Re: IIS Internal IP Address Disclosure (#NISR05032002B)
From: Eric (ews@TELLURIAN.NET)
Date: 03/06/02
- Previous message: Russ: "Alert:Microsoft Security Bulletin - MS02-014"
- In reply to: David Litchfield: "IIS Internal IP Address Disclosure (#NISR05032002B)"
- Next in thread: David Litchfield: "Re: IIS Internal IP Address Disclosure (#NISR05032002B)"
- Reply: David Litchfield: "Re: IIS Internal IP Address Disclosure (#NISR05032002B)"
Date: Tue, 5 Mar 2002 20:03:08 -0800
From: Eric <ews@TELLURIAN.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Please note that the "workaround" has been documented in KB article Q218180
(http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q218180&ID=KB;EN-US;Q218180)
and has been discussed and referenced in the IIS4 and IIS5 security
checklists (since June 2000.)

From the IIS5 checklist
(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/iis5chk.asp):

Disable IP Address in Content-Location
The Content-Location header can expose internal IP addresses that are
usually hidden or masked behind a Network Address Translation (NAT)
firewall or proxy server. Refer to Knowledge Base article Q218180 for
further information about disabling this option.

At 05:58 PM 3/5/2002 +0000, David Litchfield wrote:
>NGSSoftware Insight Security Research Advisory
>
>Name: Internal IP Addresses and IIS
>Systems Affected: Microsoft IIS 4/5/5.1
>Platforms: Windows NT/2000/XP
>Severity: Low Risk
>Vendor URL: http://www.microsoft.com/
>Author: David Litchfield (david@nextgenss.com)
>Date: 4th March 2002
>Advisory number: #NISR05032002B
>Advisory URL: http://www.nextgenss.com/advisories/iisip.txt
>
>Issue: Possible to discover internal IP addresses used
> by IIS Servers
>
>Description
>***********
>Microsoft's Internet Information Server offers web, ftp, mail and nntp
>services. If the server is protected by a firewall using Network Address
>Translation and the server uses a private internal IP address then, by
>making a malformed request to the web service it is possible for an
>attacker to discover this IP address. Whilst this won't come anywhere
>near to allowing an attacker to compromise an IIS server it will help
>them formulate further attacks. This issue is similar to the issue
>documented at
>http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q218180&id=KB;EN-US;Q218180
>
>
>Details
>*******
>By making certain requests to the web service with a blank Host HTTP
>client header the server response will often contain the server's IP
>address, for example when using the PROPFIND request method.
>
>PROPFIND / HTTP/1.1
>Host:
>Content-Length: 0
>
>The server will return a 207 Multi-Status response with certain
>properties of the root page. The server's IP address will be revealed in
>the HREF property. Using the WRITE or MKCOL method will return the
>machine's IP address in the Location server HTTP header, though of
>course if the server allows the WRITE and MKCOL methods then the server
>has greater problems.
>
>Only IIS 5 and 5.1 support the WebDAV methods so these methods only
>affect these systems. IIS 5.x and 4.0 are both vulnerable to this issue
>if Basic authentication is enabled. (see #NISR05032002A
>http://www.nextgenss.com/advisories/iisauth.txt)
>
>
>
>
>Fix Information
>***************
>To prevent internal IP address disclosure take the following steps.
>
>Open a command prompt and change the current directory to
>c:\inetpub\adminscripts or to where the adminscripts can be found.
>
>Run the commands
>
>adsutil set w3svc/UseHostName True
>net stop iisadmin /y
>net start w3svc
>
>This will cause the IIS server to use the machine's host name rather
>than its IP address.
>
>
>Vendor Status
>*************
>Microsoft was informed of this issue. They didn't need to take any
>action as a suitable work-around is available.
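
An added example, not part of the original post or the advisory: a defender-side check that scans captured HTTP responses for RFC 1918 addresses in the places named above (the Location and Content-Location headers and the HREF property of a 207 body), which can confirm that the UseHostName change took effect. The sample responses, the addresses in them and the host name WEB01 are constructed.

```python
import ipaddress
import re

# Private ranges that NAT normally hides (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LEAK_HEADERS = ("content-location", "location")  # headers named on this page
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HREF = re.compile(r"<(?:\w+:)?href>(.*?)</(?:\w+:)?href>", re.I | re.S)

def private_ips(text):
    """Return RFC 1918 IPv4 addresses found in text, in order, deduplicated."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            addr = ipaddress.IPv4Address(candidate)
        except ipaddress.AddressValueError:
            continue  # not a valid dotted quad, e.g. 999.1.1.1
        if any(addr in net for net in RFC1918) and str(addr) not in found:
            found.append(str(addr))
    return found

def audit_response(raw):
    """Report (location, address) pairs where a response leaks an internal IP."""
    head, _, body = raw.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() in LEAK_HEADERS:
            findings += [(name.strip(), ip) for ip in private_ips(value)]
    for href in HREF.findall(body):            # WebDAV 207 body
        findings += [("href", ip) for ip in private_ips(href)]
    return findings

# Constructed sample responses (abbreviated), not captured from a real server.
SAMPLE_207 = ("HTTP/1.1 207 Multi-Status\r\nServer: Microsoft-IIS/5.0\r\n"
              "Content-Type: text/xml\r\n\r\n"
              '<a:multistatus xmlns:a="DAV:"><a:response>'
              "<a:href>http://10.1.1.25/</a:href></a:response></a:multistatus>")
SAMPLE_LOCATION = ("HTTP/1.1 201 Created\r\n"
                   "Location: http://192.168.0.5/newdir\r\n\r\n")
SAMPLE_FIXED = SAMPLE_207.replace("10.1.1.25", "WEB01")  # after UseHostName True

if __name__ == "__main__":
    for label, raw in (("207", SAMPLE_207), ("201", SAMPLE_LOCATION),
                       ("fixed", SAMPLE_FIXED)):
        print(label, audit_response(raw) or "no internal address found")
```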