SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Web Server/CGI) > Microsoft Internet Information Server (IIS) Web Server
Vendors:  Microsoft
Microsoft Internet Information Server (IIS) Lets Remote Users Create Bogus Web Log Entries
SecurityTracker Alert ID:  1002778
SecurityTracker URL:  http://securitytracker.com/id/1002778
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Nov 20 2001
Impact:   Modification of user information
Exploit Included:  Yes  
Version(s): 5.0, possibly other versions
Description:   A logging vulnerability was reported in Microsoft's Internet Information Server (IIS) web server. A remote user can create bogus web log entries.

It is reported that percent-encoded (hex) characters in a URL request are decoded into the corresponding characters when the request is written to an IIS log entry. For example, '/index%2easp' is recorded in the IIS log file as '/index.asp'. The report states that %0A is translated to a new line character and %FF to a character that looks just like a space (in code page 437, as used by MS-DOS Edit, the byte 0xFF is a no-break space).

A remote user can therefore craft a URL that results in a bogus log entry that appears to be valid.

For example, a URL request for '/index.asp' can be formed as the following string:

/index.asp%FF200%FFHTTP/1.1%0A00:52:11%FF[ipaddress]%FFGET%FF/evilplaces

The request for /index.asp is terminated with a 200 status and HTTP/1.1 showing the HTTP version. Following that, a new line (%0A) is started; the server's genuine status and version fields, which are written after the URI stem, then complete the second line. This will reportedly create a log entry from '[ipaddress]' for '/evilplaces'.

The vendor has reportedly been notified.

Impact:   A remote user can cause the web server to create a bogus log entry.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   Input validation error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)
Underlying OS Comments:  Tested on Windows 2000

Message History:   None.


 Source Message Contents

Subject:  IIS logging issue


TOPIC: Microsoft IIS is vulnerable to log faking.
ADVISORY NR: 200103
DATE: 18-11-01
VULNERABILITY FOUND AND WRITTEN BY: 1; (One Semicolon)

CONTACT INFORMATION
http://onesemicolon.cjb.net
me@onesemicolon.cjb.net


STATUS
Microsoft was contacted on September 18, 2001 by emailing
secure@microsoft.com. A reply was received saying Microsoft was unable to
reproduce this using Notepad. I had only given the hex codes for
Edit in MS-DOS. After letting this sit for a while I got the hex codes for
another text editor. So I sent that to Microsoft on November 12, 2001.
I have not received a reply to this yet.


DESCRIPTION
Microsoft IIS is a web server. duh. ;)
This vulnerability was tested to work using Windows 2000 and IIS 5.0 without
changes to the logging settings.


VULNERABILITY
Log entries in the IIS logfile have the hex codes in a request translated
to a character.
/index%2easp becomes /index.asp and is shown as that in the logfile.
The problem is that %0A becomes translated to a new line and %FF to what
looks just like a space. Using these two you can successfully create two
perfectly real looking log entries.

/index.asp%FF200%FFHTTP/1.1%0A00:52:11%FF198.116.142.34%FFGET%FF/evilplaces
here the request for /index.asp is ended with a 200 notice and HTTP/1.1
showing what version has been used HTTP wise. Then a new line (%0A) is
started.
At first I thought that getting the time right would become a difficult
one. It turns out I was wrong. All logging is done using Greenwich time.
All one needs to do is figure out the current time in London and they are
done.
Then the IP of the person who you wish to use follows. Then whatever you
think they should be caught asking for.
The %FF and %0A work when using MS-DOS's Edit.
To make this work in WordPad which more likely will be used to view logs,
replace %FF with %09.


FIX
No fix has been released for this problem as far as I know.


PLEASE
Maybe administrators of computers that use different webserver software
could try all hexcodes and find out if their particular server is
vulnerable to the same issue and then proceed to contact their manufacturer?
I have already found another company's server software to be vulnerable to
the same issue. Rather than people going around issuing many advisories for
the same issue but different software company, it would be nice if the
separate companies could just be notified and be able to issue a patch for
their particular program.


FINAL NOTES
These days logs are used very often to prove illegal activity. When logs
cannot be trusted there is a serious problem: how else do you prove
illegal activity?

IIS 5.0 lets you set different logging formats. I used the settings that
were put there by the IIS installation. For me this was W3C Extended
Log File Format, which logged the following things:
- Time (time)
- Client IP Address (c-ip)
- Method (cs-method)
- URI Stem (cs-uri-stem)
- Protocol Status (cs-status)
- Protocol Version (cs-version)
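The following is a worked example added to this archive page; it is not part of the SecurityTracker alert or of One Semicolon's advisory, and the log writer in it is a model of the behaviour the alert's Description and the advisory describe, not Microsoft's code. It writes the six default W3C Extended fields listed directly above, shows how the advisory's payload turns one request into two records, renders the file as a code page 437 editor would (where byte 0xFF is the no-break space, which is why it looks like a space in MS-DOS Edit), and adds two things the page does not show: a hardened writer that re-escapes the decoded stem so a request can never add a line, and a detector that flags forged records in an existing log. The addresses 203.0.113.5 and 192.0.2.10 are RFC 5737 test addresses substituted for those in the advisory; the sample request is constructed.

```python
"""Model of the IIS log-forging issue described on this page.

One request whose percent-decoded URI stem contains a line feed (%0A) and a
byte that renders like a space (%FF in code page 437, or a tab via %09)
produces two plausible-looking W3C Extended log lines. The writer below is a
model of the behaviour the advisory describes, not Microsoft's code.
"""
from urllib.parse import unquote_to_bytes

# Default W3C Extended fields the advisory lists, in log order.
FIELDS = ("time", "c-ip", "cs-method", "cs-uri-stem", "sc-status", "cs-version")

# Constructed sample: the advisory's payload with RFC 5737 test addresses.
# 203.0.113.5 is the real client; 192.0.2.10 is the host being framed.
REAL_CLIENT = "203.0.113.5"
FORGED_URI = "/index.asp%FF200%FFHTTP/1.1%0A00:52:11%FF192.0.2.10%FFGET%FF/evilplaces"


def _record(time, client_ip, method, stem, status, version):
    """Join the six fields with single spaces, W3C Extended style."""
    return b" ".join([time.encode(), client_ip.encode(), method.encode(),
                      stem, str(status).encode(), version.encode()]) + b"\n"


def vulnerable_log_line(time, client_ip, method, raw_uri, status, version):
    """Reported behaviour: the URI stem is percent-decoded and the resulting
    bytes (including 0x0A and 0xFF) are written to the log verbatim."""
    return _record(time, client_ip, method, unquote_to_bytes(raw_uri), status, version)


def hardened_log_line(time, client_ip, method, raw_uri, status, version):
    """Same record, but the decoded stem is re-escaped before writing: any
    byte outside 0x21-0x7E, plus '%' itself, becomes %XX, so a request can
    never add a line or an extra field separator to the log."""
    safe = b"".join(bytes([b]) if 0x21 <= b <= 0x7E and b != 0x25 else b"%%%02X" % b
                    for b in unquote_to_bytes(raw_uri))
    return _record(time, client_ip, method, safe, status, version)


def render_as_viewed(log_bytes, codepage="cp437"):
    """What an administrator sees in a DOS-era editor: in code page 437 the
    byte 0xFF is the no-break space, so the forged separators look like spaces."""
    return log_bytes.decode(codepage)


def find_suspicious_entries(log_bytes):
    """Detector for forged records. A genuine record is exactly len(FIELDS)
    space-separated printable-ASCII fields; '#' directive lines are skipped.
    Flags control or non-ASCII bytes (0x09, 0xFF, ...) and wrong field counts."""
    findings = []
    for lineno, line in enumerate(log_bytes.split(b"\n"), start=1):
        if not line or line.startswith(b"#"):
            continue
        reasons = []
        bad = sorted({b for b in line if b < 0x20 or b > 0x7E})
        if bad:
            reasons.append("non-printable bytes " + ",".join(f"0x{b:02X}" for b in bad))
        nfields = len(line.split(b" "))
        if nfields != len(FIELDS):
            reasons.append(f"{nfields} fields, expected {len(FIELDS)}")
        if reasons:
            findings.append((lineno, "; ".join(reasons)))
    return findings


def demo():
    """Run the forged request through both writers and the detector."""
    args = ("00:52:10", REAL_CLIENT, "GET", FORGED_URI, 200, "HTTP/1.1")
    vuln, hard = vulnerable_log_line(*args), hardened_log_line(*args)
    # WordPad variant from the advisory: %09 (tab) instead of %FF.
    tab_variant = vulnerable_log_line(*args[:3], FORGED_URI.replace("%FF", "%09"), *args[4:])
    return {
        "vulnerable_lines": vuln.count(b"\n"),       # 2: one request, two records
        "hardened_lines": hard.count(b"\n"),         # 1
        "as_viewed": render_as_viewed(vuln),
        "vulnerable_findings": find_suspicious_entries(vuln),
        "tab_variant_findings": find_suspicious_entries(tab_variant),
        "hardened_findings": find_suspicious_entries(hard),  # []
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The detector does not depend on how a particular editor renders the bytes, so it catches both the %FF and the %09 variants the advisory mentions, and the field-count check would still fire if an attacker found a separator byte the printable-ASCII test missed. The hardened writer keeps the record machine-parseable (the original request is recoverable by percent-decoding the stem) while guaranteeing one physical line per request.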

Copyright 2019, SecurityGlobal.net LLC