IRM 006: The configuration of Microsoft URLScan can be enumerated when implemented in conjunction with RSA SecurID

From: IRM Advisories (advisories_at_irmplc.com)
Date: 08/14/03

    To: <bugtraq@securityfocus.com>
    Date: Thu, 14 Aug 2003 10:58:58 +0100

    ----------------------------------------------------------------------------

    IRM Security Advisory No. 006

    The configuration of Microsoft URLScan can be enumerated when implemented in
    conjunction with RSA SecurID

    Vulnerability Type / Importance: Information Leakage / High

    Problem discovered: July 18th 2003
    Microsoft contacted: July 18th 2003
    RSA contacted: August 11th 2003
    Advisory published: August 13th 2003

    ----------------------------------------------------------------------------

    Abstract:

    URLScan is an ISAPI filter, provided by Microsoft, that performs various
    checks on HTTP requests sent to a web server. It can be configured to block
    access to various file extensions, HTTP methods and potentially malicious
    URL sequences. SecurID is a product supplied by RSA Security that provides a
    two-factor authentication mechanism to prevent unauthorised access to a
    website. If the products are used together on the same web server and
    configured in a certain way, then it is possible to enumerate the
    configuration of URLScan and hence potentially uncover malicious file
    extensions that are not filtered by the product.

    Description:

    Recently during a penetration test IRM identified a serious security
    vulnerability when URLScan and SecurID are combined on the same machine.

    IRM requested the following URL from the target web server:

    http://server/irm.ida

    Contained within the page contents that were returned was the following
    line:

    <INPUT TYPE=HIDDEN NAME="referrer"
    VALUE="Z2FZ3CRejected-By-UrlScanZ3EZ3FZ7EZ2Firm.ida">

    Then IRM requested the URL shown below:

    http://server/irm.htm

    No line relating to URLScan was returned in the page contents.

    The default urlscan.ini file contains the following line:

    RejectResponseUrl= ; UrlScan will send rejected requests to the URL
    specified here. Default is /<Rejected-by-UrlScan>

    This is where the 'referrer' value that is returned originates.

    As the ISAPI extension '.ida' is associated with the Indexing service, which
    was exploited by the infamous Code Red worm, the engineer thought it was
    likely to be in the filtered extensions list within the URLScan
    configuration. A script was then produced to test this theory (available on
    the IRM website - http://www.irmplc.com/advisories.htm) and it was
    demonstrated that using this technique the configuration of URLScan could
    be enumerated.

    Microsoft were initially contacted, but were unable to reproduce the issue
    using just URLScan. However, when RSA Security were made aware of the
    vulnerability they confirmed that it was related to the interaction between
    the use of URLScan and SecurID and provided a simple workaround to resolve
    the problem.
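    The following Python is an added illustration for this archive copy; it is
    not IRM's enumeration script and not part of the original advisory. It
    shows a defender-side view of the leak described above: a decoder for the
    hidden 'referrer' value, and a scan over web server log lines that flags a
    client repeatedly triggering URLScan's RejectResponseUrl against different
    extensions, which is what configuration enumeration looks like in the logs.
    Two assumptions are made and marked in the code: the 'ZXX' escaping of the
    referrer value is inferred from the single sample in the advisory, and the
    log lines and their field order are constructed, not taken from a real IIS
    installation.

```python
import re
from collections import defaultdict

# Marker that appears in URLScan's default RejectResponseUrl (from urlscan.ini).
REJECT_MARKER = "Rejected-By-UrlScan"
REJECT_STEM = "/<" + REJECT_MARKER + ">"

# Assumption (inferred from the one value quoted in the advisory): the SecurID
# agent stores the original URL in the hidden 'referrer' field with every %XX
# percent-escape rewritten as ZXX, e.g. Z2F for '/', Z3C for '<'.
_Z_ESCAPE = re.compile(r"Z([0-9A-Fa-f]{2})")


def decode_referrer(value):
    """Turn a ZXX-escaped referrer value back into the URL it encodes."""
    return _Z_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


# Matches the hidden field as it appears in the advisory (NAME and VALUE may be
# separated by a newline, which [^>]* tolerates).
_HIDDEN_REFERRER = re.compile(
    r'<INPUT[^>]*NAME="referrer"[^>]*VALUE="([^"]*)"', re.IGNORECASE)


def leaked_reject_url(html):
    """Return the decoded URL if a login page leaks URLScan's reject URL
    through the SecurID 'referrer' field, otherwise None.

    Useful after applying the filter-order workaround: a page that still
    returns a Rejected-By-UrlScan referrer means the leak is still present."""
    m = _HIDDEN_REFERRER.search(html)
    if not m:
        return None
    decoded = decode_referrer(m.group(1))
    return decoded if REJECT_MARKER in decoded else None


# Constructed sample log (not real traffic). Assumed W3C extended field order:
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
# Requests that URLScan rejects are assumed to be logged under the rewritten
# stem /<Rejected-By-UrlScan> with the original path in the query string.
SAMPLE_LOG = """\
2003-07-18 10:01:02 10.0.0.5 GET /index.htm - 200
2003-07-18 10:01:03 10.0.0.9 GET /<Rejected-By-UrlScan> ~/irm.ida 200
2003-07-18 10:01:04 10.0.0.9 GET /irm.htm - 401
2003-07-18 10:01:05 10.0.0.9 GET /<Rejected-By-UrlScan> ~/irm.idq 200
2003-07-18 10:01:06 10.0.0.9 GET /<Rejected-By-UrlScan> ~/irm.printer 200
2003-07-18 10:01:07 10.0.0.9 GET /<Rejected-By-UrlScan> ~/irm.htw 200
2003-07-18 10:01:08 10.0.0.22 GET /<Rejected-By-UrlScan> ~/default.ida 200
"""


def find_enumerators(log_text, threshold=3):
    """Map client IP -> set of distinct extensions URLScan rejected for it,
    keeping only clients with at least `threshold` distinct extensions.

    One rejected request is everyday noise (worm traffic, typos); a single
    client walking through many different extensions is the enumeration
    pattern the advisory describes."""
    rejected = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[4] != REJECT_STEM:
            continue
        ip, query = fields[2], fields[5]
        original = query[2:] if query.startswith("~/") else query
        ext = original.rsplit(".", 1)[-1].lower() if "." in original else ""
        rejected[ip].add(ext)
    return {ip: exts for ip, exts in rejected.items() if len(exts) >= threshold}


if __name__ == "__main__":
    # The value quoted in the advisory decodes to URLScan's reject URL plus
    # the original request path.
    sample = "Z2FZ3CRejected-By-UrlScanZ3EZ3FZ7EZ2Firm.ida"
    print("decoded referrer:", decode_referrer(sample))
    for ip, exts in find_enumerators(SAMPLE_LOG).items():
        print(ip, "probed rejected extensions:", sorted(exts))
```

    The extension-count threshold is deliberately low (three distinct rejected
    extensions from one client) because legitimate users almost never request
    several different blocked extensions; tune it against your own baseline of
    URLScan rejections before alerting on it.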

    Tested Versions:

    Microsoft IIS 5
    RSA ACE/Agent 5.0
    URLScan 2.5

    Tested Operating Systems:

    Microsoft Windows 2000

    Vendor & Patch Information:

    RSA Security were contacted on the 11th August and on 13th August provided a
    workaround to resolve the issue.

    Workarounds:

    In Microsoft Internet Services Manager, the SecurID filter needs to be the
    first in the global ISAPI filter list, above URLScan.

    Credits:

    Research & Advisory: Andy Davis

    Disclaimer:

    All information in this advisory is provided on an 'as is'
    basis in the hope that it will be useful. Information Risk Management
    Plc is not responsible for any risks or occurrences caused
    by the application of this information.

    ----------------------------------------------------------------------------

    Information Risk Management Plc.
    22 Buckingham Gate
    London
    SW1E 6LB
    +44 (0)207 808 6420
