DoubleClick Admits Servers Were Hacked

DoubleClick confirmed Monday that two of its web sites have been penetrated
by attackers. The ad-serving giant said no customer data has been accessed
or affected by the intrusions, but security experts questioned whether the
company was understating the impact of the incident.


According to DoubleClick’s chief privacy officer Jules Polonetsky,
unidentified attackers exploited a vulnerability in Microsoft’s Internet
Information Server 4 (IIS4) web server on March 19th to place a back-door
program on the company’s corporate web server at www.doubleclick.net. But
the attackers were unable to execute the file, which would have given them
system-administrator control of the web server, because the folder it was in
did not have script access.


In addition, the attackers used a separate bug in IIS4 to view files on
another server, abacusonline.doubleclick.net. Among the files they accessed
was the source code of an active server page that contained a username and
password. According to Polonetsky, the server is a development machine which
doesn’t host live customer data, and the login data would only have enabled
a user to view the source code to the ASP page.


Patches which closed the security holes were released by Microsoft last
year. Polonetsky said DoubleClick was moving swiftly to shore up its
corporate systems, and has not yet contacted law enforcement about the
incident.


“These two sites both have these patches implemented to ensure that
type of intrusion, although unsuccessful, wouldn’t be able to occur again.
And we are continually assessing the security issues that face any of the
other servers we have out on the Internet,” said Polonetsky.


CUSTOMER DATA SAFE?


The vulnerabilities in DoubleClick’s network were first discovered by a French hacking information site,
Kitetoa.com, and published last week in the online version of the technology
magazine Transfert.


Using a well-known security bug in the Unicode feature of IIS, Kitetoa was
able to view a non-public directory on the doubleclick.net server and
discovered the existence of a file called eeyehack.exe. That program was
written in 1999 by security software maker eEye Digital Security to
demonstrate a buffer overflow flaw it discovered in IIS 4.0.
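As an added example (not from the article, and not code from DoubleClick, Kitetoa or eEye), the check a defender would run over IIS4 logs to spot requests that abuse the Unicode bug the article mentions: it flags the overlong UTF-8 byte pairs that are never valid in a URL and any request path that decodes to a `..` segment. The log lines are constructed in the W3C extended format, the field names are the standard IIS ones, and the client addresses come from a documentation range; none of it is real DoubleClick traffic.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote_to_bytes

# Constructed sample in IIS W3C extended log format (not real traffic;
# 203.0.113.0/24 is a documentation address range).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-03-19 02:14:07 203.0.113.5 GET /index.asp - 200
2001-03-19 02:14:12 203.0.113.5 GET /scripts/..%c0%af../private/notes.txt - 200
2001-03-19 02:14:30 203.0.113.5 GET /docs/v1..v2.html - 200
2001-03-19 02:14:41 203.0.113.5 GET /images/%2e%2e/%2e%2e/config/site.asp - 404
2001-03-19 02:15:02 203.0.113.9 GET /legal/disclaimer.asp - 200
"""

# 0xC0 and 0xC1 can never be the lead byte of a valid UTF-8 sequence, so a
# %c0 or %c1 followed by a continuation byte (%80-%bf) is an overlong encoding.
# A strict decoder rejects it; the vulnerable IIS decoded it only after its
# path check had run, which is what let a '..' slip past.
OVERLONG_LEAD = re.compile(r"%c[01]%[89ab][0-9a-f]", re.IGNORECASE)
# A '..' path segment in the decoded bytes (plain or %2e-encoded).
TRAVERSAL_SEGMENT = re.compile(rb"(?:^|[/\\])\.\.(?:[/\\]|$)")


def is_suspicious_uri(uri: str) -> bool:
    """True if the path carries an overlong UTF-8 pair or decodes to a '..' segment."""
    if OVERLONG_LEAD.search(uri):
        return True
    return TRAVERSAL_SEGMENT.search(unquote_to_bytes(uri)) is not None


def scan_iis_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client ip, uri) for every request that looks like traversal."""
    hits = []
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the directive line
            continue
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        if fields is None or len(cols) != len(fields):
            continue  # malformed line: skip rather than misparse
        rec = dict(zip(fields, cols))
        uri = rec["cs-uri-stem"]
        if rec.get("cs-uri-query", "-") != "-":
            uri += "?" + rec["cs-uri-query"]
        if is_suspicious_uri(uri):
            hits.append((rec["date"] + " " + rec["time"], rec["c-ip"], uri))
    return hits


if __name__ == "__main__":
    for when, ip, uri in scan_iis_log(SAMPLE_LOG):
        print(f"{when} {ip} traversal attempt: {uri}")
```

Both checks are needed: the overlong pair in the second sample line never decodes to a clean `../`, so a detector that only looks at decoded paths misses it, while the `%2e%2e` form in the fourth line carries no overlong bytes and is only caught after decoding. The `v1..v2.html` line shows why the decoded check insists on a whole `..` segment rather than any two dots.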


According to Marc Maiffret, chief hacking officer at eEye, the existence of
the program and a secondary file, eeyerulez.asp, suggests the intruders were
able to gain IUSR_MACHINE privileges on the DoubleClick server.


“What we know for sure was that the exploit did work enough to upload files
to the server and execute commands as the IUSR account. Typically on a
default NT4 installation, IUSR has permission to do as it pleases to the
hard drive, so they could have been reading different databases or reading
data depending on how DoubleClick set it up,” said Maiffret.


Although DoubleClick insists that the back-door program failed to execute
properly because it was in a folder that lacked permission to run ASP
scripts, Maiffret notes that other folders on the server, such as the one
hosting the company’s legal disclaimers, are set up to use such scripts, and
an astute attacker could have transferred the back-door files to that folder
and run them successfully.


Security experts also challenged DoubleClick’s assertion that the damages to
its Abacus Online site were minimal. Ollie Whitehouse was part of a team
which discovered the Malformed Hit-Highlighting Argument Vulnerability that
enabled Kitetoa to view ASP files on the Abacus server.


“We see a lot of people embedding usernames and passwords in the source code
with the misunderstanding that external users are not going to be able to
review their source code. And typically the passwords you see embedded in
ASP pages are for connecting to back-end databases or systems of some kind,
and are never used purely for viewing the ASP page,” said Whitehouse,
currently the managing security architect with security consulting firm
@Stake.
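As an added example (not the article’s code, nor @Stake’s or DoubleClick’s), a small scanner for the problem Whitehouse describes: credentials embedded in ASP source that become readable the moment a source-disclosure bug lets a visitor see the page as text. It matches ADO/ODBC connection-string keys and VBScript names that suggest a password, and reports the line and key name without echoing the secret itself. Both ASP fragments are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed ASP fragments (not DoubleClick's code). The first keeps the
# password in a constant and concatenates it into the connection string; the
# second writes the whole DSN inline.
SAMPLE_ASP = """\
<%
Const DB_PASSWORD = "letmein"
Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=dbhost;Initial Catalog=abacus;User ID=webapp;Password=" & DB_PASSWORD
Response.Write "<p>Legal disclaimer</p>"
%>
"""

SAMPLE_ASP_INLINE = """\
<%
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "DSN=abacus;UID=sa;PWD=s3cret"
%>
"""

# Connection-string keys that carry a credential: key=value pairs separated by ';'.
CONN_KEY = re.compile(r"\b(pwd|password|uid|user id|user)\s*=\s*([^;\"']+)", re.IGNORECASE)
# VBScript assignment of a quoted literal to a name that looks like a secret.
VB_ASSIGN = re.compile(r"\b(\w*(?:pass|pwd|secret)\w*)\s*=\s*\"([^\"]+)\"", re.IGNORECASE)


def find_embedded_credentials(source: str) -> List[Tuple[int, str]]:
    """Return (line number, key or variable name) for each embedded credential.

    The secret value is deliberately not returned, so a report of the findings
    does not itself become a second copy of the password.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CONN_KEY.finditer(line):
            findings.append((lineno, m.group(1).lower()))
        for m in VB_ASSIGN.finditer(line):
            findings.append((lineno, m.group(1)))
    return findings


if __name__ == "__main__":
    for name, src in (("login.asp", SAMPLE_ASP), ("report.asp", SAMPLE_ASP_INLINE)):
        for lineno, key in find_embedded_credentials(src):
            print(f"{name}:{lineno}: credential in source ({key})")
```

In the first fragment the connection string itself only yields the user id, because the password is spliced in from `DB_PASSWORD`; the constant is what the second pattern catches, and it is just as exposed to a reader of the source. The fix Whitehouse’s point implies is to move such values out of the page entirely (a DSN or configuration the web server reads but does not serve) and to treat any credential that has been visible in served source as compromised.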


OTHER SYSTEMS VULNERABLE?


The compromised DoubleClick servers are among at least 25 DoubleClick systems running Microsoft Windows NT4,
including machines used by advertisers to manage their accounts. While
Microsoft’s Windows 2000 operating system and IIS5 web server are not
vulnerable to the three exploits that afflicted DoubleClick, Whitehouse of
@Stake said many Internet sites have not made the move to Windows 2000.


“IIS4 by itself poses a lot more security vulnerabilities than IIS5, but
people that invested in large NT4 infrastructures are not able to convert
overnight,” said Whitehouse. He said that companies must nonetheless keep up
with the latest NT4 service packs, and noted that DoubleClick appears to be
at least one full service pack behind.


Last August, Kitetoa discovered that software maker Bull Groupe’s web site
had left exposed an internal sales and marketing database containing
confidential customer information.


In an email interview with InternetNews.com, Kitetoa suggested that the
attackers might have planted password sniffers on the compromised servers or
used them to traverse to other DoubleClick systems.


But Polonetsky insisted that DoubleClick’s customers are not at risk.


“We’re confident we have appropriate security measures firmly in place in
any areas where customer or production equipment is in place, and we’ve
moved to make sure these two external systems have appropriate measures as
well.”
