IIS outgoing http vulnerability

From: Andrew Clancy (nite_at_achren.org)
Date: 07/07/04


Date: 7 Jul 2004 06:48:58 -0700

Hi,

I am having a discussion with my systems administrators at the moment
related to the security of ServerXMLHttp on an IIS 6 webserver.

Their current policy is to restrict all outgoing connections and only
allow connections to specific ports. This is based on a best practice
founded on a vulnerability that I feel is redundant and logically
impossible to exploit now from 2+ years ago.

Here is a link to the type of vulnerability:
http://www.governmentsecurity.org/articles/HackingIISTutorial.php

My suggestions are:

Both of these vulnerabilities can be prevented.
"Buffer overruns should be handled by a good firewall. However, if
this were ever compromised: "

(The response was that firewalls can't detect types of traffic, only
expensive add-ons can, but can't the firewall just prevent massive
amounts of simultaneous requests?)

"Listening programs should be prevented from receiving connections
using software installed on the server. Only IIS-initiated connections
should be allowed. "

(The response was that it is not possible to restrict outgoing access to
specific apps, but surely it is? Can software like this handle it?
http://www.eeye.com/html/products/secureiis/)

I'm sure there is a workable solution to this out there where any IPs
can be opened outgoing (my issue is that it is taking too long to open
each IP, with the time to wait for IP range lists and the request being
processed up to 3 days).

Any suggestions would be appreciated!
Thanks,
AndyC
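The per-application outbound restriction the post asks about (only IIS-initiated connections, and only to specific ports) can be expressed directly as host-firewall policy on a modern Windows Server, where Windows Firewall with Advanced Security supports outbound rules scoped to a program. The following is an added example, not code from the original post or thread, and it assumes the NetSecurity PowerShell module, an IIS worker process at the default w3wp.exe path, and placeholder rule names and address ranges that should be replaced with real values.

```powershell
# Added example (not part of the original post). Assumes a modern Windows Server
# where the host firewall supports outbound rules (NetSecurity module).
# The worker-process path, rule names and the CIDR below are assumptions.

$IisWorker = "C:\Windows\System32\inetsrv\w3wp.exe"   # assumed IIS worker process
$AllProfiles = "Domain", "Private", "Public"

# 1. Default-deny outbound on every profile. Anything not matched by an
#    explicit allow rule below (or an enabled built-in rule) is dropped.
Set-NetFirewallProfile -Profile $AllProfiles -DefaultOutboundAction Block

# 2. Allow only the IIS worker process to originate TCP 80/443 connections.
#    Other processes on the server get no outbound HTTP at all.
New-NetFirewallRule -DisplayName "Allow IIS worker outbound HTTP/HTTPS" `
    -Direction Outbound -Program $IisWorker -Protocol TCP -RemotePort 80, 443 `
    -Action Allow -Profile $AllProfiles

# 3. Optional tighter variant: same program and ports, but limited to a set of
#    destination networks. Replace the placeholder CIDR with the partner ranges
#    the application actually needs; multiple ranges can be listed.
New-NetFirewallRule -DisplayName "Allow IIS worker outbound to partner ranges" `
    -Direction Outbound -Program $IisWorker -Protocol TCP -RemotePort 80, 443 `
    -RemoteAddress "203.0.113.0/24" `   # placeholder (TEST-NET-3), not a real partner
    -Action Allow -Profile $AllProfiles

# 4. Name resolution must still work for the system resolver, otherwise
#    ServerXMLHTTP calls by hostname fail before any TCP connection is made.
New-NetFirewallRule -DisplayName "Allow outbound DNS" `
    -Direction Outbound -Protocol UDP -RemotePort 53 `
    -Action Allow -Profile $AllProfiles

# 5. Verify what was actually installed: default action per profile, and the
#    program and port filters attached to the IIS rule.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
$rule = Get-NetFirewallRule -DisplayName "Allow IIS worker outbound HTTP/HTTPS"
$rule | Get-NetFirewallApplicationFilter | Select-Object Program
$rule | Get-NetFirewallPortFilter | Select-Object Protocol, RemotePort

# 6. Behavioural check from an unprivileged process: PowerShell itself is not
#    in the allow list, so this connection should be refused by the policy.
Test-NetConnection -ComputerName "example.com" -Port 443 -InformationLevel Detailed
```

Two caveats matter in practice. Switching the default outbound action to Block affects every process on the host, so services the server legitimately depends on (update agents, monitoring, directory traffic) each need their own scoped allow rule, and the built-in "Core Networking" rules should be reviewed rather than assumed. Second, the program filter keys on the executable path, so the rule constrains w3wp.exe as a whole, not an individual site or the ServerXMLHTTP call inside it; destination restriction (step 3) is where the per-site policy actually lives, which is why an address-scoped rule is worth the administrative cost the post complains about.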


