This latest vulnerability allows an attacker running as a guest to escalate his or her privileges on the Web server system and gain full control of the system. The hacker can then take malicious actions, such as gaining access to confidential data, adding users, or crashing the system.
Entercept's solution: A shielding technology that prevents exploits even when the vulnerability hasn't yet been identified.
An attacker taking advantage of the latest IIS exploit would enter the system as a GUEST user (one who has the rights to execute code on the system) and then elevate his or her privileges. The attacker can then run arbitrary code on the machine with SYSTEM privileges. Usually, by using certain well-known attacks, the attacker can upload the exploit to the IIS virtual directory and remotely execute it.
Alternatively, anyone with a valid user name and password can log into the system, upload the exploit file into the IIS virtual tree, and execute it.
IIS supports three different modes of process isolation. These modes control how well the IIS process is isolated from the processes being invoked as part of the request processing. Due to a weakness in IIS, several DLL files are always executed at the least secure isolation level regardless of the actual process isolation settings. By adding or replacing one of these DLLs with a malicious version, an attacker can run arbitrary code with SYSTEM privileges.
Entercept this week simulated the vulnerability in its Entercept Knowledge Acquisition Team labs and worked closely with Microsoft's security group on this issue.
Entercept offers a shielding technology solution that prevents replacing or writing any files into the virtual tree. Therefore, the attempt to replace the DLL fails, preventing attacks even when the specific vulnerability is unknown.
The shielding technology blocks this attack without needing any specific signature. The company also claims the shielding was able to prevent the attack long before the exploit was made public.
For a solution to this specific vulnerability, Microsoft has created a patch for MS01-044 that can be downloaded at http://www.microsoft.com/technet/security/bulletin/MS01-044.asp.
Entercept strongly recommends against ever granting an untrusted user the ability to put CGI scripts or other executable content onto a Web server. If a server administrator has not observed this fairly basic precaution, the server is in grave danger, even in the absence of this vulnerability, according to Entercept.
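The shielding rule described above ("no writes or replacements into the virtual tree") and the closing recommendation (no executable content from untrusted users) can both be expressed as a simple policy check over file-write events. The following is an added example written for this article; it is not Entercept's product code. The virtual-tree roots, the trusted principals, the file names and the sample events are all constructed assumptions; the DLL name in the traversal event is a placeholder, not one of the DLLs the article refers to.

```python
"""Added example (not Entercept's code): a policy check that mimics the
shielding rule "no writes into the IIS virtual tree", run over constructed
file-write events. Roots, principals, paths and events are assumptions."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Assumed virtual tree: the web root plus a scripts virtual directory (constructed).
VIRTUAL_TREE = (r"C:\Inetpub\wwwroot", r"C:\Inetpub\scripts")

# Extensions IIS executes rather than serves as static content; a write of one of
# these into the tree is the DLL-replacement case the article describes.
EXECUTABLE_EXTS = {".dll", ".exe", ".asp", ".cgi", ".pl", ".bat", ".cmd"}

# Only these principals may deploy content (assumption: administrators and SYSTEM).
TRUSTED_PRINCIPALS = {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM"}


@dataclass(frozen=True)
class WriteEvent:
    user: str    # principal performing the write
    path: str    # target path as logged
    action: str  # "create" or "replace"


def _normalize(path: str) -> str:
    # Collapse "." / ".." and fold case so traversal and mixed case compare equal.
    return ntpath.normcase(ntpath.normpath(path))


def in_virtual_tree(path: str, roots=VIRTUAL_TREE) -> bool:
    """True if the normalized path lies inside any of the virtual-tree roots."""
    p = _normalize(path)
    for root in roots:
        r = _normalize(root)
        if p == r or p.startswith(r + ntpath.sep):
            return True
    return False


def is_executable_content(path: str) -> bool:
    return ntpath.splitext(path)[1].lower() in EXECUTABLE_EXTS


def classify(event: WriteEvent) -> str:
    """'allow': trusted principal, or target outside the tree.
    'block': untrusted write into the tree (the shielding rule).
    'block-critical': untrusted write/replace of executable content in the tree."""
    if event.user in TRUSTED_PRINCIPALS or not in_virtual_tree(event.path):
        return "allow"
    if is_executable_content(event.path):
        return "block-critical"
    return "block"


# Constructed sample events, as a file-system auditing hook might report them.
SAMPLE_EVENTS = [
    WriteEvent(r"WEBSRV\Guest", r"C:\Inetpub\wwwroot\upload\evil.dll", "create"),
    # Traversal out of wwwroot into the scripts directory; "handler.dll" is a placeholder name.
    WriteEvent(r"WEBSRV\Guest", r"C:\Inetpub\wwwroot\..\scripts\handler.dll", "replace"),
    WriteEvent(r"WEBSRV\Guest", r"c:\inetpub\WWWROOT\notes.txt", "create"),
    WriteEvent(r"WEBSRV\Guest", r"C:\Temp\report.dll", "create"),
    WriteEvent(r"BUILTIN\Administrators", r"C:\Inetpub\scripts\app.dll", "replace"),
]


def audit(events=SAMPLE_EVENTS):
    """Return (event, verdict) pairs for every event."""
    return [(e, classify(e)) for e in events]


if __name__ == "__main__":
    for e, verdict in audit():
        print(f"{verdict:15} {e.user:25} {e.action:8} {e.path}")
```

The path check normalizes with `ntpath` on purpose: a guest writing to `wwwroot\..\scripts\handler.dll` must be judged by where the file actually lands, and a mixed-case path must not slip past a string comparison. Writes by untrusted principals are refused anywhere in the tree, not only for executable extensions, which matches the shielding behaviour described above and is also why the rule holds without a signature for the specific DLLs involved.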