RE: Web Services

From: Skinner, Kit (KSkinner@sandstream.com)
Date: 03/08/02


From: "Skinner, Kit" <KSkinner@sandstream.com>
To: "'jmcmaster@appliedsystems.com'" <jmcmaster@appliedsystems.com>, "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Date: Fri, 8 Mar 2002 19:12:15 -0000 

Okay, after looking at these sites, I think I see why you're getting these
false positives. If you try to connect to your site, it places the
requested page inside of a frameset. I'm assuming you're using a forwarder.

Since the forwarding host (which happens to be running IIS5 according to the
headers) returns a frameset with your actual page inside of the page, it
does not return a 40x error like the WebScan is expecting. Since it gets a
successful 200, it assumes the file is there. WebScan does not look inside
the frameset to get the actual page. What you might want to do instead is
have WebScan look at your actual IP address rather than your URL.

-K

-----Original Message-----
From: jmcmaster@appliedsystems.com [mailto:jmcmaster@appliedsystems.com]
Sent: Thursday, March 07, 2002 10:23 AM
To: focus-ms@securityfocus.com
Subject: Web Services

Cerberus WebScan is telling me this about my server. It says it's IIS/5.0,
but I have that uninstalled and all of its services stopped, and have
Apache running on it, and I don't even have these dirs on my server, and I
don't know if this is a real security problem or not. The access log
from Apache I will attach, but it just shows 404 errors when it tried to
access these files. Can anyone explain to me what's going on, or if I should
even worry? This is a Win2k server w/ SP2 and all the security updates,
except maybe one, with Apache 1.3.2.3 win32 version. Thanks.

Web Service
Web Server Software is Microsoft-IIS/5.0
Security Issues
<http://www.shadey.com/cgi-bin/>
Directory listing is allowed of the /cgi-bin/. This allows an attacker to
browse through scripts and executables in this directory allowing them to
target and exploit potential weaknesses. Directory browsing should be
disabled.
<http://www.shadey.com/scripts/>
Directory listing is allowed of the /scripts/ directory. This allows an
attacker to browse through scripts and executables allowing them to target
and exploit potential weaknesses. Directory browsing should be disabled.
<http://www.shadey.com/cgi-bin/sh>
The UNIX shell interpreter "sh" has been found in the /cgi-bin/. This should
be removed as it could allow remote attackers to run commands on the web
server remotely
<http://www.shadey.com/cgi-bin/csh>
The UNIX C shell interpreter "csh" has been found in the /cgi-bin/. This
should be removed as it could allow remote attackers to run commands on the
web server remotely
<http://www.shadey.com/cgi-bin/ksh>
The UNIX shell interpreter "ksh" has been found in the /cgi-bin/. This
should be removed as it could allow remote attackers to run commands on the
web server remotely
<http://www.shadey.com/cgi-bin/cmd.exe?/c>
The Windows NT shell interpreter "cmd.exe" has been found in the /cgi-bin/.
This should be removed as it allows remote attackers to run commands on the
web server remotely.
<http://www.shadey.com/scripts/cmd.exe?/c>
The Windows NT shell interpreter "cmd.exe" has been found in the /scripts/
directory. This should be removed as it allows remote attackers to run
commands on the web server remotely.
<http://www.shadey.com/cgi-bin/cmd32.exe>
Perl's "cmd32.exe" has been found in the /cgi-bin/. This should be removed
as it allows remote attackers to run commands on the web server remotely
<http://www.shadey.com/scripts/cmd32.exe>
Perl's "cmd32.exe" has been found in the /scripts/ directory. This should be
removed as it allows remote attackers to run commands on the web server
remotely
<http://www.shadey.com/cgi-bin/perl.exe?-v>
Perl.exe found in the /cgi-bin. This is highly dangerous as it allows an
attacker to run system commands. This should be removed as soon as possible.

<http://www.shadey.com/scripts/perl.exe?-v>
Perl.exe found in the /scripts directory. This is highly dangerous as it
allows an attacker to run system commands. This should be removed as soon as
possible.
<http://www.shadey.com/scripts/tools/newdsn.exe>
Newdsn.exe can be used by an attacker to create files anywhere on your
disk if they have the correct NTFS file permissions to do so. Newdsn.exe can
also be used to overwrite the DSNs on existing on-line databases making the
information contained in the database inaccessible.
This file, getdrvrs.exe, dsnform.exe and mkilog.exe should be deleted or
renamed unless there is a strong reason not to do so. In that case, ensure
that only Administrators may access them.
<http://www.shadey.com/_vti_bin/fpcount.exe?Page=default.htm|Image=3|Digits=15>
Fpcount.exe has been found in the /_vti_bin/ directory. If, when the link
above is followed, fifteen digits are displayed, this version of fpcount.exe
is from the FrontPage Server Extensions 97 package and it contains a buffer
overrun that allows remote execution of arbitrary code.
This should be deleted until a copy of the 98 version of FrontPage can be
obtained.
http://www.shadey.com/iissamples/issamples/query.asp
<http://www.shadey.com//iissamples/issamples/query.asp>
The query.asp page is the default sample search page for Index Server on
IIS4. From here an attacker can perform searches for files of a certain type
using "#filename=*.exe" or "#filename=*.asp". Ensure that Index Server has
been configured not to return results for searches such as these.
Server exhibits the ::$DATA bug.
This can allow an attacker to download the source of scripts, such as Active
Server Pages or Perl scripts. This problem is fixed with service pack 4, or a
post-SP3 hotfix can be downloaded from the Microsoft web site.
<http://www.shadey.com/samples/search/queryhit.htm>
The queryhit.htm page is the default sample search page for Index Server
1.1. From here an attacker can perform searches for files of a certain type
using "#filename=*.exe" or "#filename=*.asp". Ensure that Index Server has
been configured not to return results for searches such as these.
<http://www.shadey.com/iissamples/exair/search/advsearch.asp>
The sample ExAir site contains a number of scripts that can cause a
temporary situation where the inetinfo.exe process consumes 100 percent of
the processor time for 90 secs. This only happens if the Index Server ISAPI
DLLs have not been loaded into memory. If they are not, and this page or
query.asp or search.asp are accessed directly, the script will loop.
The solution to this problem is to remove these files.
http://www.shadey.com/iisadmpwd/aexp2.htr
<http://www.shadey.com/iisadmpwd/aexp3.htr>
From here an attacker can launch password attacks against the local machine
or proxied attacks against other machines on the network. More
information can be found here
<http://www.infowar.co.uk/mnemonix/iispassproxy.htm>
<http://www.shadey.com/scripts/repost.asp>
Microsoft's Site Server 2.0 is installed. This allows users to upload files
to the /users directory. Even if it doesn't exist, any valid user can create
the directory via the web, and the default NTFS permissions given to this
directory give the Everybody Group the "Change" permission, which allows
anybody to create, modify or delete files in that directory. Added to this,
IIS gives the "Write" permission, allowing users to use the HTTP PUT
REQUEST_METHOD to place content on the web site via the HTTP protocol.
Because of the defaults, if anonymous access is granted to the site, anybody
can do this. Ensure that, if the directory exists, the Anonymous Internet
Account is given only read access to this directory. Remove change
permissions for the Everybody Group and assign permissions per user.
<http://www.shadey.com/iissamples/exair/howitworks/codebrws.asp>
This sample script should be removed. It allows attackers to access files on
the same volume as the IIS install outside of the web file system.
<http://www.shadey.com/msadc/samples/selector/showcode.asp>
This sample script should be removed. It allows attackers to access files on
the same volume as the IIS install outside of the web file system.
<http://www.shadey.com/search?>
The search engine on Netscape Enterprise Server 3.5.x is enabled by default.
It is possible, by using specially formed search requests to obtain the
source scripts. The search engine and collections indexed should be checked
carefully to see if this problem exists on this site. If the search
functionality is not needed it should be disabled from the administration
pages.
<http://www.shadey.com/index.html>
By appending to the end of a file on Windows NT with Netscape Enterprise
3.5.x it accesses the raw data and consequently allows downloading of script
source. There is a patch available to resolve this issue.
<http://www.shadey.com/scripts/rguest.exe>
rguest.exe (Webcom CGI guestbook) has a vulnerability that allows files
anywhere on the file system to be read. It is suggested that wguest.exe be
removed.
<http://www.shadey.com/cgi-bin/rguest.exe>
rguest.exe (Webcom CGI guestbook) has a vulnerability that allows files
anywhere on the file system to be read. It is suggested that rguest.exe be
removed.
<http://www.shadey.com/scripts/wguest.exe>
wguest.exe (Webcom CGI guestbook) has a vulnerability that allows files
anywhere on the file system to be read. It is suggested that wguest.exe be
removed.
<http://www.shadey.com/cgi-bin/wguest.exe>
wguest.exe (Webcom CGI guestbook) has a vulnerability that allows files
anywhere on the file system to be read. It is suggested that wguest.exe be
removed.
<http://www.shadey.com/cgi-bin/get32.exe>
On Alibaba web servers this CGI program can be used to run commands. It
should be removed or updated.
<http://www.shadey.com/cgi-bin/alibaba.pl>
This script can be exploited to allow commands to be run on the server
remotely. It should be removed or updated.
<http://www.shadey.com/cgi-bin/tst.bat>
tst.bat can be exploited to run commands on the server remotely. It should
be removed.
<http://www.shadey.com/cgi-win/uploader.exe>
uploader.exe can be exploited to allow attackers to upload files remotely.
Ensure you are not vulnerable and if you are update it or remove it.
<http://www.shadey.com/cgi-bin/FormHandler.cgi>
FormHandler.cgi uses physical paths for web form templates. An attacker can
locally (ie on their machine) modify the form and gain access to sensitive
files such as /etc/passwd. This should be updated to prevent this.
<http://www.shadey.com/cgi-bin/testcgi>
Some early versions of testcgi have a vulnerability where *NIX shell
metacharacters can be fed in and reveal directory listings etc. testcgi
should be removed anyway as it gives away too much information about the
system.
http://www.shadey.com/cgi-bin/testcgi/*?*
<http://www.shadey.com/cgi-bin/test-cgi/*?*>
Some versions of test-cgi have a vulnerability where *NIX shell
metacharacters can be fed in and reveal directory listings etc. test-cgi
should be removed anyway as it gives away too much information about the
system.
<http://www.shadey.com/cgi-bin/test.cgi>
Ensure that test.cgi, found in the /cgi-bin, strips out shell metacharacters
from HTTP input. test.cgi should be removed anyway as it gives away too much
information about the system.
<http://www.shadey.com/cgi-bin/environ.pl>
environ.pl should be removed anyway as it gives away too much information
about the system.
<http://www.shadey.com/scripts/environ.pl>
environ.pl should be removed anyway as it gives away too much information
about the system.
<http://www.shadey.com/server-info>
server-info reveals too much information about the system. Limit access to
this location in httpd.conf
<http://www.shadey.com/server-status>
server-status reveals too much information about the system. Limit access to
this location in httpd.conf
<http://www.shadey.com/cgi-bin/tcsh>
The UNIX shell interpreter "tcsh" has been found in the /cgi-bin/. This
should be removed as it could allow remote attackers to run commands on the
web server remotely
<http://www.shadey.com/cgi-bin/cgitest.exe>
Cgitest.exe, by Antelope Software, found in the /cgi-bin/ directory,
exhibits a buffer overrun vulnerability caused by an overly long User-Agent
HTTP client header field. If exploited it can allow attackers to execute
arbitrary code. Cgitest.exe should be removed.
<http://www.shadey.com/~root>
Access to /~root is allowed. This potentially gives an attacker access to
the whole file system. This should be fixed as soon as is possible.
<http://www.shadey.com/~ftp>
Access to /~ftp is allowed. This presents a problem if Server Side Includes
are turned on and anonymous uploads are allowed via ftp. Even still, remote
users should be denied access to this directory.
<http://www.shadey.com/cgi-bin/phf?Qalias=&Qname=haqr&Qemail=&Qnickname=&Qoffice_phone=>
Older versions of the phf script don't strip the newline character from user
supplied input. Consequently it allows attackers to run arbitrary commands on
the web server. Ensure this script is not vulnerable.
<http://www.shadey.com/cgi-bin/count.cgi>
Some versions of count.cgi contain a buffer overrun. A CERT advisory was
issued referencing this issue. See <http://www.cert.org>.
<http://www.shadey.com/cgi-bin/nph-test-cgi>
Some versions of the nph-test-cgi script do not check user supplied input
properly, allowing attackers to get directory listings. It would be safer to
remove it anyway as it gives out too much information.
<http://www.shadey.com/cgi-bin/webdist.cgi>
Webdist.cgi, as distributed with IRIX 5.x and 6.x, contains a vulnerability
that allows remote attackers to execute commands. It should be removed.
<http://www.shadey.com/cgi-bin/aglimpse>
Some early versions of the aglimpse script (< c. late 1997) contain a
vulnerability that allows remote attackers to run commands on the server. If
you have not updated recently see <http://glimpse.cs.arizona.edu>.

ACCESS LOG from apache
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/ HTTP/1.0" 403 291
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "HEAD / HTTP/1.0" 200 0
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /*.idc HTTP/1.0" 403 288
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/ HTTP/1.0" 404 287
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/csh HTTP/1.0" 404 290
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/sh HTTP/1.0" 404 289
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/ksh HTTP/1.0" 404 290
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/cmd.exe?/c HTTP/1.0" 404 294
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/cmd.exe?/c HTTP/1.0" 404 294
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/cmd32.exe HTTP/1.0" 404 296
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/cmd32.exe HTTP/1.0" 404 296
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/perl.exe?-v HTTP/1.0" 404 295
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/perl.exe?-v HTTP/1.0" 404 295
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/tools/newdsn.exe HTTP/1.0" 404 303
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /_vti_bin/fpcount.exe?Page=default.htm|Image=3|Digits=15 HTTP/1.0" 404 299
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /samples/search/queryhit.htm HTTP/1.0" 404 306
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /iissamples/issamples/query.asp HTTP/1.0" 404 309
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/*%0a.pl HTTP/1.0" 404 292
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /iissamples/exair/search/advsearch.asp HTTP/1.0" 404 316
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /iisadmpwd/aexp3.htr HTTP/1.0" 404 298
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/repost.asp HTTP/1.0" 404 297
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "OPTIONS / HTTP/1.0" 200 -
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "OPTIONS /users/ HTTP/1.0" 200 -
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "OPTIONS /cgi-bin/ HTTP/1.0" 200 -
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "OPTIONS /scripts/ HTTP/1.0" 200 -
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /msadc/samples/selector/showcode.asp HTTP/1.0" 404 314
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /iissamples/exair/howitworks/codebrws.asp HTTP/1.0" 404 319
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /?PageServices HTTP/1.0" 200 1852
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /search? HTTP/1.0" 404 285
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /index.html%20 HTTP/1.0" 200 1852
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/rguest.exe HTTP/1.0" 404 297
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/rguest.exe HTTP/1.0" 404 297
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/wguest.exe HTTP/1.0" 404 297
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/wguest.exe HTTP/1.0" 404 297
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/get32.exe HTTP/1.0" 404 296
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/alibaba.pl HTTP/1.0" 404 297
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/tst.bat HTTP/1.0" 404 294
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-win/uploader.exe HTTP/1.0" 404 299
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/FormHandler.cgi HTTP/1.0" 404 302
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/testcgi HTTP/1.0" 404 294
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/test-cgi/*?* HTTP/1.0" 404 297
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/test.cgi HTTP/1.0" 404 295
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/enivron.pl HTTP/1.0" 404 297
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/environ.pl HTTP/1.0" 404 297
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /server-info HTTP/1.0" 404 290
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /server-status HTTP/1.0" 404 292
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/tcsh HTTP/1.0" 404 291
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/cgitest.exe HTTP/1.0" 404 298
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /~root HTTP/1.0" 404 284
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /~ftp HTTP/1.0" 404 283
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/phf?Qalias=&Qname=haqr&Qemail=&Qnickname=&Qoffice_phone= HTTP/1.0" 404 290
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/count.cgi HTTP/1.0" 404 296
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/nph-test-cgi HTTP/1.0" 404 299
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/webdist.cgi HTTP/1.0" 404 298
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/aglimpse.cgi HTTP/1.0" 404 299
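Added example, not part of the thread and not code from Cerberus or from either poster: a small Python triage script that does mechanically what Kit's diagnosis and the attached Apache log together suggest. It parses Common Log Format lines from the origin server and reports what that server actually answered for each path the scanner flagged (a 403/404 there means the finding is a false positive for this host), and it checks a scanner's own view for the catch-all signature a frameset forwarder produces: every probe answered 200 with an identical body length, so the status code says nothing about whether the file exists. The log lines are a constructed subset of the log quoted above; the "forwarder view" responses and the `FLAGGED` list are constructed for illustration.

```python
"""Triage a web-scanner report against the origin server's own access log.

Added example (not from the mailing-list thread). Sample log lines are a
constructed subset of the Apache log in the thread; the scanner-side
responses are constructed to show the frameset-forwarder case.
"""
import re
from urllib.parse import urlsplit

# Apache Common Log Format: host ident user [time] "request" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_clf(line):
    """Return a dict for one Common Log Format line, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = None if rec["size"] == "-" else int(rec["size"])
    # Drop the query string so /cgi-bin/cmd.exe?/c is keyed as /cgi-bin/cmd.exe
    rec["path"] = urlsplit(rec["target"]).path
    return rec


def origin_verdicts(log_lines, flagged_paths):
    """Map each scanner-flagged path to the status the origin server logged.

    Returns {path: status}; status is None when no request for it was logged.
    """
    first_status = {}
    for line in log_lines:
        rec = parse_clf(line)
        if rec is not None:
            first_status.setdefault(rec["path"], rec["status"])
    return {p: first_status.get(p) for p in flagged_paths}


def looks_like_catch_all(responses, min_probes=5):
    """True if every probe got 200 with the same body length.

    `responses` is a list of (path, status, length) as seen by the scanner.
    A front end that wraps any URL in the same frameset yields exactly this,
    so a 200 must not be read as "file exists" until the body is inspected.
    """
    if len(responses) < min_probes:
        return False
    statuses = {status for _, status, _ in responses}
    lengths = {length for _, _, length in responses}
    return statuses == {200} and len(lengths) == 1


# Constructed subset of the origin (Apache) log quoted in the thread.
SAMPLE_LOG = """\
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/ HTTP/1.0" 403 291
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "HEAD / HTTP/1.0" 200 0
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/cmd.exe?/c HTTP/1.0" 404 294
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/perl.exe?-v HTTP/1.0" 404 295
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "OPTIONS /users/ HTTP/1.0" 200 -
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /index.html%20 HTTP/1.0" 200 1852
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /server-status HTTP/1.0" 404 292
""".splitlines()

# Constructed: a few of the paths the scanner report flagged.
FLAGGED = ["/cgi-bin/cmd.exe", "/scripts/perl.exe", "/server-status", "/cgi-bin/phf"]

# Constructed: what the scanner saw through a frameset forwarder (same wrapper for every URL).
FORWARDER_VIEW = [(p, 200, 512) for p in FLAGGED + ["/~root", "/cgi-bin/sh"]]


def triage():
    """Cross-check the flagged paths against the origin log and the forwarder signature."""
    verdicts = origin_verdicts(SAMPLE_LOG, FLAGGED)
    return {
        "verdicts": verdicts,
        "false_positives": [p for p, s in verdicts.items() if s in (403, 404)],
        "not_in_log": [p for p, s in verdicts.items() if s is None],
        "catch_all": looks_like_catch_all(FORWARDER_VIEW),
    }


if __name__ == "__main__":
    result = triage()
    for path, status in result["verdicts"].items():
        print(f"{path:24s} origin logged: {status if status is not None else 'no request'}")
    print("false positives (origin answered 403/404):", result["false_positives"])
    print("front end answers everything 200 with one body size:", result["catch_all"])
```

Paths the origin never logged ("not_in_log") deserve a second look rather than dismissal: either the scanner never reached the origin for them, or it hit a different host, which is exactly the situation Kit's advice to scan the real IP address is meant to resolve.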


