Government Security
Network Security Resources

Jump to content


Securing IIS Using ISSAPI Filters

- - - - - security scanning server exploit vulnerability perl cgi tools denial of service patch
  • Please log in to reply
No replies to this topic

#1 Blake


    Former Commander In Chief

  • Retired Admin
  • 7,334 posts

Posted 27 September 2002 - 07:39 PM

Protecting your IIS box using URLScan-SRP [Not an answer for laziness on the SA's part]
Will help protect against:
∑ A buffer overrun vulnerability involving the operation of the chunked encoding transfer mechanism via Active Server Pages in IIS 4.0 and 5.0. An attacker who exploited this vulnerability could overrun heap memory on the system, with the result of either causing the IIS service to fail or allowing code to be run on the server.
∑ A Microsoft-discovered vulnerability that is related to the preceding one, but which lies elsewhere within the ASP data transfer mechanism. It could be exploited in a similar manner as the preceding vulnerability, and would have the same scope. However, it affects IIS 4.0, 5.0, and 5.1.
∑ A buffer overrun involving how IIS 4.0, 5.0 and 5.1 process HTTP header information in certain cases. IIS performs a safety check prior to parsing the fields in HTTP headers, to ensure that expected delimiter fields are present and in reasonable places. However, it is possible to spoof the check, and convince IIS that the delimiters are present even when they are not. This flaw could enable an attacker to create an URL whose HTTP header field values would overrun a buffer used to process them.
∑ A Microsoft-discovered buffer overrun vulnerability in IIS 4.0, 5.0 and 5.1 that results from an error in safety check that is performed during server-side includes. In some cases, a user request for a web page is properly processed by including the file into an ASP script and processing it. Prior to processing the include request, IIS performs an operation on the user-specified file name, designed to ensure that the file name is valid and sized appropriately to fit in a static buffer. However, in some cases it could be possible to provide a bogus, extremely long file name in a way that would pass the safety check, thereby resulting in a buffer overrun.
∑ A buffer overrun affecting the HTR ISAPI extension in IIS 4.0 and 5.0. By sending a series of specially malformed HTR requests, it could be possible to either cause the IIS service to fail or, under a very difficult operational scenario, to cause code to run on the server.
∑ A denial of service vulnerability involving the way IIS 4.0, 5.0, and 5.1 handle an error condition from ISAPI filters. At least one ISAPI filter (which ships as part of FrontPage Server Extensions and ASP.NET), and possibly others, generate an error when a request is received containing an URL that exceeds the maximum length set by the filter. In processing this error, the filter replaces the URL with a null value. A flaw results because IIS attempts to process the URL in the course of sending the error message back to the requester, resulting in an access violation that causes the IIS service to fail.
∑ A denial of service vulnerability involving the way the FTP service in IIS 4.0, 5.0 and 5.1 handles a request for the status of the current FTP session. If an attacker were able to establish an FTP session with an affected server, and levied a status request that created a particular error condition, a flaw in the FTP code would prevent it from correctly reporting the error. Other code within the FTP service would then attempt to use uninitialized data, with an access violation as the result. This would result in the disruption of not only FTP services, but also of web services.
∑ A trio of Cross-Site Scripting (CSS) vulnerabilities affecting IIS 4.0, 5.0 and 5.1: one involving the results page thatís returned when searching the IIS Help Files, one involving HTTP error pages; and one involving the error message thatís returned to advise that a requested URL has been redirected. All of these vulnerabilities have the same scope and effect: an attacker who was able to lure a user into clicking a link on his web site could relay a request containing script to a third-party web site running IIS, thereby causing the third-party siteís response (still including the script) to be sent to the user. The script would then render using the security settings of the third-party site rather than the attackerís.

The following is how the URLScan file should be configured. Because the filter executes before the webserver translates the URL information it can catch many malformed URL and unicode attacks. [Vulnerabilities have been found in ISSAPI Filters though :-(

[options]UseAllowVerbs=1 ; if 1, use [AllowVerbs] section, else use [DenyVerbs] sectionUseAllowExtensions=0 ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
NormalizeUrlBeforeScan=1 ; if 1, canonicalize URL before processing
VerifyNormalization=1 ; if 1, canonicalize URL twice and reject request if a change occurs
AllowHighBitCharacters=0 ; if 1, allow high bit (ie. UTF8 or MBCS) characters in URL
AllowDotInPath=0 ; if 1, allow dots that are not file extensions
RemoveServerHeader=0 ; if 1, remove "Server" header from response
EnableLogging=1 ; if 1, log UrlScan activity
PerProcessLogging=0 ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log)
AllowLateScanning=0 ; if 1, then UrlScan will load as a low priority filter.
PerDayLogging=1 ; if 1, UrlScan will produce a new log each day with activity in the form UrlScan.010101.log
RejectResponseUrl= ; UrlScan will send rejected requests to the URL specified here. Default is /<Rejected-by-UrlScan>
UseFastPathReject=0 ; If 1, then UrlScan will not use the RejectResponseUrl or allow IIS to log the request

; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header


; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.



; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.



; The following request headers alter processing of a
; request by causing the server to process the request
; as if it were intended to be a WebDAV request, instead
; of a request to retrieve a resource.



; Extensions listed here are commonly used on a typical IIS server.
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.



; Extensions listed here either run code directly on the server,
; are processed as scripts, or are static files that are
; generally not intended to be served out.
; Note that these entries are effective if "UseAllowExtensions=0"
; is set in the [Options] section above.
; Also note that ASP scripts are denied with the below
; settings. If you wish to enable ASP, remove the
; following extensions from this list:
; .asp
; .cer
; .cdx
; .asa

; Deny ASP requests

; Deny executables that could run on the server

; Deny infrequently used scripts
.htw ; Maps to webhits.dll, part of Index Server
.ida ; Maps to idq.dll, part of Index Server
.idq ; Maps to idq.dll, part of Index Server
.htr ; Maps to ism.dll, a legacy administrative tool
.idc ; Maps to httpodbc.dll, a legacy database access tool
.shtm ; Maps to ssinc.dll, for Server Side Includes
.shtml ; Maps to ssinc.dll, for Server Side Includes
.stm ; Maps to ssinc.dll, for Server Side Includes
.printer ; Maps to msw3prt.dll, for Internet Printing Services

; Deny various static files
.ini ; Configuration files
.log ; Log files
.pol ; Policy files
.dat ; Configuration files

.. ; Don't allow directory traversals
./ ; Don't allow trailing dot on a directory name
\ ; Don't allow backslashes in URL
: ; Don't allow alternate stream access
% ; Don't allow escaping after normalization
& ; Don't allow multiple CGI processes to run on a single request

Also tagged with one or more of these keywords: security, scanning, server, exploit, vulnerability, perl, cgi, tools, denial of service, patch