[NT] Microsoft URLScan Configuration Can be Enumerated when Implemented in Conjunction with RSA SecurID

From: SecuriTeam (support_at_securiteam.com)
Date: 08/18/03

    To: list@securiteam.com
    Date: 18 Aug 2003 14:46:42 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    Microsoft URLScan Configuration Can be Enumerated when Implemented in
    Conjunction with RSA SecurID
    ------------------------------------------------------------------------

    SUMMARY

    URLScan is an ISAPI filter, provided by Microsoft, that performs various
    checks on HTTP requests sent to a web server. It can be configured to
    block access to various file extensions, HTTP methods, and potentially
    malicious URL sequences. SecurID is a product supplied by RSA Security
    that provides a two-factor authentication mechanism to prevent
    unauthorized access to a website. If the two products are used together
    on the same web server and configured in a certain way, it is possible to
    enumerate the configuration of URLScan and hence potentially uncover
    malicious file extensions that may not be filtered by the product.

    DETAILS

    Recently during a penetration test, IRM identified a serious security
    vulnerability when URLScan and SecurID are combined on the same machine.

    IRM requested the following URL from the target web server:
    http://server/irm.ida

    Contained within the page contents that were returned was the following
    line:

    <INPUT TYPE=HIDDEN NAME="referrer"
    VALUE="Z2FZ3CRejected-By-UrlScanZ3EZ3FZ7EZ2Firm.ida">

    Then IRM requested the URL shown below:
    http://server/irm.htm

    No line relating to URLScan was returned in the page contents.

    The default urlscan.ini file contains the following line:
    RejectResponseUrl= ; UrlScan will send rejected requests to the URL
    specified here. Default is /<Rejected-by-UrlScan>

    This is where the 'referrer' value that is returned originates.
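    An added example, not part of the advisory or of IRM's script: a Python check an administrator can run against their own server's SecurID login page to confirm that URLScan's rejection marker no longer reaches the client once the workaround is in place. It assumes, from the sample value above, that the hidden field escapes reserved URL characters as 'Z' plus two hex digits; both HTML responses below are constructed.

```python
import re
from html.parser import HTMLParser
from typing import Dict, Optional

# Inferred from the sample value in the advisory: the SecurID agent escapes
# reserved URL characters as 'Z' plus two hex digits (Z2F='/', Z3C='<', ...).
# How a literal 'Z' is escaped is not documented on the page, so a literal
# 'Z' followed by two hex digits would be mis-decoded here.
_Z_ESCAPE = re.compile(r"Z([0-9A-Fa-f]{2})")

# Marker from URLScan's default RejectResponseUrl, /<Rejected-by-UrlScan>.
URLSCAN_MARKER = "rejected-by-urlscan"


def decode_z_escapes(value: str) -> str:
    """Decode the Z-hex escaping used in the hidden 'referrer' field."""
    return _Z_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


class _HiddenInputs(HTMLParser):
    """Collect name -> value for every <input type=hidden> on a page."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":  # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden" and "name" in a:
            self.fields[a["name"]] = a.get("value", "")


def urlscan_rejection(html: str) -> Optional[str]:
    """Return the decoded rejected URL when the login page's 'referrer' field
    carries URLScan's rejection marker, otherwise None."""
    p = _HiddenInputs()
    p.feed(html)
    ref = p.fields.get("referrer")
    if ref is None:
        return None
    decoded = decode_z_escapes(ref)
    return decoded if URLSCAN_MARKER in decoded.lower() else None


# Constructed responses modelled on the two requests in the advisory.
LOGIN_PAGE_IDA = ('<form action="/webauth"><INPUT TYPE=HIDDEN NAME="referrer" '
                  'VALUE="Z2FZ3CRejected-By-UrlScanZ3EZ3FZ7EZ2Firm.ida"></form>')
LOGIN_PAGE_HTM = ('<form action="/webauth"><INPUT TYPE=HIDDEN NAME="referrer" '
                  'VALUE="Z2Firm.htm"></form>')
```

    A non-None result means the login page is still disclosing that URLScan rejected the request, so the workaround has not taken effect.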

    As the '.ida' extension is mapped to the Indexing Service ISAPI
    extension, which was exploited by the infamous Code Red worm, the
    engineer thought it was likely to be in the filtered extensions list
    within the URLScan configuration. A script was then produced to test this
    theory (available on the IRM website:
    http://www.irmplc.com/advisory/URLScan_enum.tar.gz), and it demonstrated
    that the configuration of URLScan could be enumerated using this
    technique.

    Microsoft were initially contacted, but were unable to reproduce the issue
    using just URLScan. However, when RSA Security were made aware of the
    vulnerability they confirmed that it was related to the interaction
    between the use of URLScan and SecurID and provided a simple workaround to
    resolve the problem.

    ADDITIONAL INFORMATION

    The information has been provided by IRM Advisories
    (advisories@irmplc.com).


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
