A computer security company warned on Wednesday that it discovered a new automated tool for exploiting the recently publicized WebDAV vulnerability affecting Microsoft Corp.'s Windows NT and 2000 operating systems.
The availability of an automated attack tool on the Internet may pave the way for a new worm that could take advantage of unpatched systems, raising the stakes for those organizations that have not applied Microsoft's patch, according to a statement from Citadel Security Software Inc.
Microsoft originally disclosed the vulnerability when it released a patch for the problem in March.
WebDAV is a set of extensions to HTTP (Hypertext Transfer Protocol) that allows users to edit and manage files on remote Web servers. The protocol is designed to create interoperable, collaborative applications that facilitate geographically-dispersed "virtual" software development teams.
An unchecked buffer in a core Windows component, ntdll.dll, could enable an attacker to cause a buffer overflow on the machine running IIS, according to the Microsoft Security bulletin MS03-007. (See http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp.)
The vulnerability allows attackers to mount a denial of service (DoS) attack against Windows 2000 machines or execute their own malicious code in the security context of the Internet Information Server (IIS) service, giving them unfettered access to the vulnerable system, Microsoft said.
At the time the bulletin was released, Microsoft and Internet Security Systems Inc. were aware of at least one attack against a Microsoft customer that used the heretofore unknown WebDAV vulnerability, though no automated tools to take advantage of the vulnerability existed.
With the help of an automated tool, even technically unsophisticated attackers, or "script kiddies," could launch such attacks on a wide scale, according to Chris Wysopal, director of research and development at @stake Inc. in Cambridge, Massachusetts.
Such automated tools often appear soon after new vulnerabilities and exploits become known within the malicious hacking community, following a progression from simple 'proof of concept' exploits to more sophisticated attacks and then to automated attacks, Wysopal said.
Automated tools often build on the work of others, adding functionality for automatically scanning ranges of Internet addresses for vulnerable hosts and graphical user interfaces that make it easy to compromise large numbers of vulnerable machines, even with no understanding of how the exploits work, according to Wysopal.
"Once you get to that point, (automated tools) can be turned into a worm. That's the point where it's at now," he said.
The WebDAV vulnerability tool uncovered by Citadel uses a command line interface rather than a graphical interface, but comes with detailed instructions that describe the command syntax necessary to compromise vulnerable machines, according to Kerry Steele, director of vulnerability research and remediation at Dallas, Texas-based Citadel.
"This is an automated tool that anyone including your grandma could use to attack machines on the Internet," Steele said. The tool is currently circulating online within "the underground security community," according to Steele.
The transition from automated tool to worm could be short, with the "guts" of the automated tool married to code that enables the attack to reproduce itself independent of the attacker, Wysopal said.
"There's enough code circulating out there that any moderately competent programmer could put together a worm," he said. "It's knitting at this point. You know what to do, it just takes a certain amount of time to do it."
Steele agreed, saying it would take an experienced computer hacker only a matter of hours to join the self replication code from the SQL Slammer worm to the automated WebDAV exploit tool his company uncovered, producing a powerful worm.
That, coupled with a critical and remotely executable vulnerability on public-facing Web servers poses a significant threat for organizations that haven't patched vulnerable Windows servers, according to Wysopal.
Attacks could come in the form of malformed WebDAV requests to a machine running IIS version 5.0. Because WebDAV requests typically use the same port as other Web traffic (Port 80), attackers would only need to be able to establish a connection with the Web server to exploit the vulnerability, Microsoft said.
While organizations affected by the Slammer worm could simply block port 1434, which was used by the worm, those affected by the WebDAV vulnerability could not shut down the port used in an attack without cutting off access to their Web page, Steele said.
Also on Wednesday, Microsoft provided an updated patch for the WebDAV vulnerability that covers Windows NT 4.0.
The Redmond, Washington, company knew in March that the vulnerable ntdll.dll component existed in NT 4.0 in addition to Windows 2000. However, NT 4.0 does not support WebDAV and was not vulnerable to attack, so no patch for that platform was supplied at that time, Microsoft said.
Despite that and the absence of any attacks against NT 4.0 machines using the ntdll.dll vulnerability, Microsoft felt that patching NT 4.0 was a priority, according to Stephen Toulouse, security program manager at Microsoft's Security Response Center.
"What we were trying to communicate in the (updated) bulletin was that even though the WebDAV vector was not present in NT 4.0, the vulnerability is still available," Toulouse said.
Attackers could well find other ways than the WebDAV extensions to exploit the ntdll.dll vulnerability, Toulouse said.
Citadel, Microsoft and others strongly recommend that customers using IIS version 5.0 on Windows 2000 or Windows NT apply the patch at the earliest possible opportunity.