IIS logging issue (update)

From: me@ONESEMICOLON.CJB.NET
Date: 11/23/01


Message-ID:  <200111230158.fAN1wF518745@mail.cjb.net>
Date:         Thu, 22 Nov 2001 18:58:15 -0700
From: me@ONESEMICOLON.CJB.NET
Subject:      IIS logging issue (update)
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Hi,

I would like to offer extra information as I received some emails with questions and/or remarks.

Konstantin Belkin (kbelkin@yahoo.com) and dumbwabbit (dumbwabbit@yahoo.com) wrote that this becomes a non-issue when using Microsoft's URLScan, as it has a rule that covers this issue.

After Jurjen Oskam's (jurjen@quadpro.stupendous.org) original post we exchanged emails and he came up with the following solution, a solution which would make me a happy camper if it was implemented, for the IIS logging problem:

beginning of excerpt:
I've been thinking about this some more, after a little conversation with
another NTBugtraq subscriber. Given that:

1) You want to log what is actually sent to your server, including binary
   data and/or control characters
2) You want your log to be reliable, i.e. you want to be certain that
   what is in your log is not fake.

The problem is that it is possible to insert "fake" newlines in the log
from the outside. This is what your advisory (correctly) stated. Given that
it is possible to insert fake lines in the log,
you at least want to *know* which lines are fake and which lines are real.

The solution is simple: let the server start each *real* line
with a "secret" that is only known internally to the server. This way, the
"fake" line will immediately be identifiable by an administrator when he/she
reads the log (with whatever text reader/editor) because the "secret" is
missing or wrong in the faked line.

The secret could be a line number, for example. This way, there's *no way* a
line could be undetectably inserted from the outside. Even when the
attacker knows exactly which line-number his fake line would get (*highly*
unlikely), the server would log the line after the fake line with the same
number.

Crude example:

22-11-2001 09:34:45 [223] GET /real/request/1
22-11-2001 09:34:45 [224] GET /real/request/2
22-11-2001 09:34:46 [225] GET /real/request/3
22-11-2001 09:34:46 [226] GET /real/request/4
22-11-2001 09:34:47 [227] GET /fake/request/with/control/character/in/it
22-11-2001 09:34:47 [227] GET /this/line/is/faked
22-11-2001 09:34:53 [228] GET /real/request/5
22-11-2001 09:34:53 [229] GET /real/request/6
22-11-2001 09:34:54 [230] GET /real/request/7
22-11-2001 09:34:57 [231] GET /real/request/8
22-11-2001 09:34:57 [231] GET /real/request/9

Note that the attacker has no way to make his fake line be
indistinguishable from a real line: the administrator can tell because of
the double line number. Some extra thought is required though, because now
you can't be sure whether it's the first 227 or the second 227 that's fake.
It could be that 226 contained the control character and the first 227 is
fake while the second 227 is real. However, this is only an issue when the
attacker knows *exactly* which line number to use. On even a moderately
busy server, this probably is a small enough risk.

Also note that it's *still* possible to insert control characters into the
log that will be interpreted by some log-viewers or text editors. You have
to view your logs with a program that won't interpret anything but newlines
or returns. If you don't, an attacker could for example insert backspace
characters and you, as the admin, might be fooled by the program you use to
view your logs.
end of excerpt.

I also received an email asking me if it was possible to remove log entries through the use of a backspace character. So far I was unable to make that work.

I received multiple emails informing me that IIS does not only log time in Greenwich time and that it will for example take the time of the local server. To clarify this: when you take the default settings in IIS after a normal install of IIS 5.0 on Win2K I was able to verify that the DEFAULT uses Greenwich time. You CAN change the logging settings easily to different kinds of logging types and the fields you wish to use with them. I hope that is clear enough for everyone who may have had questions about that.

1;
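The excerpt above describes a detection scheme, not an implementation, so here is an added example (my own code, not part of the original post or of IIS) of the audit an administrator would run over a log written in the excerpt's "crude example" format. It assumes the server prefixes every real line with `date time [sequence]` and reports the three things the excerpt tells you to look for: a line with no valid prefix, a sequence number that appears twice (both lines of the pair are reported, because, as the excerpt notes, you cannot tell which one is the injected one), and control characters that a log viewer might interpret. The sample log is constructed from the excerpt's example, with an unprefixed line and a line containing backspace bytes added for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# Line format used by the post's "crude example": date time [sequence] request.
# The bracketed sequence number is the server-side "secret"; an injected line
# either lacks it or reuses a number the server already wrote.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) \[(?P<seq>\d+)\] (?P<req>.*)$"
)

# Constructed sample, modelled on the excerpt. Sequence 227 appears twice
# (one request carrying an injected newline became two lines), one line has
# no prefix at all, and one line carries backspace bytes (\x08) that a naive
# viewer would render as deletions. The unprefixed line and the \x08 bytes
# are constructed for this demonstration, not taken from the post.
SAMPLE_LOG = (
    "22-11-2001 09:34:45 [223] GET /real/request/1\n"
    "22-11-2001 09:34:45 [224] GET /real/request/2\n"
    "22-11-2001 09:34:46 [225] GET /real/request/3\n"
    "22-11-2001 09:34:46 [226] GET /real/request/4\n"
    "22-11-2001 09:34:47 [227] GET /fake/request/with/control/character/in/it\n"
    "22-11-2001 09:34:47 [227] GET /this/line/is/faked\n"
    "22-11-2001 09:34:53 [228] GET /real/request/5\n"
    "GET /this/line/has/no/prefix/at/all\n"
    "22-11-2001 09:34:53 [229] GET /real/request/6\n"
    "22-11-2001 09:34:54 [230] GET /real/request/7\x08\x08\x08/x\n"
    "22-11-2001 09:34:57 [231] GET /real/request/8\n"
)

# (file line number, kind, human-readable detail)
Finding = Tuple[int, str, str]


def control_chars(s: str) -> List[str]:
    """C0 control characters and DEL present in s. Newlines cannot occur
    here because splitlines() has already consumed them."""
    return [c for c in s if ord(c) < 0x20 or ord(c) == 0x7F]


def audit_log(text: str) -> List[Finding]:
    """Report every line an administrator should treat as suspect:
    'no-prefix'      the server did not write this line;
    'duplicate'      a sequence number reused; both lines of the pair are
                     reported since either could be the injected one;
    'gap'/'out-of-order'  numbers missing or going backwards;
    'control-chars'  bytes that may fool the viewer even on a real line."""
    findings: List[Finding] = []
    first_seen = {}                  # sequence number -> line where first seen
    last_seq: Optional[int] = None
    for n, raw in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(raw)
        if m is None:
            findings.append((n, "no-prefix",
                             "no valid sequence prefix, so the server did not write it"))
            continue
        seq = int(m.group("seq"))
        if seq in first_seen:
            first_n = first_seen[seq]
            findings.append((first_n, "duplicate",
                             f"sequence {seq} reappears at line {n}; one of the pair is injected"))
            findings.append((n, "duplicate",
                             f"sequence {seq} already used at line {first_n}; one of the pair is injected"))
        else:
            first_seen[seq] = n
            if last_seq is not None and seq != last_seq + 1:
                kind = "gap" if seq > last_seq else "out-of-order"
                findings.append((n, kind, f"expected sequence {last_seq + 1}, got {seq}"))
            last_seq = seq if last_seq is None else max(last_seq, seq)
        ctrl = control_chars(m.group("req"))
        if ctrl:
            codes = ", ".join(f"0x{ord(c):02x}" for c in ctrl)
            findings.append((n, "control-chars", f"request contains {codes}"))
    findings.sort(key=lambda f: f[0])
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in audit_log(SAMPLE_LOG):
        print(f"line {line_no:>3}  {kind:<14} {detail}")
```

On the sample this flags lines 5 and 6 (the two 227s), line 8 (no prefix) and line 10 (backspaces); the real lines 223 to 231 pass. The viewer-independence point from the excerpt is why the control-character check exists: the audit inspects the raw bytes, so a backspace cannot hide anything from it the way it could from an editor that honours it.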
