Subject: Re: Code-red worm (snicker snicker :-) )
To: Todd Gruhn's account <tgruhn2@mail.com>
From: Dave Huang <khym@azeotrope.org>
List: netbsd-users
Date: 08/02/2001 20:44:39
On Thu, 2 Aug 2001, Todd Gruhn's account wrote:
> OK. Why is the IIS allowed to run as root? And then again Micro-(mumble) does
> things differently. Maybe this makes a statement about the Micro-(mumble) way?
> BTW: Just how does code-red infect an NT system?

IIS doesn't run as root (or Administrator). Nothing code red does
requires particularly high privileges. It might deface your website, but
it doesn't do it by overwriting your files. It does it by taking over
the web server process and sending its canned message whenever any HTTP
request comes in--no privileges needed (other than taking over IIS in
the first place). It opens a socket (on a non-privileged port) and
connects out to other web servers. Again, no privileges needed. It is
entirely memory-resident. It does not need to write to the filesystem at
all, and it goes away when you reboot. (I suppose stopping and
restarting IIS would work just as well).

And it infects an NT system by taking advantage of a buffer overflow in
one of the IIS plugins that is enabled by default (the .ida handler).
Same kind of buffer overflow that's been found (and exploited) in many
Unix daemons.

Sure, MS is lame for shipping code with buffer overflow errors, and
enabling that code by default when most people don't need it. But
numerous Unix vendors have been lame in the exact same way.
-- 
Name: Dave Huang         |  Mammal, mammal / their names are called /
INet: khym@azeotrope.org |  they raise a paw / the bat, the cat /
FurryMUCK: Dahan         |  dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 25 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++
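As an added illustration (not part of Dave's post, and not code from any of the projects mentioned): the infection vector he describes is an overlong query string sent to the .ida ISAPI handler, so the worm's scanning is visible in any web server's access log, including Apache on a NetBSD box that cannot itself be infected. The Python below parses Apache common/combined log lines and flags requests to the .ida/.idq handler whose query is several hundred bytes long or carries %uXXXX-encoded bytes. The sample log lines are constructed for this example; the inclusion of .idq alongside .ida (both are served by the same Index Server DLL) and the 200-byte threshold are my choices, not something stated in the post.

```python
"""Flag Code Red-style probes of the IIS .ida handler in web server logs."""
import re
from typing import Dict, Iterable, List

# Apache common/combined log line: client, ident, user, [timestamp], "request", status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# The overflow was in the query string handed to the Index Server ISAPI
# extension, which IIS maps to .ida and .idq by default. A legitimate .ida
# query is short; the worm's probe carries a few hundred bytes of filler
# followed by %uXXXX-encoded code. Both the suffix list and the length
# threshold are choices made for this example, not values from the post.
HANDLER_SUFFIXES = (".ida", ".idq")
LONG_QUERY = 200
UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")


def is_ida_probe(target: str) -> bool:
    """True if the request target looks like an overflow attempt on the .ida handler."""
    path, _, query = target.partition("?")
    if not path.lower().endswith(HANDLER_SUFFIXES):
        return False
    return len(query) >= LONG_QUERY or UNICODE_ESCAPE.search(query) is not None


def find_ida_probes(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse log lines and return one record per probe; unparseable lines are skipped."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue
        target = m.group("target")
        if is_ida_probe(target):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "query_len": str(len(target.partition("?")[2])),
            })
    return hits


def count_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Tally probes per client: each source is an already-infected host scanning you."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample lines (not from a real server). The first two imitate the
# worm's probe: repeated filler characters then %u escapes. The others are
# benign, including a short, legitimate-looking .ida query and a line that
# does not parse at all.
SAMPLE_LOG_LINES = [
    '192.0.2.10 - - [02/Aug/2001:20:44:39 -0500] "GET /default.ida?'
    + "N" * 224 + '%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 276 "-" "-"',
    '198.51.100.7 - - [02/Aug/2001:21:03:11 -0500] "GET /default.ida?'
    + "X" * 224 + '%u9090%u6858=a HTTP/1.0" 404 276 "-" "-"',
    '203.0.113.5 - - [02/Aug/2001:21:05:00 -0500] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [02/Aug/2001:21:05:02 -0500] "GET /search.ida?q=netbsd HTTP/1.1" 404 276 "-" "Mozilla/4.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    probes = find_ida_probes(SAMPLE_LOG_LINES)
    for p in probes:
        print(f'{p["ts"]} {p["ip"]} .ida probe, query {p["query_len"]} bytes, status {p["status"]}')
    print("probes per source:", count_by_source(probes))
```

Note the 404 in the constructed lines: on a non-IIS server the request simply fails, so a match here tells you who is infected and scanning, not that you are. On an IIS host, check the same pattern with a 200 status and, as the post says, restart IIS (or reboot) after disabling the .ida mapping, since the worm lives only in the server process's memory.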