RE: IIS 4 Security
From: Henry Sieff (hsieff@orthodon.com)
Date: 12/11/02
- Previous message: Mike Coppins: "Re: IIS 4 Security"
- Maybe in reply to: anyluser: "IIS 4 Security"
- Next in thread: Brian W. Spolarich: "RE: IIS 4 Security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Henry Sieff <hsieff@orthodon.com>
To: "'anyluser@yahoo.com'" <anyluser@yahoo.com>, focus-ms@securityfocus.com
Date: Wed, 11 Dec 2002 12:31:46 -0600
Very insecure; see comments inline.
> -----Original Message-----
> From: anyluser [mailto:anyluser@yahoo.com]
> Sent: Tuesday, December 10, 2002 3:53 PM
> To: focus-ms@securityfocus.com
> Subject: IIS 4 Security
>
>
> A friend and I are having a (friendly) debate and I
> was wondering what the SecBasics crowd thought.
>
> The Hypothetical Situation: A publicly available yet
> password protected web site is hosted using IIS 4 w/o
> SSL. It is completely unpatched and yet there are no
> sites or pages that can be accessed w/o a valid
> username and password. IOW, no anon access, ever.
But in other respects, it is the default install (ie all the default isapi
mappings, no patches?) RDS is installed along with sample pages?
>
> My Premise: It is reasonably secure right up until a
> brute force attack or eavesdropping yields a valid
> username/pass. If there are no URLs that don't
> require username and pass then a malformed URL will be
> challenged just as thoroughly, relegating exposure.
>
> His Argument: It can still be hacked b/c the username
> and password can be bypassed even w/o a directed
> effort towards discovering valid auth info (brute
> force). Note: He thinks it's possible but in
> practice doesn't know how to do it or if it can indeed
> be done.
I would probably exploit 'Malformed HTR Request', since it requires no web
page access
(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS99-019.asp).
All you need to do is pass a specially crafted GET
for .htr et al type files, and regardless of whether the file exists or
whatever, the buffer on the .dll which handles those types will overflow.
DoS with arbitrary code execution possibilities.
Not sure what pre-coded exploits there are for this, but my IDS reports
enough GET requests for this to imply that people scan for the
vulnerability. I believe it is included in the Whisker scanner.
> The only thing I could imagine happening is that
> someone telnets into port 80 and passes a URL in that
> way, but I didn't tell him that :) Since I don't know
> how to do that yet (I'm about to google it) I can't
> test it.
netcat; swiss army knife of the netadmin. But, like I said, there are
probably tools out there that will 'telnet' to 80 and pump the exploit to
it.
>
> So what do y'all think? How secure is a pw protected
> site from attack w/o a valid username and password?
If that is all you're relying on, you are sunk before even leaving the
harbor. It is easy enough to patch an IIS server, and to lock it down so
that the most common vulnerabilities are eliminated.
Remember, that authentication mechanism only kicks in once the web server
has processed the request to figure out what needs to be done. If the
vulnerability exists in one of the many .dll's which contain the appropriate
libraries for the requested file type, the authentication system never even
gets to kick in (and with some exploits, it never even gets logged to the
IIS logs).
HTH,
Henry
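The point Henry makes at the end of his reply, that IIS picks the ISAPI handler from the requested file extension before authentication ever runs, is something a defender can check for in the server's own logs. The following script is an added example and is not part of Henry's reply or of the thread: it parses W3C extended log lines (the sample lines are constructed), works out which extension IIS would dispatch each request on, and flags requests whose extension belongs to a script mapping the site does not use. The extension list is an assumption for the example; the list that matters on a real server is whatever its script map actually contains. Note Henry's caveat: some exploits never reach the IIS log at all, so this catches probe traffic only, and the actual fix remains patching and removing unused mappings.

```python
"""Flag requests that IIS would route to unused ISAPI extensions.

Added example (not from the thread). The idea being demonstrated: IIS
chooses the handler DLL from the extension in the URL *before* the site's
authentication check, so a request for a non-existent .htr file still
reaches ism.dll even on a fully password-protected site.
"""
import os
from collections import Counter
from typing import Dict, Iterator, List
from urllib.parse import unquote, urlsplit

# Assumption for the example: extensions a default IIS 4 install maps to
# ISAPI extension DLLs that a plain password-protected content site has no
# use for (.htr is the one named in the thread, MS99-019). Adjust to match
# the server's real script map.
RISKY_ISAPI_EXTENSIONS = {".htr", ".ida", ".idq", ".printer", ".htw", ".stm", ".shtm", ".shtml"}

# Constructed sample log (W3C extended format). The .asp request shows the
# normal 401-then-200 challenge flow; the .htr/.ida requests never see a
# 401 because the ISAPI DLL handles them before authentication.
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-12-10 15:53:01 192.0.2.10 GET /members/index.asp - 401
2002-12-10 15:53:02 192.0.2.10 GET /members/index.asp - 200
2002-12-10 15:55:17 198.51.100.7 GET /nosuchfile.htr - 500
2002-12-10 15:55:18 198.51.100.7 GET /default.ida - 500
2002-12-10 15:56:00 192.0.2.10 GET /images/logo.gif - 401
"""


def parse_w3c(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, using the #Fields directive for column names."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("log record appeared before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, values))


def handler_extension(uri_stem: str) -> str:
    """Return the lower-cased extension IIS would use to pick a handler.

    The query string is dropped and percent-encoding undone, because the
    script map is consulted on the decoded path, not on the raw URL.
    """
    path = unquote(urlsplit(uri_stem).path)
    return os.path.splitext(path)[1].lower()


def flag_isapi_requests(log_text: str, risky=RISKY_ISAPI_EXTENSIONS) -> List[Dict[str, str]]:
    """Return every record whose extension maps to an unused ISAPI DLL.

    The status code is deliberately ignored when deciding: the request was
    already dispatched to the DLL whether the server answered 200, 401 or 500.
    """
    hits = []
    for rec in parse_w3c(log_text):
        ext = handler_extension(rec["cs-uri-stem"])
        if ext in risky:
            hits.append({"c-ip": rec["c-ip"], "uri": rec["cs-uri-stem"],
                         "ext": ext, "status": rec["sc-status"]})
    return hits


def summarize(hits: List[Dict[str, str]]) -> Counter:
    """Count flagged requests per extension, to see which mappings get probed."""
    return Counter(h["ext"] for h in hits)


if __name__ == "__main__":
    found = flag_isapi_requests(SAMPLE_LOG)
    for h in found:
        print(f"{h['c-ip']} requested {h['uri']} ({h['ext']}), status {h['status']}")
    print("per-extension:", dict(summarize(found)))
```

Run against a real log directory, the useful output is the per-extension count: any non-zero count for an extension the site does not serve is a mapping that should not be in the script map at all, and removing it closes the path regardless of whether the DLL behind it is patched.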