Blackhat 99

Perils and Pitfalls of IIS Web
Security
Eugene Schultz, Global Integrity Corporation (an SAIC
Company) and Purdue University
Black Hat Conference
Las Vegas, Nevada
July 8, 1999
Copyright 1999, Global Integrity Corporation - All Rights Reserved
Copying these materials without the explicit, written permission of
Global Integrity Corporation is prohibited.
Agenda
Introduction
Vulnerabilities
Solutions
Conclusion
Copyright 1999, Global Integrity Corporation
Surprise,
25 June 1999:surprise?
Federal Computers Vulnerable
According to federal officials, federal websites and
computer systems are particularly vulnerable to
outside attacks because they lack two important
elements: adherence to security plans and qualified
personnel to maintain security measures.
http://www.newspage.com/cgi-bin/NA.GetStory?story=h0624132.500
&date=19990625&level1=46510&level2=46515&level3=821
About the IIS Web

server
Very widely used
Web server package
Main advantages
Price
Ease
of development and maintenance
Server itself can be implemented using

CGI
ISAPI
ASP
A related component--Front Page

Supports development
and maintenance of Web
pages
Consists of
Explorer
(client side)
Editor (client side)
Server
Server Extensions (for managing and referencing HTML
pages)
FrontPage Bots perform tasks such as

automatically creating a table of contents
IIS Web
authentication*
Basic authentication---to
determine
identification and rights of client

First check--to see if user is anonymous
If anonymous access fails, server sends back information

about other types of authentication that are available
If user is authenticated, server determines whether users
credentials are sufficient to allow access to resources
Second--challenge-response authentication
If anonymous access fails, IIS will normally attempt challengeresponse authentication
Last resort--cleartext authentication

* - Most events that occur are transparent to users---exception, when the
type of authentication used requires users to enter a usernamepassword sequence
MSV1_0
authentication
4. Retrieval of
entries from
SAM
database
1. Authentication request
5. Encryption
of nonce
2. 8-byte
nonce
SERVER
6. Comparison
of encrypted
nonces
3. Encrypted
nonce
CLIENT
Choosing IIS Web authentication

WWW Service Properties for EXCELSIOR
Service Directories Logging Advanced

Connection Timeout:
600
seconds
Maximum Connections 1000

Anonymous Logon
Username
Password
Password Authentication
Allow Anonymous
Basic (Clear Text)
Windows NT Challenge/Response
OK
Cancel
Apply
Help
8
Basic IIS access control

methods
Authentication
Limited execution environment
NTFS permissions
Internet Service Manager settings
Exposures in IIS Web

services
Incompatibility
of authentication schemes
drives cleartext authentication as the
common denominator
Web users are authenticated either as local
users or domain users
Local access short circuits many security controls

Unauthorized access to Web server can result in
unauthorized domain-wide access
IIS runs as SYSTEM
10

Buffer overflowservices
conditions abound
IUSR_Servername account is created either in a
domain or on a member server of an IIS Web server
ASP page access is not properly limited
Front Page vulnerabilities allow a variety of
undesirable outcomes, including
Unauthorized,
privileged access to Web server

Ability to remotely read and write to any file
Denial of service
11

services
Vulnerabilities in
Active Server itself can result in a
wide range of undesirable outcomes from a security
perspective
Denial
of service
Ability to modify Web page content
Ability to read and/or alter files that are not part of the Web
server
Bots may allow unauthorized reads/writes of Web

page content
Most Web servers themselves are not well-written
from a security perspective
12
Exampl
e 1 condition in the ISAPI
A potential buffer overflow
extension ISM.DLL (a filter used to process .HTR
files) allows
Someone
to crash IIS by sending a long argument

(FORMAT: GET /[overflow].htr HTTP/1.0)
Execution of rogue code
Version affected: IIS 4.0 (SPs 4 and 5)

Problem: lack of proper bounds checking
Solutions: Apply hot fix, or remove the script
mapping for .HTR files from ISAPI.DLL
13
Exampl
eto2use a default .asp page to
A bug allows anyone
view and also to modify source code by requesting
a file from a virtual directory (simply enter ../)
Problem: normal processing of the file is
circumvented
Several variants of this bug exist
Found in IIS 3.0 and 4.0
Patch is available (but best solution may be to
remove all default .asp pages)
14
Exampl
3 that require
A bug allows CGIe
scripts
authentication to be run without any
authentication
Version affected: IIS 3.0
Is really more of a limitation in an intended
security feature than a vulnerability
Upgrade to IIS 4.0
15
Exampl
e 4 the path to a virtual
Someone can discover
directory
Requires only connecting to the msdownload
directory at a site, then pressing
Refresh/Reload
Can facilitate an attackers efforts to locate
resources to attack
All versions are affected
No patch available yet
16
Exampl
5 can crash IIS,
A malformed GETe
request
causing data corruption
Requires that more than one virtual server run
on one machine
Problem: quitting inetinfo.exe by one server
fails to produce a file handle for TEMP files that
the other needs for data writes
Problem is robust across different releases
Hot fix (see Q192296) available
17
Exampl
e can
6 create an ISAPI
An unprivileged user
extension to load rogue CGIs that run as SYSTEM
GetExtensionVersion()
Default()
Applies to any Web server that supports ISAPI

extensions
Exploit code posted widely over the net
All versions are affected
Solution: do not allow users to load CGIs
18
Exampl
e 7can use NetBIOS
An anonymous user
mechanisms to remotely reach \%systemroot
%\system32\inetsrv\iisadmpwd (virtual
directory /IISADMPWD) to start up HTR files
Passwords
can be changed without authorization

Information about accounts is readable
Best solution is debatable

Delete
/IISADMPWD?
Filter traffic bound for TCP port 139?
19
Exampl
e can
8 access cached files
An unauthorized user
without being authenticated
Requires that
More
than one virtual server run on one machine

Both servers have the identical physical and virtual
directory for each target file
This bug is found in all versions of IIS

Problem: failure to recheck credentials after a
cached file is initially accessed
Solutions: Allow only one virtual server on any
machine, or disable caching
20
Exampl
e 9 HTTP requests
IIS may fail to log successful
Requests include
File
name
Default.asp
Request method (the attacker must make this very
long---at least 10140 bytes)
May be found only in particular releases (e.g., IIS

4.0 server that was upgraded)
No suitable solution so far, but try installing IIS 4.0
instead of upgrading from IIS 3.0
21
Example
10 calling one or more
Under certain conditions,
ASPs may cause 100% CPU utilization
\exair\root\search\advsearch.asp
\exair\root\search\query.asp
\exair\root\search\search.asp
Default exair page and the DLLs it references

must not be in memory
Best solution: delete \exair and everything
below it
22
IIS-specific Web security

measures
Consider running
a Web server that does not
run as SYSTEM
Run the most recent version of IIS Web server
Avoid running IIS on domain controllers
Ensure that the IUSR_<servername> account
has a strong password
Dedicate Web-accessible volumes to HTTPbased access
23

measures
Use Internet Service Manager to set
access permissions (read and/or write)
Ensure that Front Page extensions have
appropriate NTFS permissions
Avoid Active Server implementations
when security needs are higher
Use Active Server only to access a
Microsoft transaction component (i.e.,
dont put code in Active Server itself)
24

measures
Consider enabling
IP filtering
Disable the NetBIOS layer of networking
Use SSL, HTTP-S, or PCT to encrypt sessions
It is generally best to deploy IIS as an internal
Web server
Patch, patch, patch...
25
Placement of external IIS

servers
INTERNET OR EXTERNAL NETWORK
SERVER SHOULD NOT

BE PART OF ANY NT
DOMAIN
ROUTER
IIS WEB SERVER
DMZ
FIREWALL
INTERNAL NETWORK
SECURITY PERIMETER
26
TFT
Trivial File TransferP
27
TFT
Trivial File TransferP
28

measures
Consider enabling IP filtering

Disable the NetBIOS layer of networking
Use SSL, HTTP-S, or PCT to encrypt
sessions
It is generally best to deploy IIS as an
internal Web server
Patch, patch, patch...
(continued from previous slide)
Conclusion
We havent even looked into security-related
vulnerabilities in
Browsers
IIS FTP
Choose your poison---CGI, ISAPI, or ASP

Securing IIS requires paying attention to
IIS and its many vulnerabilities

The many extensions and filters that are typically part of
the IIS environment
The Web application
Windows NT itself
Conclusion
The number of reported bugs has
increased dramatically over the last year
The problem is only going to get worse in
the next version
Fronting server
Cache box
(continued from previous slide)
TCP/IP Services and NT

Domains
Serious concern: NT web servers or firewalls
running within an NT domain (and, thus,
effectively within NTs security perimeter)
Recommendations:
Run
each firewall as a domain-independent NT

platform
Run Web servers as domain-independent NT
platforms or as part of a Web server domain
Do not mix internal and external Web servers in the
same domain
32
TCP/IP Services and NT

Domains
INTERNET
SERVERS
THAT ARE NOT
PART OF AN
NT DOMAIN
ROUTER
NT
EXTERNAL
WEB
SERVER
NT FIREWALL
INTERNAL NETWORK
Continued
SECURITY PERIMETER
33
Sniffer
Attacks
Logical or physical sniffers

Data in packet headers for NT logon packets
is vulnerable
FTP and telnet-based logons are in cleartext
Network Monitor (NM) tool part Back Office
Solution: inspecting for unauthorized
sniffers, use of VPNs, limiting use of NM
and similar tools
34
Password Transmission
in
Heterogeneous
Environments
Windows NT
Unix
Cleartext
password
35
PPTP-Protected
Transmissions
Host
Host
PPTP
RAS Server
RAS Server
36
Password
Cracking
The Windows NT security model attempts to provide strong
protection against password cracking
Strong
password encryption algorithm

Cleartext passwords are not sent over the net during conventional NT
authentication
Security Accounts Manager (SAM) Database is not accessible to
interactive users
Accounts Policy Settings guard against weak passwords
What Microsoft didnt realize

The
NT encryption procedure itself is not that strong

The SAM database can be accessed in a number of ways
The challenge-response mechanism itself is vulnerable
NT-based web browsers send encrypted passwords to web servers
37
Password
Cracking
Solutions
PPTP
Exceptionally
strong passwords
Third-party authentication
38
Exploitation of
SMB
SMB servers have weak authorization
requirements for file transfers
SMB has numerous back-door mechanisms
Concerns:
It
is relatively easy to trick SMB into transferring

files that are not otherwise available for access
SMB can be spoofed
Best solution (?): disable SMB
39
Considerations for
Access to
Platforms
Windows Other
NT does not recognize permissions from
any operating system other than NTFS
Most NT-compatibility programs require that
A
privileged user remotely logon to the NT domain to

establish remote access
All subsequent access not be interfered with by the OS on
which files are stored
Important point: the only access control is in most

cases NT share permissions
Implication: move critical files to NT servers if
security is a major consideration
40
Case Study: Gateway Services

for Netware
Service that allows Windows NT access to resources
on NetWare services
Files
Directories
Printers
Allows NT Server to serve as nondedicated gateway

Uses NWLink to connect to, then share NetWare
servers directories
Users can connect to directories using NT share
mechanism
41
So Whats The
Problem?
Gaps in the Windows NT security model
Faulty implementations that result in
security exposures
Security weaknesses in logic of design of
network service programs
Backdoors in protocols
Immaturity of Windows NT as an
operating system
42
Cracks in the NT Security

Infrastructure
It takes time to learn how to compromise
security in a new operating system
Much of the new in Windows NT is
really the old, after all
Many network security control
mechanisms dont go far enough
New services and utilities keep getting
added to Windows NTs capabilities
43
Conclusi
Windows NT has many security-related bells and
on
whistles that really are not so important
NT domains in many respects constitute steel
doors in grass huts
NT-based TCP/IP services will increasingly
constitute the greatest threat to security
Most critical tools
Third-party
authentication tools
Firewalls
Packet
scanners
Vulnerabilities scanners
Network monitoring tools
44
Conclusi
on with Windows NT
The problem of dealing
network vulnerabilities is exacerbated by
The
immaturity of this operating system

Microsofts approach to dealing with NTrelated vulnerabilities
The lack of a clearinghouse for NT-related
vulnerability information
Windows 2000 may provide a stronger

framework on which to build security
45

Blackhat 99

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Blackhat 99

Hochgeladen von

Copyright:

Verfügbare Formate

Perils and Pitfalls of IIS Web

Copyright 1999, Global Integrity Corporation

Copyright 1999, Global Integrity Corporation

About the IIS Web

of development and maintenance

Server itself can be implemented using

Copyright 1999, Global Integrity Corporation

A related component--Front Page

FrontPage Bots perform tasks such as

identification and rights of client

If anonymous access fails, server sends back information

If anonymous access fails, IIS will normally attempt challengeresponse authentication

Last resort--cleartext authentication

Copyright 1999, Global Integrity Corporation

Choosing IIS Web authentication

Service Directories Logging Advanced

Maximum Connections 1000

Basic IIS access control

Copyright 1999, Global Integrity Corporation

Exposures in IIS Web

Local access short circuits many security controls

IIS runs as SYSTEM

Copyright 1999, Global Integrity Corporation

Exposures in IIS Web

privileged access to Web server

Copyright 1999, Global Integrity Corporation

Exposures in IIS Web

Bots may allow unauthorized reads/writes of Web

to crash IIS by sending a long argument

Version affected: IIS 4.0 (SPs 4 and 5)

Copyright 1999, Global Integrity Corporation

Copyright 1999, Global Integrity Corporation

Applies to any Web server that supports ISAPI

Copyright 1999, Global Integrity Corporation

can be changed without authorization

Best solution is debatable

Copyright 1999, Global Integrity Corporation

than one virtual server run on one machine

This bug is found in all versions of IIS

May be found only in particular releases (e.g., IIS

Default exair page and the DLLs it references

IIS-specific Web security

Copyright 1999, Global Integrity Corporation

IIS-specific Web security

IIS-specific Web security

Copyright 1999, Global Integrity Corporation

Placement of external IIS

INTERNET OR EXTERNAL NETWORK

SERVER SHOULD NOT

IIS WEB SERVER

Copyright 1999, Global Integrity Corporation

Copyright 1999, Global Integrity Corporation

IIS-specific Web security

Consider enabling IP filtering

Choose your poison---CGI, ISAPI, or ASP

IIS and its many vulnerabilities

TCP/IP Services and NT

each firewall as a domain-independent NT

TCP/IP Services and NT

Logical or physical sniffers

Copyright 1999, Global Integrity Corporation

Copyright 1999, Global Integrity Corporation

Copyright 1999, Global Integrity Corporation

password encryption algorithm