Less than 24 hours after the publication of a severe, system-level security
flaw in Microsoft's IIS 5.0, source code to a program that exploits the hole and
gives a remote user full control of a vulnerable server has been posted online.
Jill.c, a 167-line program written in the C language, was authored by a
grey-hat hacker in New Zealand who uses the nickname Dark Spyrit. Using the
compiled code against a default installation of Microsoft's popular web
server, an attacker merely needs to type in the name of a remote system and
a port number, and in a matter of seconds can gain complete control of the
machine.
The code, which was distributed on a Windows 2000 security mailing list
Wednesday afternoon, exploits a vulnerability discovered by security
software firm eEye Digital Security and published Tuesday.
Jill.c causes a buffer overflow in a component called msw3prt.dll, also
known as the .printer ISAPI filter, which gives the operating system
support for the Internet Printing Protocol. Jill.c then overwrites the
instruction pointer with a location in memory that jumps to the program's
exploit code, which provides the user a command prompt on the remote web
server.
The exploit is not yet in widespread circulation, but security experts say
it will quickly become a popular attack tool for web site defacers and more
malicious computer criminals.
"Once it's up on one of the lists, it gets into the underground archives. I
think it will be a long-standing member of the arsenal used against IIS 5
boxes. Right now it's certainly the tool of choice because of its ability
to give you a command prompt," said Russ Cooper, surgeon general of TruSecure Corp.
In an email interview with InternetNews.com Wednesday, Dark Spyrit said he
released Jill.c to encourage system administrators to apply the patch
released by Microsoft on Tuesday.
But the hacker, who has done consulting work for eEye and COVERT Labs in
recent years, said there were other motivations besides "full disclosure"
for publishing the exploit: "To be honest - I wanted to get my name back
out, show off a few techniques - and well.. hmm.. chicks dig it?"
Cooper, however, believes that even the innocuous sample exploit released
by eEye with its advisory may do more harm than good.
"This was not necessary to put fire under the butts of anybody. Every
alerting mechanism on the planet has been invoked. So I think there's a
naivete when people think they need to do a proof of concept to convince
others that this is serious," said Cooper.
Despite the advisories from Microsoft, CERT, NIPC, and others, Cooper
predicted that system administrators will be slow to apply the patch.