Crackers can take full control of servers with the help of the IIS 5 security flaw
NEW hacker tools have already been developed to exploit a security hole Microsoft announced on June 19 in its web server software, Internet Information Services (IIS) 5.0, which leaves 6 million Internet sites around the world vulnerable to attacks.
These new tools, already widely circulated on mailing lists around the world, take advantage of a "huge" security hole in the IIS indexing component that potentially allows hackers to take complete control of a server.
Microsoft has already released a bulletin asking system administrators around the world to download and apply a patch available from the company's TechNet website. It said the flaw is present not only in its current Windows 2000 release but also in IIS running on Windows NT and the beta version of Windows XP.
According to Microsoft, if the patch is not applied soon, no "meaningful" defense could stop hackers from taking control of unpatched servers.
The flaw stems from ISAPI extensions--.dll files that extend the server software's functionality--that are installed with IIS. The file in question, idq.dll, is a component of Index Server (or the Indexing Service in Windows 2000) that supports Internet Data Queries (.idq files) and administrative scripts (.ida files). An advisory on the Microsoft website pointed out that the idq.dll file contains "an unchecked buffer in a section of code that handles input URLs."
It added that a malicious hacker could "conduct a buffer overrun attack and execute code on the web server" when the intruder establishes a web session with the attacked system.
"Idq.dll runs in the System context, so exploiting the vulnerability would give the attacker complete control of the server and allow him to take any desired action on it," the Microsoft advisory further said.
Such a buffer overrun can happen even before any indexing feature is requested, the advisory stressed. Because of this, even if the Index Server or Indexing Service is not running, a hacker can abuse the vulnerability and gain control of the server with ease. All that is needed is that a "script mapping" for .idq or .ida files be present and that the hacker be able to establish a web session.
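Because the exposure depends only on the .idq/.ida script mapping being reachable, an administrator can triage IIS logs for requests that hit those extensions and for unusually long query strings sent to them. The following is an added example, not code from Microsoft or the advisory; the log lines, paths and the length threshold are constructed assumptions.

```python
# Added example: triage IIS W3C extended logs for .ida/.idq requests.
# Field names are read from the log's own "#Fields:" directive.
MAX_QUERY_LEN = 200  # assumption: tune to what legitimate index queries look like
MAPPED_EXTENSIONS = (".ida", ".idq")

def scan_w3c_log(lines, max_query_len=MAX_QUERY_LEN):
    """Return one finding per request that reached an .ida/.idq script mapping."""
    fields, findings = [], []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed record; skip it
        rec = dict(zip(fields, values))
        stem = rec.get("cs-uri-stem", "")
        if not stem.lower().endswith(MAPPED_EXTENSIONS):
            continue
        query = rec.get("cs-uri-query", "-")
        qlen = 0 if query == "-" else len(query)  # "-" means no query string
        findings.append({
            "line": lineno,
            "client": rec.get("c-ip", "?"),
            "stem": stem,
            "query_len": qlen,
            "status": rec.get("sc-status", "?"),
            "oversized": qlen > max_query_len,
        })
    return findings

# Constructed sample log (documentation-range addresses, filler query data).
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-06-20 10:01:12 192.0.2.10 GET /index.html - 200",
    "2001-06-20 10:02:40 192.0.2.44 GET /search/query.idq CiRestriction=patch 200",
    "2001-06-20 10:03:05 198.51.100.7 GET /site/admin.ida " + "x" * 240 + " 500",
    "2001-06-20 10:03:09 198.51.100.7 GET /SITE/TEST.IDA - 404",
]

if __name__ == "__main__":
    for f in scan_w3c_log(SAMPLE_LOG):
        tag = "OVERSIZED" if f["oversized"] else "mapped"
        print(f"line {f['line']}: {f['client']} {f['stem']} "
              f"query_len={f['query_len']} status={f['status']} [{tag}]")
```

On a server that does not use indexing at all, any finding is worth a look, since it shows the script mapping is still reachable from the network.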
Microsoft emphasizes this is a "serious" vulnerability and urges systems administrators using IIS not to delay downloading and applying the patch, which is available at www.microsoft.com/downloads.
According to Microsoft, there are specific patches for Windows NT, Windows 2000 Professional, Server, and Advanced Server. The Windows 2000 Datacenter Server patch can be obtained from the original equipment manufacturer. The patch for Windows XP will be distributed together with its next beta release.