Hacker exploits Microsoft server flaw

Just days after Microsoft released a patch for a dangerous security hole in IIS 5.0, a hacker releases a program to circumvent it
Written by ZDNet Staff, Contributor

A hacker has announced that time's up for system administrators who haven't patched Windows 2000 Web servers vulnerable to a flaw revealed by Microsoft two days ago.

The hacker -- using the handle "Dark Spyrit" -- released a program on Wednesday night designed to exploit the security hole and give anyone with limited technical knowledge the ability to completely control a Windows 2000 server running version 5 of Microsoft's Internet Information Server (IIS) Web software.

While not a point-and-click program, the code -- dubbed "jill.c" -- could result in a new rash of attacks, especially this week, when online hooliganism has risen between US-allied and China-allied vandals.

But Marc Maiffret, chief hacking officer for eEye Digital Security -- the company that found the original flaw and reported it to Microsoft -- said the code could prove a bit difficult for many online vandals.

"The code requires one more step than a lot of scripts, but it is not a hard step," he said. Maiffret analyzed the so-called exploit code submitted by Dark Spyrit and believes the design could help it fool many firewalls by essentially masquerading as a Web server.

Most Web servers use a specific connection, or "port," to send data to a browser. Because Web traffic is generally considered necessary for most companies, the data is rarely blocked by a firewall.

"Most firewall rules are not too specific about what port a Web site can connect to," Maiffret said.

Microsoft acknowledged Tuesday that a flaw in the Internet printing module included with Windows 2000 could allow an attacker to break into servers that use the company's IIS 5.0 Web software. The vulnerability affects only servers that have Internet printing turned on, the default setting with the software.

By sending a specially formatted string of characters, an attacker can make the printing module give the remote user full access to the Web server. The "jill.c" code published by the hacker automates the process and returns a system command prompt to the attacker.

The creation of the exploit code for the flaw came as no surprise to Microsoft. "Customers who have applied the patch don't have to worry," the company said in a statement. "Customers who haven't applied the patch should take this as a reminder to do so immediately."
