Security provider Secarma is warning of a new vulnerability on the scale of WannaCry called ExplodingCan. The company says that it believes around 375,000 systems worldwide that are running Windows Server 2003 are vulnerable to this exploit. What is worrying is that this is not a new exploit. ExplodingCan was first identified as part of a data dump from hacking group Shadow Brokers earlier this year. What Secarma is saying is that it has now effectively proven it can be weaponised.
What is ExplodingCan
ExplodingCan exploits a vulnerability in Microsoft Internet Information Services v6 (IIS6) webservers. To be effective, the webservers must also have the WebDAV protocol enabled for use. WebDAV allows users to create, change and move documents on a server. ExplodingCan uses a common attack technique called buffer overflow. By sending too much data to the PROPFIND function in WebDAV the attacker can then execute any code they want on the server.
Secarma also looked to see if there were signs this vulnerability had been weaponised. Given that it was first identified back in April that didn’t take long. It discovered a Metasploit module was available for ExplodingCan. This means that the code to use this attack is there for anyone to use and even adapt to add an attack of their own choice.
Proving that this is real not theoretical
Secarma set out to see if this was a valid attack. Researchers at Secarma set up a Windows Server 2003, applied ALL the available Microsoft patches and turned on IIS6 and WebDAV. They then took the Metasploit module and applied that to the server. It worked first time meaning that this is a serious attack waiting to happen.
By taking the Metasploit code, a Secarma researcher was able to convert it into standard python and add a new payload. This means that there is plenty of opportunity for hackers to do the same.
There is a caveat to all of this that Secarma calls out. To make this effective it has to be run against every directory that WebDAV is enabled on. That means being able to enumerate the entire directory tree to discover directory names. More importantly for attackers, they would have to do this on every affected server in order to be effective. This is no trivial task and one that would have to be done carefully to avoid triggering event alerts to administrators. However, it is possible.
The danger of hoarding exploits
Once again this shows the danger of exploits that have been discovered and not reported to vendors. In this case the exploit came from tools purported to have been stolen by the NSA. Like an increasing number of governments and security vendors, they have hoarded exploits. There has to be a better relationship between security researchers and vendors.
We have seen that governments and companies are unable to keep these exploits secure. Perhaps a stop-gap solution would be to legally require them to provide all details to vendors when a breach happens. This would be similar to the requirements when companies lose personal data. While it wouldn’t remove the threat completely, it would, at least, provide an opportunity to lessen the impact of an attack.
What does this mean for companies?
For those still running Windows Server 2003 the question is why? Microsoft withdrew support for it a while back. There is no reason for any enterprise to still be running an unsupported operating system. More importantly, cyber insurance is unlikely to pay out should such as machine be the cause of a claim.
It also shows how easy it is for hackers to take tools that have previously been released and reuse them. The fact that the Secarma researcher was able to create more resilient code and add their own payload shows how easy this is to do. There is the caveat about of knowing which directories to attack but that is not insurmountable.
IT departments need to start dealing with this problem now. Those that claim they don’t know what is running need to take this as a wake-up call. Not only should they know in order to meet their legal licence requirements they have an obligation to the business. There is also a role for cloud and other providers to inform customers of the risk they are running. Where customers ignore the risk those providers should consider what actions they need to take to protect other customers using the same infrastructure.
One of the common reasons for still running legacy operating systems is that businesses still use legacy applications that only run on them. Business need to reconsider whether this strategy is acceptable. IT leaders should highlight the wider risk of a security attack should that legacy system become compromised. Budgets need setting aside to replace or upgrade those systems.
Will this lead to the next WannaCry debacle as Secarma claim? Who knows. It’s certainly a start point but it will require more effort than WannaCry did.