Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FYI: The Microsoft France incident: IIS 6.0 bug or not? How it happened...



http://www.zone-h.org/content/view/4770/31/

The Microsoft France incident: IIS 6.0 bug or not? How it happened...
and why
Written by R. Preatoni - D. Werner   
Tuesday, 20 June 2006

After yesterday's incident where a Microsoft France website was hacked
and defaced by a Turkish cracker going by the handle of TIThack, Zone-H
investigated a bit and contacted the cracker and asked him to detail the
intrusion methodology [the cracker originally reported a generic "web
server intrusion"].

So, are we looking at a new win2k3 / IIS 6.0 0day exploit here?

The attacker revealed that he exploited a .net script 0day vulnerability
after discovering that expert.microsoft.fr had installed and was running
a vulnerable .net nuke script.

This hole allowed the attacker to gain the same rights as the script,
and that was enough to upload an FSO script, a kind of shell used by
the attacker to create a new folder and upload the defacement.

When asked what his motivation was, the cracker indicated that he was
frustrated at a Microsoft XP upgrade that broke his system and hence was
looking for revenge.

Whose fault is this? Clearly it is Microsoft's, who should have explicit
rules about what software is allowed to be installed on corporate
assets, especially on mission-critical Internet-facing servers.
Obviously checks and balances across the corporate enterprise were not
in effect here and we are sure this will result in a full audit of
Microsoft's worldwide Internet presence.

While this attack is not the feared 0day IIS 6.0 attack, we cannot rule
out that the large increase in win2k3 / iis6 attacks is due to an as yet
unknown vector. Zone-H has always stressed that the most secure systems
can be compromised because of unauthorised installation of non-approved
software and web applications.




 




Copyright © Lexa Software, 1996-2009.