Re: IIS 4 Security

From: Mike Coppins (mike@legolas.com)
Date: 12/11/02

    Date: Wed, 11 Dec 2002 16:26:11 +0000
    To: focus-ms@securityfocus.com
    From: Mike Coppins <mike@legolas.com>
    
    

    At 10/12/2002 21:52, anyluser wrote:
    >A friend and I are having a (friendly) debate and I
    >was wondering what the SecBasics crowd thought.
    >
    >The Hypothetical Situation: A publicly available yet
    >password protected web site is hosted using IIS 4 w/o
    >SSL. It is completely unpatched

    Why?!? Do you like to create work for yourself in reinstalling the
    soon-to-be compromised box?

    > and yet there are no
    >sites or pages that can be accessed w/o a valid
    >username and password. IOW, no anon access, ever.

    If it is IIS4 totally unpatched, that will make no difference. There were
    definitely buffer overflows in every http method in a stock install of IIS4
    without any patches. When you say unpatched, what do you mean
    exactly? The machine has to be running IE4 and NT4 SP3 in order for IIS4
    to install, so assuming you made that much effort, how much more effort is
    really needed to get the machine up to SP6a and patches on top of that?

    >My Premise: It is reasonably secure right up until a
    >brute force attack or eavesdropping yields a valid
    >username/pass. If there are no URLs that don't
    >require username and pass then a malformed URL will be
    >challenged just as thoroughly, relegating exposure.

    What are you basing your premise on? Do you read the security bulletins?

    >His Argument: It can still be hacked b/c the username
    >and password can be bypassed even w/o a directed
    >effort towards discovering valid auth info (brute
    >force). Note: He thinks it's possible but in
    >practice doesn't know how to do it or if it can indeed
    >be done.

    It's certainly possible, but what is much easier is just to target an
    exploitable http method (on a totally unpatched IIS4 install, they
    all have known exploits) and inject code into the overflow from there.

    -- 
    Mike Coppins
    mike@legolas.com
    http://www.legolas.com/
    http://www.copsys.co.uk/
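
An added illustration, not part of the original thread and not IIS code: an HTTP server has to parse the request line before it can look at credentials, so a length bug in that parser is reachable by anyone, whatever the access controls on the URLs. The toy parser below shows the bounded form of that step; `METHOD_MAX`, `handle_request`, `has_valid_auth` and the credential string are assumptions made up for this sketch.

```c
#include <stdio.h>
#include <string.h>

#define METHOD_MAX 8  /* constructed limit for this toy parser */

/* Hypothetical credential check; "dXNlcjpwYXNz" is a constructed user:pass. */
static int has_valid_auth(const char *headers) {
    return headers && strstr(headers, "Authorization: Basic dXNlcjpwYXNz");
}

/* Returns the HTTP status the toy server would send.
 * The unchecked pattern this replaces is
 *     char method[METHOD_MAX]; sscanf(line, "%s", method);
 * which overruns the buffer on a long token, and does so before
 * has_valid_auth() is ever called. */
int handle_request(const char *line, const char *headers) {
    char method[METHOD_MAX];
    const char *sp = strchr(line, ' ');
    size_t len = sp ? (size_t)(sp - line) : 0;

    if (len == 0 || len >= sizeof method)
        return 400;                 /* rejected pre-auth, nothing copied */
    memcpy(method, line, len);
    method[len] = '\0';

    if (strcmp(method, "GET") && strcmp(method, "HEAD") && strcmp(method, "POST"))
        return 400;                 /* unknown method, still pre-auth */
    if (!has_valid_auth(headers))
        return 401;                 /* credentials are the last gate */
    return 200;
}

/* Constructed input: a 256-byte method token, sent with no credentials. */
int overlong_method_status(void) {
    char line[300];
    memset(line, 'A', 256);
    strcpy(line + 256, " / HTTP/1.0");
    return handle_request(line, NULL);
}

int main(void) {
    printf("no credentials:  %d\n", handle_request("GET / HTTP/1.0", NULL));
    printf("overlong method: %d\n", overlong_method_status());
    return 0;
}
```

The overlong request is answered with 400 and never reaches the credential check, which is the ordering that makes "no anonymous access" irrelevant to parser-level bugs.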
    

