SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server Vendors:   Microsoft
Microsoft IIS Web Server May Disclose Private IP Addresses in Certain Cases
SecurityTracker Alert ID:  1010610
SecurityTracker URL:  http://securitytracker.com/id/1010610
CVE Reference:   CAN-2002-0422   (Links to External Site)
Date:  Jun 29 2004
Impact:   Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4, 5, 5.1
Description:   A vulnerability was reported in Microsoft's Internet Information Server (IIS). A remote user may be able to determine internal IP addresses.

In March 2002, NGSSoftware reported that a remote user can make a specially crafted request against a web server that is using a private IP address to determine the private IP address. An HTTP PROPFIND request with a blank Host header value will trigger the flaw, the report said. A demonstration exploit request is provided:

PROPFIND / HTTP/1.1
Host:
Content-Length: 0

The WRITE or MKCOL method can also be used, it was reported.

The advisory indicated that IIS version 4.0 is only affected if HTTP Basic authentication is enabled.

The original advisory is available at:

http://www.nextgenss.com/advisories/iisip.txt
Impact:   A remote user can determine the internal IP address of the web service (if, for example, the web server is using a private IP address).
Solution:   The author has provided the following solution steps [quoted]:

Open a command prompt and change the current directory to c:\inetpub\adminscripts or to where the adminscripts can be found.

Run the commands

adsutil set w3svc/UseHostName True
net stop iisadmin /y
net start w3svc

This will cause the IIS server to use the machine's host name rather than its IP address.
Vendor URL:  www.microsoft.com/technet/security/ (Links to External Site)
Cause:   Access control error
Underlying OS:   Windows (NT), Windows (2000), Windows (XP)

Message History:   None.

 Source Message Contents
Date:  2002-03-05 17:58:24
Subject:  IIS Internal IP Address Disclosure (#NISR05032002B)


NGSSoftware Insight Security Research Advisory

Name: 			Internal IP Addresses and IIS
Systems Affected: 	Microsoft IIS 4/5/5.1
Platforms:			Windows NT/2000/XP
Severity:			Low Risk
Vendor URL: 		http://www.microsoft.com/
Author:			David Litchfield (david@nextgenss.com)
Date:				4th March 2002
Advisory number:		#NISR05032002B
Advisory URL:		http://www.nextgenss.com/advisories/iisip.txt

Issue:			Possible to discover internal IP addresses used
				by IIS Servers

Description
***********
Microsoft's Internet Information Server offers web, ftp, mail and nntp
services. If the server is protected by a firewall using Network Address
Translation and the server uses a private internal IP address then, by
making a malformed request to the web service it is possible for an
attacker to discover this IP address. Whilst this won't come anywhere
near to allowing an attacker to compromise a IIS server it will help
them formulate further attacks. This issue is similar to the issue
documented at
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q218180&id=KB;EN
-US;Q218180


Details
*******
By making certain requests to the web service with a blank Host HTTP
client header the server response will often contain the server's IP
address, for example when using the PROPFIND request method.

PROPFIND / HTTP/1.1
Host:
Content-Length: 0

The server will return a 207 Multi-Status response with certain
properties of the root page. The server's IP address will be revealed if
the HREF property. Using the WRITE or MKCOL method will return the
machine's IP address in the Location server HTTP header, though of
course if the server allows the WRITE and MKCOL methods then the server
has greater problems.

Only IIS 5 and 5.1 support the WebDAV methods so these methods only
affect these systems. IIS 5.x and 4.0 are both vulnerable to this issue
if Basic authentication is enabled. (see #NISR05032002A
http://www.nextgenss.com/advisories/iisauth.txt)




Fix Information
***************
To prevent internal IP address disclosure take the following steps.

Open a command prompt and change the current directory to
c:\inetpub\adminscripts or to where the adminscripts can be found.

Run the commands

adsutil set w3svc/UseHostName True
net stop iisadmin /y
net start w3svc

This will cause the IIS server to use the machine's host name rather
than its IP address.


Vendor Status
*************
Microsoft was informed of this issue. They didn't need to take any
action as a suitable work-around is available.


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC