũ{z�H�.u5wtsT0=_nuB�'&̧F'�!�(!P$1`�
�p'/-3=$u1�/~}F'FK�=o�wқ`&<ÄLYZʣm�^#%:Bc M�}�Xo�`]_�����d�{PN�B!��.D/2>c'TfB
xF��m�$tp�;bt<�H(F� 9ao9RFX`n犲L߰�wh}r:WX
-Q<�~:t�6T#
��te�a*`<
R0B(�yEMl1\-U,l$9�=�NCh��WU��9
gKJ-i�w�cw[/AI!�[aȹD.vfAM=SY4�~ NGv��~5�BIπ���s6z��o
��۠Sã��S���%�N&b�_w^sTeEL 3t#�[E#Ҧ,iou Kn?��4�Ǻ���AZ+yJ>?�&T|ޭ�k�8mN����`t�ZD8�9f����A&{�_vDԧR*�FS��xSE�z�}ĵ���!M�0��y,�9z�n$ }'�_l2!⸇�ue}�nH>�Y֧j2Lp8�n�0�nH�ś(Zx�SyN?�Fu:h��Y W�96����-|��
0qGĶ6n�K->u¤"ZUXؕ%�(X_'A֎ik�{3G}�ŀp�c��*Ԯ��x[9�ߘ¸yg�ex���h�eX�" ��B�c|Lr%}�&\B��tl%Ng�3�Jܨ�� �D7=lTtO
,�%`Gi�U`+z#q-E�<]\x~{պ
u+e!N�(a��t!L?1?cu];nj�1uF.x]�hT[�pgUD'���3+�q�3aW_<̿G�FP1V)?&Il}Mh�B=aQ ���+��o=Љe�/�Z[8Ki#m.GD�I
qr.M-m��.�y+)!�;ڰ_p<����aL��;cJ
4�
o
#�wR�4W�VmAb�?�ܩʱLm`O}q4�ycMVKx1pwU9s,ulQ�oz;|:g`({B=�Ay4G~Q!�8ǧ\! @݄68�t.�@W6
�5ϸCi61Ĝbd�r0�"Й_ǀ�9�sw,��h|aF�|1G,kR�tEA�]D3ܚ>|��éoh�c9"�R�:�-x?A�~�-pe_�~fk80 ܂LkK=3-�8�.�&R1,`r�H(�s�@6p�E,5Tu�T]cmeȏuPb �*�x3(gER11#?�R4�. (�gkYl90>4R$D�?��p4�{?5}
'^3ؗ�,�\9��H+�j���l�ź}�t�m�f*2p�)H]<=,J�e1C9GT3��3�$�N�m++4HCQ�дEͼ�C2Z��^-�[72TV$�E[��(놥9ҡRZ9TMn�Tɨ?{
^{=1#k{4��}OkeP¬}�h�ɒ$Epp_o�\�*RmodZ@Dp'>OW�[?Y�k�ttf*ތ~ÉyxA\ Ҝx�]PE%�z?�8H|<ŧ�XC@+] V`E��Q
dIeMz'swq�}rN`|�
-P'�w±JSD�R.ev�
2HQ`o, ɗϵ�Z0�. 1GTG8[�&sD+ TfthxYJ�"-tL�.@\8~�9B Ё�1ơ*M%Ss�
?|�D{:mR�-ˬ�-��t�l)u#mpYjV# y\�~ZD��h�}nMZ#e:xtǏވ"3{�1 53�jBm$Ko9�eQe&o }u13,A
+apCe�qcWfX6i �C&}{9bVc|[�q�B�
mĄ.PQwsB>FDŽ�_�+׳=f�wٴ� ϒ
�u06/��W&ǖ3T,~"�A{%i: D=�|NėIJB�@�XxE|A��q�C7}N�zRG^w�Tnz1q0>
;�&4P9L'3z$C��qԭO;r=A'U7Eh�m��y/R��VTeTj�kJ-�H5�s\HD8v�;�6y&N5l0s:�K'���Lc숡6O�TCE9T\
|
Network Security & Hardware 
