List: bugtraq
Subject: Remote IIS 5.x and IIS 6.0 Server Name Spoof
From: inge_eivind.henriksen () chello ! no
Date: 2005-08-22 15:23:08
Message-ID: 20050822152308.12702.qmail () securityfocus ! com
** Inge Henriksen Security Advisory - Full Disclosure Proof of Concept at http://ingehenriksen.blogspot.com/ **
It is possible to remotely spoof the "SERVER_NAME" server variable of Microsoft® Internet Information Server® 5.0, 5.1 and 6.0 with a modified HTTP request. This can reveal sensitive ASP code through the IIS 500-100.asp error page, and the spoof also opens up a potential range of exploits in third-party web applications and web services.
Technical Description
Microsoft® Internet Information Server® shows sensitive information if the "SERVER_NAME" IIS 5.x server variable is "localhost". If an ASP page has an error, the code on the faulting line of the ASP page is shown in the browser, but only if the "SERVER_NAME" IIS server variable is "localhost". One can spoof the "SERVER_NAME" IIS server variable so that it shows whatever one wants. Other third-party web applications or web services may also be vulnerable if authentication depends on the validity of this server variable.
The IIS server variable that can be spoofed is "SERVER_NAME". It can be accessed through request.servervariables("SERVER_NAME") in ASP and HttpContext.Current.Request.ServerVariables("SERVER_NAME") in .NET; other programming languages have other methods of accessing this server variable, but are equally vulnerable.
If the HTTP request comes from a remote client, the server variable "SERVER_NAME" returns the IP address of the web server itself. If the HTTP request came from the same IP as the web server (that is, from an authenticated user browsing on the web server itself), then request.servervariables("SERVER_NAME") returns "localhost". This fact is used as "proof" in web applications or web services that the person browsing the web server is in fact browsing from the web server itself, and the application may use this proof to display an administrative interface to the browser user. One exploitable example is the IIS 5.x 500-100.asp page, which uses the server variable to decide whether to display the code where the error occurred.
The technical description of the server variable is "The server's host name, DNS alias, or IP address as it would appear in self-referencing URLs". It is therefore often used in code to determine the IP address of the web server itself, which opens up a range of exploits including cookie stealing, data redirection, and other URL manipulation issues.
Many other applications rely on the validity of this server variable, and MSDN holds many examples for developers that are easily exploitable with this bug; among the most serious are the Microsoft® .NET Passport SDK examples. Any web application or web service based on these examples is probably vulnerable because of the bug.
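The following is an added example, not code from the advisory or from Microsoft: a Python simulation of the "SERVER_NAME is localhost" trust check that the 500-100.asp page and the MSDN samples above are described as using, beside a hardened check that keys on REMOTE_ADDR (which IIS fills from the TCP connection rather than from request content), plus a sweep over IIS W3C extended log lines for requests whose logged host name claims loopback while the client address does not. The server-variable sets and the log lines are constructed; the function names and the assumption that cs-host logging is enabled are mine.

```python
"""Simulation of the IIS "SERVER_NAME == localhost" trust check described in the
advisory, beside a hardened check, plus a W3C-log sweep for spoof candidates.
Added example, not the advisory author's code; server-variable values below are
constructed, and the log lines are constructed in IIS W3C extended format."""
import ipaddress

LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def _is_loopback_ip(addr: str) -> bool:
    """True only for a syntactically valid loopback address (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def is_local_by_server_name(server_vars: dict) -> bool:
    """The weak check the advisory describes (e.g. IIS 5.x 500-100.asp):
    trusts SERVER_NAME, whose value the requesting client can influence."""
    return server_vars.get("SERVER_NAME", "").lower() == "localhost"


def is_local_by_remote_addr(server_vars: dict) -> bool:
    """Hardened check: REMOTE_ADDR is taken by IIS from the TCP connection,
    not from request content, so only a genuinely local client passes."""
    return _is_loopback_ip(server_vars.get("REMOTE_ADDR", ""))


# Constructed server-variable sets (assumed shapes, not captured from a real IIS host).
REQUESTS = {
    "genuine_local":   {"SERVER_NAME": "localhost",  "REMOTE_ADDR": "127.0.0.1"},
    "ordinary_remote": {"SERVER_NAME": "192.0.2.10", "REMOTE_ADDR": "198.51.100.7"},
    "spoofed_remote":  {"SERVER_NAME": "localhost",  "REMOTE_ADDR": "198.51.100.7"},
}


def evaluate(requests: dict) -> dict:
    """Return {name: (weak_result, hardened_result)} for each request."""
    return {
        name: (is_local_by_server_name(sv), is_local_by_remote_addr(sv))
        for name, sv in requests.items()
    }


def find_spoof_candidates(log_lines):
    """Sweep IIS W3C extended log lines (with the optional cs-host field logged)
    and return (c-ip, cs-host, cs-uri-stem) for requests whose host name claims
    loopback while the client address is not a loopback address."""
    fields, hits = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # directive line names the columns
            continue
        if line.startswith("#") or not line.strip():
            continue                           # other directives / blank lines
        row = dict(zip(fields, line.split()))
        host, client = row.get("cs-host", "").lower(), row.get("c-ip", "")
        if host in LOOPBACK_NAMES and not _is_loopback_ip(client):
            hits.append((client, host, row.get("cs-uri-stem", "")))
    return hits


# Constructed log sample; field order follows the IIS W3C extended format.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-host
2005-08-22 15:23:08 127.0.0.1 GET /admin/default.asp 200 localhost
2005-08-22 15:23:09 198.51.100.7 GET /default.asp 200 www.example.com
2005-08-22 15:23:10 198.51.100.7 GET /broken.asp 500 localhost
""".splitlines()

if __name__ == "__main__":
    for name, (weak, hardened) in evaluate(REQUESTS).items():
        print(f"{name:16s} SERVER_NAME check={weak!s:5s} REMOTE_ADDR check={hardened}")
    print("spoof candidates:", find_spoof_candidates(SAMPLE_LOG))
```

The spoofed request passes the SERVER_NAME check and fails the REMOTE_ADDR check, which is the whole point of the advisory. Two caveats on the hardened variant: behind a reverse proxy or load balancer REMOTE_ADDR is the proxy's address, so the loopback test must be applied at the component that actually terminates the client connection; and gating an administrative interface or source disclosure on any server variable is a weak design in the first place, so the durable fix is to require real authentication for such paths and to leave detailed error output disabled for every caller.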
Vendor Status: Notified 28. January 2005
Confirmed applications: Microsoft® Internet Information Server® 5.0, Microsoft® Internet Information Server® 5.1 and Microsoft® Internet Information Server® 6.0.
Confirmed platforms: Microsoft® Windows® 2000 with SP4, Microsoft® Windows® XP Professional with SP2, Microsoft® Windows® 2003 with SP1.
Full Disclosure Proof of Concept at http://ingehenriksen.blogspot.com/