David M Williams
Thursday, 16 July 2009 19:09
Despite Windows Server 2008 and IIS 7.0 having been out for some time, this flaw was only discovered relatively recently.
This particular flaw has the effect that WebDAV authentication can be bypassed. That is significant because WebDAV is an HTTP extension that allows files on a remote server to be uploaded and managed.
WebDAV is used by Microsoft Exchange 2003 for Outlook Web Access and by Microsoft SharePoint. It is also used by Visual Studio .NET to publish web sites from a development machine to a web host.
CERT's note explains that the impact of this weakness is that a remote attacker may be able to bypass access restrictions and list, download, upload and modify protected files. Such an upload could quite conceivably be a modified home page carrying a custom message.
At the time CERT filed its note there was no known solution besides simply disabling WebDAV. Microsoft has since released a fix, just last month.
The simplest way for customers to obtain this fix, Microsoft says, is to ensure automatic updating takes place. But it is uncommon, and certainly not good practice, for production servers to have any form of automatic updating, because of the potential for negative ramifications in an environment that must perform reliably and remain in a known state. You certainly don't want to be rebooting, and incurring downtime, merely on the whim of an obscure update.
Of course, the burden then falls on systems administrators to keep abreast of security updates, to evaluate them and to schedule deployment and maintenance windows. In practice, it is unlikely that a patch issued last month would be installed in production this month.
Indeed, as the host used by the RAAF is running Windows Server 2003 (and not 2008), it stands to reason that the server's environment is a conservative one.
As with most things on the Internet, it is not hard to find working code to determine whether a server is vulnerable to this particular flaw, and how to exploit it.
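The check a practitioner would want before anything else is the precondition: is WebDAV still reachable on the host at all? That is what CERT's only mitigation (disabling WebDAV) removes, and it is a question any administrator can answer against their own servers without touching exploit code. The script below is an added illustration, not code from the original article, from CERT or from Microsoft. It sends an HTTP OPTIONS request and reads the DAV, Allow and MS-Author-Via response headers that a WebDAV-enabled server, IIS included, advertises. The sample responses embedded in it are constructed for the example, not captured from any real host, and the function names are the example's own. Note what it does not do: it reports whether WebDAV is exposed, not whether the authentication-bypass flaw itself is present, which depends on the patch level.

```python
"""Check whether a web host exposes WebDAV over HTTP.

Added example for this article, not the author's or Microsoft's code.
It sends OPTIONS and inspects the DAV, Allow and MS-Author-Via headers;
it reports WebDAV exposure, not whether the bypass flaw is unpatched.
"""
import http.client
import sys
from typing import Dict, Tuple

# HTTP methods that only a WebDAV-enabled server advertises in Allow.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}


def parse_response_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Parse the status line and headers of a raw HTTP response head.

    Header names are lower-cased; repeated headers are joined with commas,
    which is the rule RFC 7230 gives for list-valued fields such as Allow.
    """
    lines = raw.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":
            break  # blank line terminates the head
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return status, headers


def webdav_exposed(headers: Dict[str, str]) -> bool:
    """Return True when the response headers show WebDAV is enabled."""
    if "dav" in headers:  # RFC 4918 compliance class, e.g. "1, 2"
        return True
    allow = {m.strip().upper() for m in headers.get("allow", "").split(",")}
    if allow & WEBDAV_METHODS:
        return True
    # IIS additionally advertises authoring support via MS-Author-Via.
    return "DAV" in headers.get("ms-author-via", "").upper()


def probe(host: str, port: int = 80, path: str = "/",
          timeout: float = 5.0) -> Tuple[int, bool]:
    """Send OPTIONS to a live host and return (status, webdav_exposed)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path,
                     headers={"Host": host, "User-Agent": "webdav-check"})
        resp = conn.getresponse()
        headers: Dict[str, str] = {}
        for name, value in resp.getheaders():
            key = name.lower()
            headers[key] = f"{headers[key]}, {value}" if key in headers else value
        return resp.status, webdav_exposed(headers)
    finally:
        conn.close()


# Constructed sample responses (not captured from any real server) so the
# parsing and decision logic can be exercised offline.
SAMPLE_WEBDAV_ON = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "MS-Author-Via: DAV\r\n"
    "DAV: 1, 2\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
    "MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_WEBDAV_OFF = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Only run this against hosts you are authorised to test.
        code, exposed = probe(sys.argv[1])
        print(f"{sys.argv[1]}: HTTP {code}, WebDAV "
              f"{'exposed' if exposed else 'not advertised'}")
    else:
        for label, raw in (("on", SAMPLE_WEBDAV_ON), ("off", SAMPLE_WEBDAV_OFF)):
            print(label, webdav_exposed(parse_response_head(raw)[1]))
```

Run it with a host name to probe a server you administer, or with no arguments to see the decision on the two constructed responses. A server that still advertises WebDAV after the fix has been installed is not thereby vulnerable, so treat a positive result as "this host is in scope for the patch", not as a finding in itself; conversely, a host that no longer advertises it has applied the only mitigation that was available before the fix shipped.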
This may not have been Dwivedi's method; there are many other known vulnerabilities in Windows Server 2003 and in IIS 6.
Alternatively, Dwivedi may have gained access through the illegitimate use of legitimate means: it is possible that he obtained a valid login and a means of connecting, and simply used them.
While Dwivedi is Indian, it is not known whether he lives in India or Australia. His reason for targeting the RAAF may not have been any specific belief that the RAAF itself ought to carry his message, but rather an existing relationship with the site in some way, including through staff or contractors involved with the DoD, the web host or any external web designers.
Still, however he did it, Dwivedi did it, and unless he or the DoD speak, all we can do is surmise. It is most definitely not magic though: the above is a plausible scenario, or something very like it, beginning just as we did by effortlessly determining the platform the site sits on.