RE: Microsoft Security Advisory MS 03-007

From: Colcord, Aaron (AColcord@rwbaird.com)
Date: 03/18/03

    From: "Colcord, Aaron" <AColcord@rwbaird.com>
    To: "'M. Burnett'" <mb@xato.net>, focus-ms@securityfocus.com
    Date: Tue, 18 Mar 2003 14:20:15 -0600
    
    

    Great Post. Quick Question.

    >2. Limit the length of requests (the url and any headers) by setting the
    HKLM\SYSTEM\CurrentControlSet\Services\w3svc\parameters
    MaxClientRequestBuffer to something like 16k

    I am curious if changing this setting will affect SSL Encryption as it runs
    under an ISAPI filter. Following the links:
    http://support.microsoft.com/default.aspx?scid=KB;en-us;q260694 ->
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;255574 ->
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;239439. It looks
    like it will, but isn't clear. Anyone done any testing on this setting?

    Aaron Colcord

    -----Original Message-----
    From: M. Burnett [mailto:mb@xato.net]
    Sent: Monday, March 17, 2003 5:16 PM
    To: focus-ms@securityfocus.com
    Cc: Douglas R. Wilson
    Subject: Re: Microsoft Security Advisory MS 03-007

    Setting the permissions on httpext.dll is not the preferred method
    for disabling WebDAV. Setting the DisableWebDAV registry key
    (mentioned below) will completely disable the WebDAV capability on
    IIS.

    Note that the IIS Lockdown wizard DOES NOT set this registry key, it
    only uses permissions.

    It is, however, best to both set this key and tighten permissions.
    For permissions, I only allow administrators Write access to the
    file. That allows for updating the file when installing hotfixes and
    service packs.

    As for this specific vulnerability, the following steps can also help
    prevent it:

    1. Completely disable WebDAV by setting the
    HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\DisableWebDAV
    registry key to 1

    2. Limit the length of requests (the url and any headers) by setting
    the HKLM\SYSTEM\CurrentControlSet\Services\w3svc\parameters
    MaxClientRequestBuffer to something like 16k

    3. Block the following WebDAV HTTP verbs using URLScan (either by
    specifically blocking them or by not listing them as allowed):
    OPTIONS, PROPFIND, PROPPATCH, MKCOL, DELETE, PUT, COPY, MOVE, LOCK,
    UNLOCK, and SEARCH. Note that FrontPage does require the
    OPTIONS method to work properly.

    4. Block the following WebDAV-related headers using the [DenyHeaders]
    section of URLScan.ini:
    [DenyHeaders]
    DAV:
    Depth:
    Destination:
    If:
    Label:
    Lock-Token:
    Overwrite:
    TimeOut:
    TimeType:
    DAVTimeOutVal:
    Other:
    Translate:

    5. If you require WebDAV, you can limit the
    length of each individual header with these entries in the
    [RequestLimits] section (The exact values are obviously pretty
    generic and may need to be increased or decreased based on your
    particular configuration):
    [RequestLimits]
    Max-DAV=250
    Max-Depth=250
    Max-Destination=250
    Max-If=250
    Max-Label=250
    Max-Lock-Token=250
    Max-Overwrite=250
    Max-TimeOut=250
    Max-TimeType=250
    Max-DAVTimeOutVal=250
    Max-Other=250
    Max-Translate=250

    Here is the batch file I use to disable WebDAV:
    --------
    @echo off
    rem Completely disable WebDAV in IIS 5.0; W3SVC reads this key at start-up
    reg add HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters /v DisableWebDAV /t REG_DWORD /d 1 /f
    rem Replace the DACL on httpext.dll so only Administrators keep (Write) access.
    rem Without /E the existing entries are dropped; /Y suppresses the confirmation prompt.
    xcacls %SystemRoot%\system32\inetsrv\httpext.dll /G administrators:W /Y
    rem Restart IIS so the new setting takes effect
    iisreset /restart
    -------

    or, if you prefer using security templates, here is my template for
    disabling WebDAV:

    ---------
    ; Disable WebDAV

    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1

    [Registry Values]
    ; type 4 = REG_DWORD, value 1 (the same key and value the batch file sets)
    MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\DisableWebDAV=4,1

    [File Security]
    ; Mode 1 replaces the existing ACL. The DACL is protected (P) from inheritance and
    ; grants Administrators (BA) only 0x100116 = FILE_WRITE_DATA | FILE_APPEND_DATA |
    ; FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES | SYNCHRONIZE, i.e. Write, nothing else.
    "%SystemRoot%\system32\inetsrv\httpext.dll",1,"D:PAR(A;OICI;0x100116;;;BA)"
    -------

    Mark Burnett
    www.iissecurity.info

    On Mon, 17 Mar 2003 17:02:06 -0500, Douglas R. Wilson wrote:
    >I developed this for my work environment -- however, I believe that
    >it isn't proprietary, and am forwarding it to the list for comment
    >and/or informative values. Hopefully there are no glaring errors.
    >
    >Please realize that any information contained in here should be
    >verified and tested independently before you apply the process to
    >any environment you are responsible for. I take no responsibility for
    >any modifications anyone makes to their system based on what I put
    >down here.
    >
    >--
    >
    >I have done some research today, as many people have asked the "are
    >my web servers vulnerable/need to be patched, et al" question in
    >response to the latest MSFT advisory (MS 03-007). It's likely that
    >most servers that can be patched should be, BUT only after testing,
    >as this may be a much more impactful problem than first realized, as
    >well as all the other innate problems inherent with rolling patches
    >out on production systems.
    >
    >
    >
    >Microsoft has handled this somewhat differently than a standard
    >bulletin, and the conjecture on that could easily be a separate
    >discussion. Initially, however, it points to the fact that this
    >vulnerability is with ALL Windows 2000 servers, period, and they
    >have come out with this patch at this time because IIS servers are
    >actively being compromised already, before the bulletin was
    >released, to deal with an active attack vector. This implies that
    >they may have rushed the patch out the door, and that the problems
    >may involve a lot more parts of windows . . .
    >
    >Points to consider:
    >
    >· This may not be something that is an immediate threat to a
    >lot of the servers if you only consider the IIS attack vector, if
    >they have been deployed with the IIS lockdown tool in most
    >configurations. CERTAIN CONFIGURATIONS OF THE IIS LOCKDOWN TOOL DO
    >LEAVE WEBDAV ENABLED -- other methods should be employed there.
    >There is a list of these profiles that I have found at the end of
    >this.
    >
    >· The servers in question may have other things impacted by
    >the patch, as a core system dll is what is being replaced by this
    >hotfix.
    >
    >· The servers in question may not be able to be rebooted
    >right away in keeping with SLAs/production schedules.
    >
    >
    >
    >This is an issue with a core dll, ntdll.dll, which (I believe) is
    >currently being addressed because an exploit exists that can be
    >injected using IIS as its attack vector.
    >
    >MSFT recommends the IIS lockdown tool as one specific solution.
    >However, some people are not sure they have applied the tool
    >properly, and some people have made modifications and/or installed
    >other applications since then (like Cold Fusion) that may add/modify
    >application mappings, and thus change settings done by the
    >IISLockdown tool.
    >
    >I have derived one result from my research as a way to detect one
    >form of "protection" from the exploit. This only addresses nailing
    >down the IIS based attack vector, and only on certain boxes.
    >However, the only true way to know for sure is if you have the
    >exploit tool, and try using it, and it fails.
    >
    >
    >WebDAV requests are processed in the httpext.dll. This is NOT the
    >dll that the buffer overflow exists in, but it is the dll that
    >initially would handle WebDAV requests, and it is that dll which the
    >IISLockdown tool "locks down."
    >
    >
    >So, if a windows 2000 server is running IIS 5.0, and it has had
    >either:
    >
    >· Service Pack 3 for windows 2000 installed, or
    >
    >· Service Pack 2 and MS02-018: April 2002 Cumulative Patch
    >for Internet Information Services installed, or later cumulative
    >patches installed,
    >
    >
    >
    >The following test can be used:
    >
    >
    >If the C:\winnt\system32\inetsrv\httpext.dll file has ACLs on it
    >such that anonymous web context accounts cannot execute it, the
    >server in question is very likely not vulnerable to this exploit.
    >(Obviously, if you start considering the concept of NT
    >Authentication, and various user accounts accessing the httpext.dll,
    >the scope varies).
    >
    >
    >
    >Older versions of the lockdown tool will simply deny the Everyone
    >Group's permissions to execute -- as long as the anonymous users
    >haven't been put in any privileged group, this is fine. Newer
    >versions of the lockdown tool will create specific groups for web
    >users, and then specifically deny permissions on these files.
    >
    >
    >
    >The reason the service pack level is important is before MS02-018,
    >some WebDAV requests could get around the httpext.dll, due to
    >another issue, which is patched in either MS02-018 or SP3.
    >
    >
    >
    >There may be some way of scripting up a tool that will check for the
    >above parameters on servers, to do quick spot checking, if someone
    >has not already developed a vulnerability testing tool. As I said
    >before, however, the only true way to make sure is to attempt the
    >exploit, and have it fail.
    >
    >IIS Lockdown 2.1 Profiles that leave WebDAV enabled:
    >
    >Small Business Server 2000
    >Exchange 2000 (OWA, PF, IM, SMTP, NNTP)
    >SharePoint Portal Server
    >BizTalk Server 2000
    >Commerce Server 2000
    >
    >
    >Initial public release as pertains to Windows 2000:
    >http://www.microsoft.com/security/security_bulletins/ms03-007.asp
    >
    >
    >
    >The full bulletin, as pertains to IIS:
    >
    >
    >http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-007.asp
    >
    >
    >
    >Article on WebDAV getting around httpext.dll in earlier versions:
    >
    >http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B307934
    >
    >
    >
    >IIS Lockdown Tool 2.1
    >
    >http://download.microsoft.com/download/iis50/Utility/2.1/NT45XP/EN-US/iislockd.exe
    >
    >--
    >
    >Douglas R. Wilson
    >
    >dallendoug@dallenhome.org
    >
    >--
    >
    >"the biologist will tell you that progress is the result of
    >mutations. mutations are another word for freaks. for god's sake
    >let's have a little more freakish behavior- not less .
    >.. . Maybe 90 per cent of the freaks will just be freaks, ludicrous
    >and pathetic and getting nowhere but into trouble. . .
    >Eliminate them, however- bully them into conformity- and nobody in
    >america will ever be really young any more and we'll be left
    >standing in the dead center of nowhere."
    >
    >-- Tennessee Williams
    >
    >
    >---------------------------------------------------------------------
    >-
    >ALERT: How a Hacker Uses SQL Injection to Steal Your SQL Data!
    >It's as simple as placing additional SQL commands into a Web Form
    >input box giving hackers complete access to all your backend
    >systems! http://www.spidynamics.com/mktg/sqlinjection33


    **********************************************************************
    Robert W. Baird & Co. is required by regulation to review and store
    both outgoing and incoming electronic correspondence. Baird
    may be required to produce e-mail records for the SEC or other
    regulators in a criminal investigation. E-mail transmission cannot
    be guaranteed to be secure, timely or error-free. Baird therefore
    recommends that you do not send confidential information to us via
    electronic mail, including account numbers, social security
    numbers or any personal identification numbers. This is not an
    offer, or solicitation of an offer to buy or sell any security
    investment or other product. Any information regarding specific
    investment products is subject to change without notice. Any review,
    forwarding, dissemination or other use of, or taking of any action in
    reliance upon this information by persons or entities other than the
    intended recipient is prohibited. If you received this in error,
    please contact the sender and delete the material from any computer
    on which it exists.


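Douglas's spot check (can the anonymous web account execute httpext.dll?) and Mark's security template both come down to reading a file DACL. The script below is an added example, not code from either post: it parses the SDDL form the template uses and evaluates whether a token holding a given set of SIDs would be granted FILE_EXECUTE, walking the ACEs in order the way Windows does (simplified: owner rights, restricted SIDs and object ACEs are not modelled). The IUSR and "Web Anonymous Users" SIDs are made-up placeholders, and the sample DACLs other than Mark's are constructed to stand for the stock, older-lockdown (deny Everyone) and newer-lockdown (deny web users group) cases the thread describes.

```python
import re

# Two-letter SDDL access-right aliases for file objects and the masks they expand to.
RIGHT_ALIASES = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# Individual file access bits, used to spell out what a numeric mask grants.
FILE_RIGHTS = [
    (0x000001, "FILE_READ_DATA"), (0x000002, "FILE_WRITE_DATA"),
    (0x000004, "FILE_APPEND_DATA"), (0x000008, "FILE_READ_EA"),
    (0x000010, "FILE_WRITE_EA"), (0x000020, "FILE_EXECUTE"),
    (0x000040, "FILE_DELETE_CHILD"), (0x000080, "FILE_READ_ATTRIBUTES"),
    (0x000100, "FILE_WRITE_ATTRIBUTES"), (0x010000, "DELETE"),
    (0x020000, "READ_CONTROL"), (0x040000, "WRITE_DAC"),
    (0x080000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]
FILE_EXECUTE, GENERIC_EXECUTE, GENERIC_ALL = 0x20, 0x20000000, 0x10000000
# Well-known SID abbreviations that may appear in an ACE's trustee field.
SID_ALIASES = {"BA": "S-1-5-32-544", "BU": "S-1-5-32-545", "SY": "S-1-5-18",
               "WD": "S-1-1-0", "AU": "S-1-5-11", "IU": "S-1-5-4"}


def parse_mask(field):
    """Access-mask field of an ACE: either 0x-hex or a run of two-letter aliases."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHT_ALIASES[field[i:i + 2].upper()]
    return mask


def parse_dacl(sddl):
    """Return the ACEs of the D: (DACL) part of an SDDL string, in their original order."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in %r" % sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(2)):
        parts = ace.split(";")
        if len(parts) != 6:
            raise ValueError("malformed ACE %r" % ace)
        ace_type, flags, rights, _obj, _inh_obj, sid = parts
        aces.append({"type": ace_type,
                     "flags": {flags[i:i + 2] for i in range(0, len(flags), 2)},
                     "mask": parse_mask(rights),
                     "sid": SID_ALIASES.get(sid, sid)})
    return aces


def describe_mask(mask):
    """Names of the file-access bits set in mask (what an 0x... ACE actually grants)."""
    return [name for bit, name in FILE_RIGHTS if mask & bit]


def grants_execute(sddl, token_sids):
    """Simplified DACL evaluation for one requested right (FILE_EXECUTE): skip ACEs
    that are inherit-only or do not name a SID in the token, and stop at the first
    ACE that mentions the execute bit; deny wins if it comes first, as in Windows."""
    exec_bits = FILE_EXECUTE | GENERIC_EXECUTE | GENERIC_ALL
    for ace in parse_dacl(sddl):
        if "IO" in ace["flags"] or ace["sid"] not in token_sids:
            continue
        if ace["mask"] & exec_bits:
            if ace["type"] == "D":
                return False
            if ace["type"] == "A":
                return True
    return False  # no applicable allow ACE (or an empty DACL): access denied


# Constructed token for IIS's anonymous account (IUSR_<machine>): its own SID plus
# Everyone, Users and Authenticated Users. Both machine-specific SIDs are made up.
IUSR_SID = "S-1-5-21-1111111111-2222222222-3333333333-1004"
WEB_ANON_GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1020"  # stands in for "Web Anonymous Users"
IUSR_TOKEN = {IUSR_SID, "S-1-1-0", "S-1-5-32-545", "S-1-5-11", WEB_ANON_GROUP}

# Constructed DACLs for httpext.dll; only "burnett" is taken from the thread.
SAMPLE_DACLS = {
    "stock":        "D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;BU)(A;;0x1200a9;;;WD)",
    "lockdown_old": "D:(D;;FX;;;WD)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;WD)",
    "lockdown_new": "D:(D;;FX;;;" + WEB_ANON_GROUP + ")(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;WD)",
    "burnett":      "D:PAR(A;OICI;0x100116;;;BA)",
}


def audit_httpext(dacls=SAMPLE_DACLS, token=IUSR_TOKEN):
    """Map each DACL name to True if the anonymous web token could execute the file."""
    return {name: grants_execute(sddl, token) for name, sddl in dacls.items()}


if __name__ == "__main__":
    for name, can_exec in audit_httpext().items():
        print("%-13s anonymous execute: %s" % (name, can_exec))
    print("0x100116 =", " | ".join(describe_mask(0x100116)))
```

Only the "stock" DACL lets the anonymous token execute the file; both lockdown variants and Mark's Administrators-only DACL deny it. On a live server the SDDL string can be obtained with `cacls` / `xcacls` output or any tool that dumps the security descriptor, and fed to `grants_execute` with the SIDs of the real IUSR account and its groups.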

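Douglas notes that the only sure test is to send the request and watch it fail, and Mark's URLScan rules deny both the WebDAV verbs and the WebDAV headers. The probe below is an added example, not code from either post: it builds raw OPTIONS and PROPFIND requests (the PROPFIND carries a Depth header, so it trips the header rule as well as the verb rule), then classifies the answer. A 207 Multi-Status or an OPTIONS reply advertising DAV means WebDAV handled the request; a 404 is what URLScan returns for a rejected request. The sample responses embedded at the bottom are constructed, not captured from a real server, and the host name in the usage is a placeholder.

```python
import socket

WEBDAV_METHODS = ("PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH")


def build_request(method, host, path="/", headers=None):
    """Assemble a raw HTTP/1.1 request; raw bytes so header names reach URLScan
    exactly as written rather than being normalised by a client library."""
    lines = ["%s %s HTTP/1.1" % (method, path), "Host: %s" % host, "Connection: close"]
    for name, value in (headers or {}).items():
        lines.append("%s: %s" % (name, value))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Split a raw response into (status code, {lowercase header name: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(method, status, headers):
    """What the response says about WebDAV handling on the server."""
    if method == "OPTIONS":
        allow = {v.strip().upper() for v in headers.get("allow", "").split(",") if v.strip()}
        if "dav" in headers or allow & set(WEBDAV_METHODS):
            return "webdav-advertised"
        return "webdav-not-advertised"
    if status == 207:
        return "webdav-answered"        # Multi-Status: httpext.dll processed the request
    if status == 401:
        return "auth-challenge"         # reached an authenticating handler; inconclusive
    return "rejected (%d)" % status     # 404 = URLScan reject; 501/405 = verb not handled


def probe(host, port=80, path="/", timeout=5):
    """Send OPTIONS and PROPFIND (Depth: 0) to a live server and classify both replies."""
    results = {}
    for method, hdrs in (("OPTIONS", {}), ("PROPFIND", {"Depth": "0"})):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_request(method, host, path, hdrs))
            raw = b""
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
        status, headers = parse_response(raw)
        results[method] = classify(method, status, headers)
    return results


# Constructed responses (not captured from a real server) covering each outcome.
SAMPLE_RESPONSES = {
    "options_dav":   b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nDAV: 1, 2\r\n"
                     b"Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
                     b"MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n\r\n",
    "options_plain": b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
                     b"Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n\r\n",
    "propfind_207":  b"HTTP/1.1 207 Multi-Status\r\nServer: Microsoft-IIS/5.0\r\n"
                     b"Content-Type: text/xml\r\n\r\n<?xml version=\"1.0\"?><a:multistatus xmlns:a=\"DAV:\"/>",
    "propfind_404":  b"HTTP/1.1 404 Object Not Found\r\nServer: Microsoft-IIS/5.0\r\nContent-Length: 0\r\n\r\n",
}


def classify_sample(name):
    """Run the classifier over one of the constructed responses."""
    method = "OPTIONS" if name.startswith("options") else "PROPFIND"
    status, headers = parse_response(SAMPLE_RESPONSES[name])
    return classify(method, status, headers)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))          # e.g. python probe.py webserver.example (placeholder)
    else:
        for name in SAMPLE_RESPONSES:
            print(name, "->", classify_sample(name))
```

Run it against a server both before and after applying the registry key, the ACL change and the URLScan rules: a PROPFIND that still comes back 207 means one of the three was not applied, while "rejected (404)" on an IIS box running URLScan is the filter doing its job. An OPTIONS reply that no longer lists the DAV verbs is a weaker signal, since the Allow list is advisory.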