Perils and Pitfalls of IIS Web Security
Eugene Schultz, Global Integrity Corporation (an SAIC Company) and Purdue University
Black Hat Conference, Las Vegas, Nevada
July 8, 1999
Copyright 1999, Global Integrity Corporation - All Rights Reserved
Copying these materials without the explicit, written permission of Global Integrity Corporation is prohibited.
Agenda
Introduction
Vulnerabilities
Solutions
Conclusion
Surprise, surprise?
“According to federal officials, federal websites and computer systems are particularly vulnerable to outside attacks because they lack two important elements: adherence to security plans and qualified personnel to maintain security measures.”
About the IIS Web server
Very widely used Web server package
Main advantages: price; ease of development and maintenance
Server itself can be implemented using CGI, ISAPI, or ASP
A related component---FrontPage
Supports development and maintenance of Web pages
Consists of:
  Explorer (client side)
  Editor (client side)
  Server
  Server Extensions (for managing and referencing HTML pages)
FrontPage “Bots” perform tasks such as automatically creating a table of contents
IIS Web authentication*
Basic authentication---to determine identification and rights of client
First check--to see if user is anonymous
  If anonymous access fails, server sends back information about other types of authentication that are available
  If user is authenticated, server determines whether user’s credentials are sufficient to allow access to resources
Second--challenge-response authentication
  If anonymous access fails, IIS will normally attempt challenge-response authentication
Last resort--cleartext authentication
* Most events that occur are transparent to users---exception: when the type of authentication used requires users to enter a username-password sequence
MSV1_0 authentication
[Diagram: exchange between CLIENT and SERVER]
1. Authentication request (client to server)
2. 8-byte nonce (server to client)
3. Encrypted nonce (client to server)
4. Retrieval of entries from SAM database (server)
5. Encryption of nonce (server)
6. Comparison of encrypted nonces (server)
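The six-step exchange above, as an added Python example that is not part of the talk: a constructed dictionary stands in for the SAM database, and HMAC-SHA256 over the nonce stands in for NT's own DES-based encryption of the nonce under the stored password hash (an assumption made to keep the example standard-library only). The server side also consumes each nonce, so a captured response cannot be replayed against the same challenge.

```python
import hashlib
import hmac
import os

# Constructed credential store standing in for the SAM database (assumption):
# username -> stored password hash. SHA-256 of the password is used here as an
# illustrative stand-in for the real NT hash format.
SAM = {
    "alice": hashlib.sha256(b"correct horse").digest(),
}


def server_issue_nonce(outstanding: set) -> bytes:
    """Step 2: the server generates a fresh 8-byte nonce and remembers it."""
    nonce = os.urandom(8)
    outstanding.add(nonce)
    return nonce


def client_respond(password: str, nonce: bytes) -> bytes:
    """Step 3: the client keys a transform of the nonce with its password hash.
    Only the nonce and this response cross the wire, never the password."""
    pw_hash = hashlib.sha256(password.encode()).digest()
    return hmac.new(pw_hash, nonce, hashlib.sha256).digest()


def server_verify(user: str, nonce: bytes, response: bytes, outstanding: set) -> bool:
    """Steps 4-6: look up the stored hash (SAM), encrypt the nonce the same way,
    and compare in constant time. The nonce is consumed first, so a replayed
    response to an already-used challenge is refused before any lookup."""
    if nonce not in outstanding:
        return False
    outstanding.discard(nonce)
    pw_hash = SAM.get(user)
    if pw_hash is None:
        return False
    expected = hmac.new(pw_hash, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def run_exchange(user: str, password: str, outstanding: set = None):
    """Drive one full exchange; returns (accepted, nonce, response)."""
    outstanding = set() if outstanding is None else outstanding
    nonce = server_issue_nonce(outstanding)          # step 1 implicit, step 2
    response = client_respond(password, nonce)        # step 3
    return server_verify(user, nonce, response, outstanding), nonce, response
```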
Choosing IIS Web authentication
[Screenshot: WWW Service Properties dialog for EXCELSIOR, Service tab (other tabs: Directories, Logging, Advanced). Fields: Connection Timeout 600 seconds; Maximum Connections 1000; Anonymous Logon username and password. Password Authentication options: Allow Anonymous; Basic (Clear Text); Windows NT Challenge/Response.]
Basic IIS access control methods
Authentication
Limited execution environment
NTFS permissions
Internet Service Manager settings
Exposures in IIS Web services
Incompatibility of authentication schemes drives cleartext authentication as the common denominator
Web users are authenticated either as local users or domain users
Local access short circuits many security controls
Unauthorized access to Web server can result in unauthorized domain-wide access
IIS runs as SYSTEM
Exposures in IIS Web services
Buffer overflow conditions abound
IUSR_Servername account is created either in a domain or on a member server of an IIS Web server
ASP page access is not properly limited
FrontPage vulnerabilities allow a variety of undesirable outcomes, including:
  Unauthorized, privileged access to Web server
  Ability to remotely read and write to any file
  Denial of service
Exposures in IIS Web services
Vulnerabilities in Active Server itself can result in a wide range of undesirable outcomes from a security perspective:
  Denial of service
  Ability to modify Web page content
  Ability to read and/or alter files that are not part of the Web server
Bots may allow unauthorized reads/writes of Web page content
Most Web servers themselves are not well-written from a security perspective
Example 1
A potential buffer overflow condition in the ISAPI extension ISM.DLL (a filter used to process .HTR files) allows:
  Someone to crash IIS by sending a long argument (FORMAT: GET /[overflow].htr HTTP/1.0)
  Execution of rogue code
Version affected: IIS 4.0 (SPs 4 and 5)
Problem: lack of proper bounds checking
Solutions: Apply hot fix, or remove the script mapping for .HTR files from ISAPI.DLL
Example 2
A bug allows anyone to use a default .asp page to view and also to modify source code by requesting a file from a virtual directory (simply enter ../)
Problem: normal processing of the file is circumvented
Several variants of this bug exist
Found in IIS 3.0 and 4.0
Patch is available (but best solution may be to remove all default .asp pages)
Example 3
A bug allows CGI scripts that require authentication to be run without any authentication
Version affected: IIS 3.0
Is really more of a limitation in an intended security feature than a vulnerability
Upgrade to IIS 4.0
Example 4
Someone can discover the path to a virtual directory
Requires only connecting to the “msdownload” directory at a site, then pressing Refresh/Reload
Can facilitate an attacker’s efforts to locate resources to attack
All versions are affected
No patch available yet
Example 5
A malformed GET request can crash IIS, causing data corruption
Requires that more than one virtual server run on one machine
Problem: quitting inetinfo.exe by one server fails to produce a file handle for TEMP files that the other needs for data writes
Problem persists across different releases
Hot fix (see Q192296) available
Example 6
An unprivileged user can create an ISAPI extension to load rogue CGIs that run as SYSTEM
  GetExtensionVersion()
  Default()
Applies to any Web server that supports ISAPI extensions
Exploit code posted widely over the net
All versions are affected
Solution: do not allow users to load CGIs
Example 7
An anonymous user can use NetBIOS mechanisms to remotely reach \%systemroot%\system32\inetsrv\iisadmpwd (virtual directory /IISADMPWD) to start up HTR files
Passwords can be changed without authorization
Information about accounts is readable
Best solution is debatable: Delete /IISADMPWD? Filter traffic bound for TCP port 139?
Example 8
An unauthorized user can access cached files without being authenticated
Requires that:
  More than one virtual server run on one machine
  Both servers have the identical physical and virtual directory for each target file
This bug is found in all versions of IIS
Problem: failure to recheck credentials after a cached file is initially accessed
Solutions: Allow only one virtual server on any machine, or disable caching
Example 9
IIS may fail to log successful HTTP requests
Requests include:
  File name: Default.asp
  Request method (the attacker must make this very long---at least 10140 bytes)
May be found only in particular releases (e.g., IIS 4.0 server that was upgraded)
No suitable solution so far, but try installing IIS 4.0 instead of upgrading from IIS 3.0
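An added Python example, not from the talk, of a front-door request-line check placed ahead of the server that covers the request shapes in Examples 1, 2 and 9: an overlong .htr argument, a path that climbs out of the document tree with ../, and an overlong method token. The web root, the size limits and the sample request lines are constructed assumptions; the point is that every rejection is returned to the caller for logging, so these requests leave a trace even where IIS itself logged nothing.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed web root and limits (assumptions; IIS's own limits are not on the page).
WEBROOT = "/inetpub/wwwroot"
MAX_METHOD_LEN = 16       # a 10140-byte method token (Example 9) is far beyond this
MAX_HTR_NAME_LEN = 256    # an overlong .htr argument is the crash trigger in Example 1


def check_request_line(line: str):
    """Return (accepted, detail) for one HTTP request line; the caller logs rejections."""
    parts = line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if len(method) > MAX_METHOD_LEN:                 # Example 9
        return False, "overlong method token"
    if not method.isalpha():
        return False, "non-alphabetic method"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "unsupported version"
    # Decode percent-escapes and treat backslashes as separators, as the
    # Windows file system would, before judging where the path points.
    path = unquote(urlsplit(target).path).replace("\\", "/")
    # Example 2: resolve against the web root and refuse anything that ends
    # up outside it, however the ../ was spelled.
    resolved = posixpath.normpath(posixpath.join(WEBROOT, path.lstrip("/")))
    if resolved != WEBROOT and not resolved.startswith(WEBROOT + "/"):
        return False, "path escapes web root"
    # Example 1: refuse an overlong .htr name outright if the ISM.DLL script
    # mapping cannot be removed.
    name = posixpath.basename(resolved)
    if name.lower().endswith(".htr") and len(name) > MAX_HTR_NAME_LEN:
        return False, "overlong .htr argument"
    return True, resolved


# Constructed sample request lines, one per case discussed in the talk.
SAMPLES = [
    "GET /default.asp HTTP/1.0",
    "GET /%2e%2e/secret.asp HTTP/1.0",
    "A" * 10140 + " /default.asp HTTP/1.0",
    "GET /" + "A" * 300 + ".htr HTTP/1.0",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, detail = check_request_line(sample)
        print("ACCEPT" if ok else "REJECT", detail, "<-", sample[:40])
```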
Example 10
Under certain conditions, calling one or more ASPs may cause 100% CPU utilization:
  \exair\root\search\advsearch.asp
  \exair\root\search\query.asp
  \exair\root\search\search.asp
Default exair page and the DLLs it references must not be in memory
Best solution: delete \exair and everything below it
IIS-specific Web security measures
Consider running a Web server that does not run as SYSTEM
Run the most recent version of IIS Web server
Avoid running IIS on domain controllers
Ensure that the IUSR_<servername> account has a strong password
Dedicate Web-accessible volumes to HTTP-based access
IIS-specific Web security measures
Use Internet Service Manager to set access permissions (read and/or write)
Ensure that FrontPage extensions have appropriate NTFS permissions
Avoid Active Server implementations when security needs are higher
Use Active Server only to access a Microsoft transaction component (i.e., don’t put code in Active Server itself)
IIS-specific Web security measures
Consider enabling IP filtering
Disable the NetBIOS layer of networking
Use SSL, HTTP-S, or PCT to encrypt sessions
It is generally best to deploy IIS as an internal Web server
Patch, patch, patch...
Placement of external IIS servers
[Diagram: Internet or external network / router / DMZ containing the IIS Web server / firewall / internal network, with the security perimeter marked; the server should not be part of any NT domain]
Conclusion
We haven’t even looked into security-related vulnerabilities in:
  Browsers
  IIS FTP
Choose your poison---CGI, ISAPI, or ASP
Securing IIS requires paying attention to:
  IIS and its many vulnerabilities
  The many extensions and filters that are typically part of the IIS environment
  The Web application
  Windows NT itself
Conclusion
The number of reported bugs has increased dramatically over the last year
The problem is only going to get worse in the next version
[Diagram: fronting server and cache box]
TCP/IP Services and NT Domains
Serious concern: NT web servers or firewalls running within an NT domain (and, thus, effectively within NT’s security perimeter)
Recommendations:
  Run each firewall as a domain-independent NT platform
  Run Web servers as domain-independent NT platforms or as part of a Web server domain
  Do not mix internal and external Web servers in the same domain
TCP/IP Services and NT Domains (continued)
[Diagram: Internet / router / NT external Web server and other servers that are not part of an NT domain / NT firewall, with the security perimeter marked / internal network]
Sniffer Attacks
Logical or physical sniffers
Data in packet headers for NT logon packets is vulnerable
FTP and telnet-based logons are in cleartext
Network Monitor (NM) tool, part of BackOffice
Solution: inspecting for unauthorized sniffers, use of VPNs, limiting use of NM and similar tools
Password Transmission in Heterogeneous Environments
[Diagram: cleartext password passing between Windows NT and Unix]
PPTP-Protected Transmissions
[Diagram: two hosts, each behind a RAS Server, with a PPTP tunnel between the RAS Servers]
Password Cracking
The Windows NT security model attempts to provide strong protection against password cracking:
  Strong password encryption algorithm
  Cleartext passwords are not sent over the net during conventional NT authentication
  Security Accounts Manager (SAM) Database is not accessible to interactive users
  Accounts Policy Settings guard against weak passwords
What Microsoft didn’t realize:
  The NT encryption procedure itself is not that strong
  The SAM database can be accessed in a number of ways
  The challenge-response mechanism itself is vulnerable
  NT-based web browsers send encrypted passwords to web servers