[NT] Microsoft URLScan Configuration Can be Enumerated when Implemented in Conjunction with RSA SecurID
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org
Date: 18 Aug 2003 14:46:42 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft URLScan Configuration Can be Enumerated when Implemented in
Conjunction with RSA SecurID
URLScan is an ISAPI filter provided by Microsoft that performs various
checks on HTTP requests sent to a web server. It can be configured to
block access to various file extensions, HTTP methods, and potentially
malicious URL sequences. SecurID is a product supplied by RSA Security to
provide a two-factor authentication mechanism to prevent unauthorized
access to a website. If the products are used together on the same web
server and configured in a certain way, then it is possible to enumerate
the configuration of URLScan and hence potentially uncover malicious file
extensions that may not be filtered by the product.
Recently during a penetration test, IRM identified a serious security
vulnerability when URLScan and SecurID are combined on the same machine.
IRM requested the following URL from the target web server:
Contained within the page contents that were returned was the following
<INPUT TYPE=HIDDEN NAME="referrer"
Then IRM requested the URL shown below:
No line relating to URLScan was returned in the page contents.
The default urlscan.ini file contains the following line:
RejectResponseUrl= ; UrlScan will send rejected requests to the URL specified here. Default is /<Rejected-by-UrlScan>
This is where the 'referrer' value that is returned originates.
As the ISAPI extension '.ida' is associated with the Indexing service,
which was exploited by the infamous Code Red worm, the engineer thought it
was likely to be in the filtered extensions list within the URLScan
configuration. A script was then produced to test this theory (available
on the IRM website - http://www.irmplc.com/advisory/URLScan_enum.tar.gz)
and it was demonstrated that using this technique the configuration of
URLScan could
Microsoft were initially contacted, but were unable to reproduce the issue
using just URLScan. However, when RSA Security were made aware of the
vulnerability they confirmed that it was related to the interaction
between the use of URLScan and SecurID and provided a simple workaround to
resolve the problem.
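A defensive regression check for the leak described above, added here as an example; it is not part of the original advisory and is not IRM's script. It reads the effective RejectResponseUrl from urlscan.ini text and reports whether a captured page exposes it in the hidden 'referrer' field. The function names, the sample urlscan.ini and both sample pages are constructed, and it assumes the field's value contains the rejection URL.

```python
import configparser
from html.parser import HTMLParser

# Default stated in the urlscan.ini comment quoted in the advisory.
URLSCAN_DEFAULT_REJECT_URL = "/<Rejected-by-UrlScan>"

def reject_response_url(ini_text):
    """Return the effective RejectResponseUrl for the given urlscan.ini text."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None,
                                   inline_comment_prefixes=(";",))
    cp.read_string(ini_text)
    for section in cp.sections():
        if section.lower() == "options":
            value = cp.get(section, "RejectResponseUrl", fallback="") or ""
            if value.strip():
                return value.strip()
    return URLSCAN_DEFAULT_REJECT_URL  # empty or missing means the default

class _HiddenFields(HTMLParser):
    """Collect <input type=hidden> fields; attribute entities are decoded."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.fields[(a.get("name") or "").lower()] = a.get("value") or ""

def leaks_rejection(page_html, reject_url):
    """True if the page's hidden 'referrer' field exposes the rejection URL."""
    parser = _HiddenFields()
    parser.feed(page_html)
    return reject_url.lower() in parser.fields.get("referrer", "").lower()

# Constructed samples (not taken from the advisory or from a real server).
SAMPLE_INI = """[options]
UseAllowExtensions=0   ; constructed sample
RejectResponseUrl= ; UrlScan will send rejected requests to the URL specified here.

[DenyExtensions]
.ida
"""
LEAKY_PAGE = ('<FORM><INPUT TYPE=HIDDEN NAME="referrer" '
              'VALUE="/&lt;Rejected-by-UrlScan&gt;"></FORM>')
CLEAN_PAGE = '<FORM><INPUT TYPE=HIDDEN NAME="referrer" VALUE="/default.htm"></FORM>'
```

Run it against pages captured from your own server after applying the vendor workaround; a True result means the login page still reveals which requests URLScan rejected.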
The information has been provided by IRM.