List:       isn
Subject:    [ISN] DoubleClick Admits Servers Were Hacked
From:       InfoSec News <isn () C4I ! ORG>
Date:       2001-03-27 2:48:16
http://www.internetnews.com/wd-news/article/0,,10_723761,00.html

By Brian McWilliams
March 26, 2001

DoubleClick confirmed Monday that two of its web sites have been
penetrated by attackers. The ad-serving giant said no customer data
has been accessed or affected by the intrusions, but security experts
questioned whether the company was understating the impact of the
incident.

According to DoubleClick's chief privacy officer Jules Polonetsky,
unidentified attackers exploited a vulnerability in Microsoft's
Internet Information Server IIS4 web server on March 19th to place a
back-door program on the company's corporate web server at
www.doubleclick.net. But the attackers were unable to execute the
file, which would have given them system-administrator control of the
web server, because the folder it was in did not have script access.

In addition, the attackers used a separate bug in IIS4 to view files
on another server, abacusonline.doubleclick.net. Among the files they
accessed was the source code of an active server page that contained a
username and password. According to Polonetsky, the server is a
development machine which doesn't host live customer data, and the
login data would only have enabled a user to view the source code to
the ASP page.

Patches which closed the security holes were released by Microsoft
last year. Polonetsky said DoubleClick was moving swiftly to shore up
its corporate systems, and has not yet contacted law enforcement about
the incident.

"These two sites both have these patches implemented to ensure that
type of intrusion, although unsuccessful, wouldn't be able to occur
again. And we are continually assessing the security issues that face
any of the other servers we have out on the Internet," said
Polonetsky.

CUSTOMER DATA SAFE?

The vulnerabilities in DoubleClick's network were first discovered by
a French hacking information site, Kitetoa.com, and published last
week in the online version of the technology magazine Transfert.

Using a well-known security bug in the Unicode feature of IIS, Kitetoa
was able to view a non-public directory on the doubleclick.net server
and discovered the existence of a file called eeyehack.exe. That
program was written in 1999 by security software maker eEye Digital
Security to demonstrate a buffer overflow flaw it discovered in IIS
4.0.

According to Marc Maiffret, chief hacking officer at eEye, the
existence of the program and a secondary file, eeyerulez.asp, suggests
the intruders were able to gain IUSR_MACHINE privileges on the
DoubleClick server.

"What we know for sure was that the exploit did work enough to upload
files to the server and execute commands as the IUSR account.
Typically on a default NT4 installation, IUSR has permission to do as
it pleases to the hard drive, so they could have been reading
different databases or reading data depending on how DoubleClick set
it up," said Maiffret.

Although DoubleClick insists that the back-door program failed to
execute properly because it was in a folder that lacked permission to
run ASP scripts, Maiffret notes that other folders on the server, such
as the one hosting the company's legal disclaimers, are set up to use
such scripts, and an astute attacker could have transferred the
back-door files to that folder and run them successfully.

Security experts also challenged DoubleClick's assertion that the
damages to its Abacus Online site were minimal. Ollie Whitehouse was
part of a team which discovered the Malformed Hit-Highlighting
Argument Vulnerability that enabled Kitetoa to view ASP files on the
Abacus server.

"We see a lot of people embedding usernames and passwords in the
source code with the misunderstanding that external users are not
going to be able to review their source code. And typically the
passwords you see embedded in ASP pages are for connecting to back-end
databases or systems of some kind, and are never used purely for
viewing the ASP page," said Whitehouse, currently the managing
security architect with security consulting firm @Stake.
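Whitehouse's point is that a source-disclosure bug turns every credential embedded in a page into a leaked credential, because the ASP source was never meant to leave the server. The following is an added example, not code from the article or from any of the companies it mentions: a small Python scanner that walks classic ASP source and flags the two shapes of embedded secret the quote describes, a connection-string key such as Password= or User ID=, and a script variable with a secret-like name assigned a string literal. The sample page it scans is constructed for this example; the regexes are a starting heuristic, not an exhaustive grammar.

```python
import re
from typing import List, Tuple

# Constructed sample of a classic ASP page with a hard-coded connection
# string and a hard-coded admin password. Illustrative only; this is not
# any real site's code.
SAMPLE_ASP = """<%
Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=dbserver;User ID=webapp;Password=S3cretPass;"
Dim adminPwd
adminPwd = "letmein"
Dim title
title = "Product catalogue"
%>"""

# Shape 1: key=value pairs inside an ADO/ODBC connection string.
CONN_STRING_KEY = re.compile(r'(?i)\b(password|pwd|user id|uid)\s*=\s*([^;"\']+)')

# Shape 2: a variable whose name suggests a secret, assigned a string literal.
SECRET_ASSIGN = re.compile(r'(?i)\b(\w*(?:pass|pwd|secret|apikey)\w*)\s*=\s*"([^"]*)"')


def find_embedded_credentials(source: str) -> List[Tuple[int, str, str]]:
    """Scan ASP source text and return one (line_number, kind, key) tuple per
    credential-looking literal. The secret values themselves are deliberately
    not returned, so findings can be logged without re-leaking the secret."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in CONN_STRING_KEY.finditer(line):
            findings.append((lineno, "connection-string", m.group(1).lower()))
        for m in SECRET_ASSIGN.finditer(line):
            findings.append((lineno, "variable", m.group(1).lower()))
    return findings


def summarize(findings: List[Tuple[int, str, str]]) -> str:
    """Human-readable report: one line per finding, no secret values."""
    if not findings:
        return "no embedded credentials found"
    return "\n".join(
        f"line {lineno}: {kind} credential ({key})" for lineno, kind, key in findings
    )


if __name__ == "__main__":
    print(summarize(find_embedded_credentials(SAMPLE_ASP)))
```

Run it against a checkout of the web root rather than a single string to get the same report per file; a finding means the credential should move out of the page (into a configuration store the web server process can read but never serves) and be rotated, since any past source-disclosure bug has to be assumed to have exposed it.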

OTHER SYSTEMS VULNERABLE?

The compromised DoubleClick servers are among at least 25 DoubleClick
systems running Microsoft Windows NT4, including machines used by
advertisers to manage their accounts. While Microsoft's Windows 2000
operating system and IIS5 web server are not vulnerable to the three
exploits that afflicted DoubleClick, Whitehouse of @Stake said many
Internet sites have not made the move to Windows 2000.

"IIS4 by itself poses a lot more security vulnerabilities than IIS5,
but people that invested in large NT4 infrastructures are not able to
convert overnight," said Whitehouse. He said that companies must
nonetheless keep up with the latest NT4 service packs, and noted that
DoubleClick appears to be at least one full service pack behind.

Last August, Kitetoa discovered that software maker Bull Groupe's web
site had left exposed an internal sales and marketing database
containing confidential customer information.

In an email interview with InternetNews.com, Kitetoa suggested that
the attackers might have planted password sniffers on the compromised
servers or used them to traverse to other DoubleClick systems.

But Polonetsky insisted that DoubleClick's customers are not at risk.

"We're confident we have appropriate security measures firmly in place
in any areas where customer or production equipment is in place, and
we've moved to make sure these two external systems have appropriate
measures as well."

ISN is hosted by SecurityFocus.com