IIS outgoing http vulnerability

From: Andrew Clancy (nite_at_achren.org)
Date: 07/07/04


Date: 7 Jul 2004 06:48:58 -0700

Hi,

I am having a discussion with my systems administrators at the moment
related to the security of ServerXMLHttp on an IIS 6 webserver.

Their current policy is to restrict all outgoing connections and only
allow connections to specific ports. This is based on a best practice
founded in a vulnerability that I feel is redundant and logically
impossible to exploit now from 2+ years ago.

Here is a link to the type of vulnerability:
http://www.governmentsecurity.org/articles/HackingIISTutorial.php

My suggestions are:

Both of these vulnerabilities can be prevented.
"Buffer overruns should be handled by a good firewall. However, if
this were ever compromised: "

(response was firewalls cant detect types of traffic, only expensive
addons can, but cant the firewall just prevent massive amounts of
simultaneous requests?)

"Listening programs should be prevented from receving connections
using software installed on the server. Only IIS-initiated connections
should be allowed. "

(response was it is not possible to restrict outgoing access to
specific apps, but surely it is?? can software like this handle it
http://www.eeye.com/html/products/secureiis/)

I'm sure there is a workable solution to this out there where any IP's
can be opened outgoing (my issue is that it is taking to long to open
each IP with the time to wait for IP range lists and the request being
processed up to 3 days)

Any suggestions would be appreciated!
Thanks,
AndyC