On April 21 a member of the Full Disclosure mailing list posted a message that revealed the existence of a new tool that can be used to exploit IIS servers. By targeting unpatched IIS servers using the SSL protocol an attacker can cause the server to open a port that allows remote access to the system.
The vulnerability, which is discussed in the Common Vulnerabilities and Exposures (CVE) database (CAN-2003-0719) pertains to the Private Communications Transport (PCT) protocol. There are buffer overrun conditions in Microsoft's SSL implementation that could be used to execute arbitrary code.
Microsoft issued a patch for the problem, MS04-011, which users are strongly urged to apply as soon as possible to avoid intrusion. If your system has already been compromised then strongly consider a need to rebuild the entire server.
I have seen an exploit that takes advantage of this hole, but have not had the chance to test it. I will not dislose the website where I found it, but I will say that it is easily compiled with MS Visual C++.
Register
