The Remote Execution Vulnerability of IIS Reoccurred: Watch out for the New Codered
Security Research and Emergency Response Center of Antiy Labs
Release: 00:37, April 16, 2015
Latest version: 08:10, April 16, 2015
Introduction to the vulnerability
Microsoft patched multiple vulnerabilities in April 2015, affecting Windows, Office, IE, IIS and other products; the number of patches is higher than average. After reviewing the related patch information, the Security Research and Emergency Response Center of Antiy Labs believes that several Office and IE vulnerabilities may be related to ongoing attacks, and that the IIS remote code execution vulnerability MS15-034 deserves particular attention.
IIS (Internet Information Services) is the web server software provided by Microsoft. It provides HTTP, HTTPS and FTP services, supports web scripting with ASP and JSP, and is very widely deployed.
According to the severity rating of MS15-034 and related statements, an attacker can execute code on the host with the privileges of the IIS service. The flaw lies in the handling of a specially constructed HTTP request by the HTTP.SYS driver, and code can then be executed in the context of the System account. The affected versions include:
• Windows 7 (most editions do not install IIS by default)
• Windows Server 2008 R2
• Windows 8
• Windows 8.1
• Windows Server 2012
• Windows Server 2012 R2
Analysis of the risk impact
Antiy CERT reminds users: because web services are exposed by nature, vulnerable hosts can be found easily by large-scale scanning. For skilled attackers, the IP distribution of existing web systems, including the type and version of the corresponding web server, is an already available resource. Different attack groups will therefore locate large numbers of targets rapidly, and many servers are now at risk.
Exploit code that can blue-screen the server has already appeared. As of 24:00 on April 15, 2015, however, the ShadowHunter honeynet of Antiy Labs and other sources had not captured any effective privilege-gaining attacks; we have observed that scans against port 80 have increased. This does not mean that such attacks, or large-scale attacks, will not occur in the future. Owing to time constraints, we have not yet tested whether the DEP and ASLR mechanisms currently provide effective protection.
IIS vulnerabilities have been criticized by the industry for a long time. There were several vulnerabilities in its early days, such as ASP source code disclosure, which exposed backend databases to related risks. Among the early vulnerabilities, it was the overflow vulnerability exploited by Codered in 2001 that had the greatest impact. Codered had the following characteristics: in-memory propagation, multi-threaded scanning and the installation of a CMD backdoor, and it penetrated almost every security protection; the CMD backdoor it left behind triggered a chain of disasters.
There may be large numbers of penetration attacks; at the same time, a worm propagation threat similar to the Codered method may also appear. More attacks, such as website defacement and hidden (black) links, may follow.
After Microsoft strengthened memory security protection, severe IIS vulnerabilities were effectively brought under control. Various rumors put the price of an IIS 0-day at around millions. This also shows that once a remote code execution vulnerability appears, the threat is very severe.
Antiy reminds all network administrators to restart the server after applying the patch provided by Microsoft; otherwise the system remains vulnerable. Antiy Labs does not develop hotfixes, but we know that several friendly vendors are producing temporary patches, so users who cannot shut down may consult them. In addition, some Windows Server systems are not used as web servers but have IIS installed by default. This may be a blind spot for network administrators, so they should scan and check the relevant server ports within the networks they manage.
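As an added illustration that is not part of Antiy's advisory, the following PowerShell check (our example, not Antiy's or Microsoft's tooling) lets an administrator verify on each Windows host whether KB3042553 is installed, whether a restart is still pending, and which listeners are registered with HTTP.SYS, so that servers with IIS installed by default are not overlooked. It assumes an elevated Windows PowerShell session on the audited host.

```powershell
# Added exposure check for MS15-034 (not from the Antiy advisory). Assumes it runs in an
# elevated Windows PowerShell session on the host being audited (Windows 7 / 2008 R2 and later).
$kb = 'KB3042553'   # patch from the advisory: https://support.microsoft.com/zh-cn/kb/3042553

# 1. Is the patch installed?
$patched = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

# 2. Is IIS present? W3SVC is the World Wide Web Publishing Service, an HTTP.SYS consumer.
$w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue

# 3. Is the HTTP.SYS kernel driver running? Get-WmiObject is used because the listed
#    systems may only have PowerShell 2.0 (no Get-CimInstance).
$httpDrv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='HTTP'"

# 4. Which URL namespaces are registered with HTTP.SYS? Components other than IIS
#    (for example WinRM) also listen through the driver.
$urls = netsh http show servicestate | Select-String -Pattern '^\s*HTTPS?://'

# 5. Has the reboot required after patching been completed? Windows records pending
#    reboots in these registry keys; the advisory stresses that a restart is required.
$rebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
                 (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')

Write-Host ("{0} installed          : {1}" -f $kb, $patched)
Write-Host ("IIS (W3SVC) present        : {0}" -f [bool]$w3svc)
if ($w3svc) { Write-Host ("IIS (W3SVC) status         : {0}" -f $w3svc.Status) }
Write-Host ("HTTP.SYS driver state      : {0}" -f $(if ($httpDrv) { $httpDrv.State } else { 'not found' }))
Write-Host ("Reboot still pending       : {0}" -f $rebootPending)
Write-Host "HTTP.SYS registered URLs:"
$urls | ForEach-Object { Write-Host ("    " + $_.Line.Trim()) }

# Overall verdict: any HTTP.SYS listener on an unpatched (or not-yet-rebooted) host is exposed.
if ($urls -and (-not $patched -or $rebootPending)) {
    Write-Warning "Host exposes HTTP.SYS listeners and is not fully patched for MS15-034."
} elseif ($urls) {
    Write-Host "HTTP.SYS listeners present; patch installed and no reboot pending."
} else {
    Write-Host "No HTTP.SYS URLs registered; the driver is not reachable from the network on this host."
}
```

Run it across the servers in scope (for example through Invoke-Command) and follow up on any host that reports registered URLs together with a missing patch or a pending reboot.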
Antiy CERT will continue to follow the development of related incidents and keep the public informed.
Appendix 1: References and patch number
From Microsoft website: https://technet.microsoft.com/zh-CN/library/security/ms15-034.aspx
Official download address of the patch: https://support.microsoft.com/zh-cn/kb/3042553
Appendix 2: About Antiy Labs
Antiy Labs is a professional R&D enterprise for next-generation security detection engines. Antiy's engines provide the ability to detect various viruses and malware for network security products and mobile devices, and are used by more than ten well-known security vendors. Antiy's engines are embedded in tens of thousands of firewalls and tens of millions of mobile phones all over the world. Antiy Labs was awarded the "Best Protection" prize by AV-TEST in 2013. Based on its engines, sandboxes and backend systems, Antiy Labs will continue to provide traffic-based anti-APT solutions for enterprises.