PR20010501-2

May 1, 2001 - eEye™ Digital Security Announces Major Vulnerability in Microsoft® Windows 2000 IIS 5.0 Web Server Software

Security Vulnerability Gives Attackers Full Control Over Any Web Server Running Microsoft Windows® 2000 with Internet Information Services (IIS) 5.0

(ALISO VIEJO, CA.) – eEye Digital Security announces the discovery of a major security vulnerability in Microsoft Windows 2000 IIS 5.0 Web Server software. The vulnerability is within the code that handles Internet Printing, which is implemented as an ISAPI filter. The Internet Printing ISAPI filter does not do proper "bounds checking" on user-supplied buffers and therefore is susceptible to buffer overflow attacks. Attackers who leverage the vulnerability can gain full access to any server that is running a default installation of Windows 2000 and using Microsoft’s Internet Information Services Web Server software. Therefore, such an attacker can gain control over the server and take any desired action, including installing and running programs; manipulating Web server databases; adding, changing or deleting files and Web pages; or taking other actions.

The vulnerability impacts servers running IIS 5.0 with Microsoft Windows 2000 Server, Windows 2000 Advanced Server and Windows 2000 Datacenter Server. Because Microsoft software is so widely used on Web servers worldwide, this vulnerability potentially impacts millions of servers and leaves thousands of companies and organizations totally exposed to network intrusion, operational disruption and exposure of proprietary client data.

"This is a very, very serious vulnerability that should be treated with the utmost urgency and priority by network administrators globally," said Marc Maiffret, Chief Hacking Officer at eEye Digital Security. "Administrators should refer immediately to the advisory and patch being released by Microsoft today."

eEye alerted Microsoft's security team immediately upon discovery of the vulnerability and has worked closely with Microsoft on the development of a patch and on promptly alerting administrators worldwide to the issue.

In discovering the vulnerability, eEye has also developed an "exploit" that leverages the ISAPI vulnerability. This exploit is a piece of computer code that would be used by an attacker to compromise the server under assault and was developed by eEye to prove that the vulnerability exists and is very serious.

"The exploit we developed can be pointed at any Windows 2000 IIS 5.0 Web server and within a matter of a few seconds we will have complete SYSTEM level access (command prompt) to that machine, at which point we are able to execute any commands we wish," said Maiffret. "We have shared the exploit with Microsoft to demonstrate the seriousness of our finding. eEye has decided not to release the exploit to the general public given the potential abuse by malicious individuals.

"After working closely with Microsoft to help them create a patch for this vulnerability, we were assured and we are confident that Microsoft will do everything within its power to help get the word out on this most serious vulnerability."

eEye discovered the vulnerability while conducting its ongoing research of new network security vulnerabilities. eEye conducts this research in support of the overall security of global networks as well as in support of its product development efforts. In particular, the vulnerability was discovered when the eEye team was developing and testing two of its products that rely on the discovery of such vulnerabilities. These products are Retina™, a vulnerability assessment scanner; and SecureIIS™ Web, an application firewall designed specifically for IIS Web server to stop both known and unknown attacks.

"When we discovered the IIS vulnerability, we found that SecureIIS Web would have successfully blocked attempts to compromise our Web servers using the ISAPI exploit even before we had known about the existence of that vulnerability," said Maiffret.

About eEye Digital Security

eEye Digital Security is the security software and services division of eCompany, Inc. eEye Digital Security (www.eEye.com) is a leading developer of high-end network security products and a contributor to the furthering of network security research and education. eEye products include Retina™ the Network Security Scanner, SecureIIS™, the Application Firewall for IIS Web Server, and Iris™ the Network Traffic Analyzer. The company was founded in 1998 and is currently staffed by some of the world's leading systems engineers, software engineers, and security consultants dedicated to uncovering network security vulnerabilities. eEye is based in Southern California at One Columbia, Aliso Viejo CA 92656. The company has sales and support offices in Geneva, London and Madrid. www.eEye.com.


CONTACT:
United States
Carly Goodwin
eEye Digital Security
+1 949 349 9062 x109
carly@eEye.com

Europe
Tony Brookes
eEye Digital Security
+41 22 819 1713
tbrookes@eEye.com

from http://www.eeye.com/html/press/PR20010501-2.html

Copyright © 1998-2001 eEye Digital Security