New Exploit Allows Compromise of SSL Servers

A new remote SSL exploit tool has been released that allows an attacker to gain system access on unpatched Microsoft secure servers. The exploit, which targets the PCT vulnerability (MS04-011) detailed in a security update last week, could allow attackers to gain complete control of servers handling credit card and banking data for online transactions.

The code, published Wednesday by The Hacker's Choice web site, has already been downloaded more than 2,200 times. "This particular exploit, now that it's moved to root access, has a very high likelihood of someone writing a new worm (or as the current trend is, patch one of the current worms or bots) to take advantage of this one," the SANS Institute warned. "Be sure to install the MS04-011 Security Update or be prepared to rebuild the IIS server later."

More than 132,000 web-facing SSL servers are running either Windows 2000 or Windows NT4, according to our March Secure Server Survey, representing nearly 45 percent of all SSL servers. The PCT and SSL 2.0 protocols targeted by the exploit are enabled by default in Win2K and NT4. As we noted last week, many SSL sites have a poor track record applying patches for known security holes, including those enabling a system compromise.

An earlier exploit, known as SSL Bomb, allowed attackers to launch a denial-of-service attack against SSL sites.