May 3, 2001 1:00 PM PDT
Hacker exploits Microsoft server flaw
The hacker--using the handle "Dark Spyrit"--released a program Wednesday night designed to exploit the security hole and give anyone with limited technical knowledge the ability to completely control a Windows 2000 server running version 5 of Microsoft's Internet Information Server (IIS) Web software.
While not a point-and-click program, the code--dubbed "jill.c"--could result in a new rash of attacks, especially this week, when online hooliganism has risen between U.S.-allied and China-allied vandals.
But Marc Maiffret, chief hacking officer for eEye Digital Security--the company that found the original flaw and reported it to Microsoft--said the code could prove a bit difficult for many online vandals.
"The code requires one more step than a lot of scripts, but it is not a hard step," he said. Maiffret analyzed the so-called exploit code submitted by Dark Spyrit and believes the design could help it fool many firewalls by essentially masquerading as a Web server.
Most Web servers use a specific connection, or "port," to send data to a browser. Because Web traffic is generally considered necessary for most companies, the data is rarely blocked by a firewall.
"Most firewall rules are not too specific about what port a Web site can connect to," Maiffret said.
Microsoft acknowledged Tuesday that a flaw in the Internet printing module included with Windows 2000 could allow an attacker to break into servers that use the company's IIS 5.0 Web software. The vulnerability affects only servers that have Internet printing turned on, the default setting with the software.
By sending a specially formatted string of characters, a remote user can make the printing module grant full access to the Web server. The "jill.c" code published by the hacker automates the process and returns a system command prompt to the attacker.
The creation of the exploit code for the flaw came as no surprise to Microsoft. "Customers who have applied the patch don't have to worry," the company said in a statement. "Customers who haven't applied the patch should take this as a reminder to do so immediately."