How did Atul Dwivedi hack the RAAF web site this week?


Indian techie, Atul Dwivedi, defaced the Royal Australian Air Force website this week, posting a message on the front page as a warning to Prime Minister Kevin Rudd. How did he do it?

Between Monday and Tuesday the RAAF website was modified to include a message saying:

This site has been hacked by Atul Dwivedi. This is a warning message to the Australian government. Immediately take all measures to stop racist attacks against Indian students in Australia or else I will pawn [sic] all your cyber properties like this one.

Once discovered, the Department of Defence (DoD) took the entire site down, replacing it with a simple page explaining there had been “technical difficulties.”

The Department has been quick to point out that no sensitive information has been compromised because the public-facing web site is hosted externally and has no connection to any operational DoD systems.

The DoD is conducting an investigation into the incident and is refusing to comment on the technical aspects. Yet, maybe we can work this out ourselves.

The RAAF website has been restored, and viewing the page source reveals immediately that it is a .NET site, with internal links pointing to .aspx pages.

Sure enough, Netcraft’s uptime record shows that the RAAF web site is running on a Microsoft Windows Server 2003 and Internet Information Services (IIS) 6.0 platform, hosted by Net Logistics – an Australian web hosting company that provides both Linux and Windows environments.

The most immediate thought is that Dwivedi achieved his hack by exploiting a known vulnerability in either Windows Server 2003 or IIS 6.

Each month Microsoft has a bumper “patch Tuesday” on which new security and bug fixes are issued. It happened again just this Tuesday, providing patches for nine vulnerabilities in Windows, Office, Virtual PC and Virtual Server. The security holes that relate to the Windows operating system have the potential to allow complete control of a system.

However, none of these could have been the exploit that Atul Dwivedi used, because they require specifically crafted malicious files to be opened. That is, they would affect a computer on which a user is interactively opening files, which is not usually the case for a hosted web server.

This means that the flaw Dwivedi exploited is either one that does not yet have a solution, or one that has a patch available but which has not been applied on the server.

One such possibility is described by CERT in note VU#787932, which explains that Microsoft IIS 6.0 is vulnerable to a flaw when Unicode tokens are embedded in a URI.
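The CERT note concerns request URIs carrying malformed Unicode tokens. As an added example (not from the article, the RAAF or the DoD), here is a defender-side scan of constructed IIS-style log lines that flags percent-encoded overlong UTF-8 sequences, the form of token such advisories describe; the log layout, the sample paths and the use of this check for triage are assumptions.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (date time method uri status); not real RAAF logs.
SAMPLE_LOG = """\
2009-07-15 10:01:02 GET /news/default.aspx 200
2009-07-15 10:01:09 GET /%c0%afsecure/admin.aspx 200
2009-07-15 10:02:11 PROPFIND /uploads/%e0%80%afhidden/ 207
2009-07-15 10:03:30 GET /images/logo.png 200
"""

def overlong_utf8_sequences(raw: bytes):
    """Return the overlong UTF-8 sequences found in raw bytes.
    A sequence is overlong when its lead byte promises more continuation
    bytes than the encoded code point needs (e.g. C0 AF for '/')."""
    found, i, n = [], 0, len(raw)
    while i < n:
        b = raw[i]
        if 0xC0 <= b <= 0xDF:
            length, minval = 2, 0x80
        elif 0xE0 <= b <= 0xEF:
            length, minval = 3, 0x800
        elif 0xF0 <= b <= 0xF7:
            length, minval = 4, 0x10000
        else:
            i += 1            # ASCII or stray byte: nothing to decode
            continue
        seq = raw[i:i + length]
        if len(seq) == length and all(0x80 <= c <= 0xBF for c in seq[1:]):
            cp = b & (0xFF >> (length + 1))      # payload bits of lead byte
            for c in seq[1:]:
                cp = (cp << 6) | (c & 0x3F)      # append 6 bits per trailer
            if cp < minval:                      # shorter encoding existed
                found.append(seq)
            i += length
        else:
            i += 1
    return found

def suspicious_requests(log_text: str):
    """Return (uri, hex sequences) for log lines whose URI decodes to
    overlong UTF-8, i.e. the malformed Unicode tokens worth triaging."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        seqs = overlong_utf8_sequences(unquote_to_bytes(parts[3]))
        if seqs:
            hits.append((parts[3], [s.hex() for s in seqs]))
    return hits
```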
