June 2004 - Posts

A few days ago a new exploit was found that is attacking IIS 5.0 servers. Incidents.org has a write-up on this, and Infoworld has it covered as well. Apparently it is hitting users running IE and IIS 5.0 servers; I have seen a couple of discussions in public newsgroups and other IIS community forums. Microsoft has now officially posted an alert about Download.Ject; from that page:

Reports indicate that Web servers running Windows 2000 Server and IIS that have not applied update 835732, which was addressed by Microsoft Security Bulletin MS04-011, are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code.

If you have not applied the related fixes, I strongly recommend that you do it NOW, and as good security practice, you should restrict or limit outbound HTTP (port 80) browsing from your IIS web server. It should be there to serve HTTP/HTTPS requests, not as your surf station.

Posted by bernard | 6 comment(s)

This is a known issue that has been pending for quite a while. Finally it's out. This is actually a Jet bug and it HAS nothing to do with IIS 6.0, but because the error only happens with IIS 6.0, it was 'assumed' to be IIS's fault :(

Go grab it -
838306 FIX: Web applications that use the Jet database engine may stop responding under heavy load

Posted by bernard | 2 comment(s)

Did you know you can 'annotate' your FTP directories, making them more 'user friendly'? We normally configure FTP messages, but these do not support folder-level messages: when you navigate among folders, you get no further message explaining the nature of each folder. To make this easier, you can create a new DWORD registry value AnnotateDirectories under this key path:

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Parameters\
Value: 0 (default - disable), 1 (enable)

After that, you create a text file named ~ftpsvc~.ckm and place it in the desired folder. When users change the working directory to this folder (for example: ftp> cd test), if AnnotateDirectories is enabled and the ~ftpsvc~.ckm file exists, IIS FTP will display the .ckm file content, for example:

ftp> cd test
250-This is a test message welcome message.
250 CWD command successful.
ftp>

You should mark ~ftpsvc~.ckm as a hidden file so that it is not listed when users do a directory listing.

Posted by bernard | with no comments

There is a problem with the Content-Location header in IIS 6.0: the header may reveal the server's internal IP address, for example:

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Location: http://10.1.1.1/Default.htm
Date: Friday, 10 June 2004 11:03:22 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Friday, 10 June 2004 11:00:05 GMT
ETag: "067f136a639be1:12c5"
Content-Length: 4123

Previously, in IIS 5.0 and 4.0, you could set UseHostName to TRUE to replace the internal IP address with the FQDN of the site. I talked about this before. However, this is not available for IIS 6.0; the last I heard was that it would be fixed in SP1. But today I found this KB:
834141 FIX: IP address is revealed in the content-location field in the TCP header in IIS 6.0

So Microsoft is releasing it first, but you have to ring PSS to get the fix. The other workaround is to configure a host header for the site.

Posted by bernard | 3 comment(s)

A few weeks ago, from a private security mailing list, I learned that the recent count of IIS 6 vulnerabilities is 60! If you are on the NTBugTraq mailing list, you might have read that as well. This actually came from Russ Cooper's AUSCert presentation about Microsoft Security Bulletins. Russ is the editor of NTBugTraq and a well-known expert in MS product security. However, I and a couple of Security MVPs do not agree with his findings. Here's the short summary about IIS 6.0:

7. I then compared IIS versions. Given the timeframe of the products, the numbers are very different;
IIS 4.0 = 231 vulnerabilities
IIS 5.0 = 282 vulnerabilities
IIS 6.0 = 60 vulnerabilities

I went on to say that in the period since W2K3's release, IIS 6.0 boxes were 11% less vulnerable than W2K IIS 5.0 servers. This, however, IMO was largely due to configuration and not a lack of vulnerable code. I said that if you configured any IIS box the way W2K3 IIS 6.0 was configured, you'd get roughly the same security. IOWs, where were the results of the Security Push? Surely the results weren't only a new configuration.

The full message thread can be found here. The information given is definitely misleading, so Susan and I mailed Russ offline to question the formula and the method he used to derive the numbers. Here is Russ's formula:

IIS 6.0 = OE6 + IE6 + Media Player 8 + W2K3 + IIS 6.0 specific + IIS 6.0 removable

Therefore, the following bulletins apply to IIS 6.0 boxes;
MS03-004 (2 vulnerabilities)
MS03-014 (1 vulnerability)
MS03-015 (7 vulnerabilities)
MS03-017 (1 vulnerability)
MS03-020 (2 vulnerabilities)
MS03-026 (1 vulnerability)
MS03-032 (5 vulnerabilities)
MS03-033 (1 vulnerability)
MS03-034 (1 vulnerability)
MS03-039 (2 vulnerabilities)
MS03-040 (3 vulnerabilities)
MS03-041 (1 vulnerability)
MS03-043 (1 vulnerability)
MS03-044 (2 vulnerabilities)
MS03-045 (1 vulnerability)
MS03-048 (5 vulnerabilities)
MS04-001 (1 vulnerability)
MS04-003 (1 vulnerability)
MS04-004 (5 vulnerabilities)
MS04-006 (1 vulnerability)
MS04-007 (1 vulnerability)
MS04-011 (8 vulnerabilities)
MS04-012 (3 vulnerabilities)
MS04-013 (1 vulnerability)
MS04-014 (1 vulnerability)
MS04-015 (1 vulnerability)

So he has done his homework. Susan and I had to do ours; Susan compiled her findings here. If you look closely, the vulnerability counts are quite different for some of the security bulletins. Take MS04-011 for example. Our method is very simple: we count one for each CAN ID we can find in the bulletin, and hence MS04-011 is 14, not 8!

OK, my turn now. Based on his formula and list, I conclude the following with a BRAND new formula:
IIS 6.0 = OE6 + IE6 + Media Player 9 + W2K3 + IIS 6.0 specific + IIS 6.0 removable + Messenger + MDAC + Jet
          = 2+22+0+21+0+0+1+1+1
          = 48

IE(22):
MS03-004(2)+MS03-015(4)+MS03-020(2)+MS03-032(3)+MS03-040(2)+MS03-041(1)+MS03-048(5)+MS04-004(3)

OE(2):
MS03-014(1)+MS04-013(1)

W2k3(21):
MS03-026(1)+MS03-034(1)+MS03-039(3)+MS03-044(1)+MS03-045(1)+MS04-006(1)+MS04-007(1)+MS04-011(7)+MS04-012(4)+MS04-015(1)

Messenger(1):
MS03-043(1)

MDAC(1):
MS04-003(1)

Jet(1):
MS04-014(1)
-------------
Total = 48!!!

Where are the other 12 vulnerabilities? From his list:
MS03-017(1) Media Player 8?
MP9 comes with Windows Server 2003

MS03-033(1) MDAC
Windows Server 2003 MDAC 2.8 is not affected

MS04-001(1) ISA2k
ISA related to IIS 6 or Windows Server 2003?

ISA has NOTHING to do with Windows Server 2003, so the above 3 are definitely out of the picture!

Take another look at MS04-011: it is packed with 14 vulnerabilities, but only 7 are related to Windows Server 2003.
LSASS Vulnerability - CAN-2003-0533
Help and Support Center Vulnerability - CAN-2003-0907
H.323 Vulnerability - CAN-2004-0117
ASN.1 “Double Free” Vulnerability - CAN-2004-0123

IIS 6.0 Related
PCT Vulnerability - CAN-2003-0719
Negotiate SSP Vulnerability - CAN-2004-0119
SSL Vulnerability - CAN-2004-0120

And Russ got 8 for that? Only 3 are related to IIS, and they are not in the IIS core or in removable components; they are ASN issues in the OS, but the attack point is via IIS. Now, we also argued about what constitutes an IIS 6.0 box, so all of the above apply, no doubt. But I have to strongly disagree with his statement that IIS 6 = 60 vulnerabilities.

It would make more sense to say:
Windows Server 2003 = 60 vulnerabilities
and then, inside it, list every single vulnerability in detail.

Just to summarize my findings: I conclude there are 3 vulnerabilities in IIS 6.0; however, you should take note of the other 45, which relate to your W2K3 box (of course, depending on what you have on the box). And as security practice, you are NOT supposed to surf or email from your production box. Oh yeah, Harry doesn't like the findings either :)
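As an added example (not the post's own code), here is the "one per CAN ID" counting rule from above applied to the MS04-011 breakdown, showing how the same bulletin yields 3 when scoped to IIS and 7 when scoped to the whole W2K3 box. The bulletin excerpt is constructed from the post's list, with the post's "IIS 6.0 Related" marker used to decide scope.

```python
import re

CAN_RE = re.compile(r"\bCAN-\d{4}-\d{4}\b")

# Constructed excerpt shaped like the MS04-011 breakdown in the post: the seven
# CAN IDs it lists, with "IIS 6.0 Related" separating OS-only issues from those
# reachable through IIS. The final line repeats an ID on purpose, to show that
# the rule counts distinct IDs, not mentions.
MS04_011_TEXT = """\
LSASS Vulnerability - CAN-2003-0533
Help and Support Center Vulnerability - CAN-2003-0907
H.323 Vulnerability - CAN-2004-0117
ASN.1 "Double Free" Vulnerability - CAN-2004-0123
IIS 6.0 Related
PCT Vulnerability - CAN-2003-0719
Negotiate SSP Vulnerability - CAN-2004-0119
SSL Vulnerability - CAN-2004-0120
(PCT Vulnerability CAN-2003-0719 is also mentioned in the FAQ section)
"""

def unique_cans(text):
    """One per distinct CAN ID found in the bulletin text."""
    return sorted(set(CAN_RE.findall(text)))

def split_by_scope(text, marker="IIS 6.0 Related"):
    """Return (os_only, iis_related) CAN ID lists, using the section marker
    to decide which issues have IIS as their attack surface."""
    before, _, after = text.partition(marker)
    return unique_cans(before), unique_cans(after)

def bulletin_count(text, scope):
    """Count for a chosen scope: 'iis' = IIS-reachable issues only,
    'w2k3' = every distinct CAN ID that applies to the box."""
    if scope == "iis":
        return len(split_by_scope(text)[1])
    if scope == "w2k3":
        return len(unique_cans(text))
    raise ValueError("scope must be 'iis' or 'w2k3'")

if __name__ == "__main__":
    print("MS04-011 counted as IIS 6.0  :", bulletin_count(MS04_011_TEXT, "iis"))
    print("MS04-011 counted as W2K3 box :", bulletin_count(MS04_011_TEXT, "w2k3"))
```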

Next, you might wonder about other vendors' reports on IIS 6 exploits.
Months ago, Michael Howard blogged this, saying "IIS ? zero", and one of the comments pointed to Microsoft Windows Server 2003 / IIS 6 Cross Site Scripting. Yes, you may classify this as 1 vulnerability; however, I haven't heard anything official from Microsoft. For this, I would suggest you limit and restrict the usage of HTMLA. FYI, my production boxes don't have such a thing.

Another one is Microsoft IIS Cookie Variable Information Disclosure; this one relates to information being revealed about your web server. No harm, I would say, but if you want to stop this, try:

- In the IIS MMC, disable 'send detailed ASP error messages to client'
- Follow best practices with custom error pages
- Disable the ASP web service extension if it is not needed

So far, these are the only 2 I know of; if you find a new one, let me know. And just for the record, AFAIK, Microsoft has not officially addressed the above 2 issues.

One more. This is specifically a message to MS; actually it is from Kerry Steele, and I have to agree, it makes sense. If you do a search at the Security Bulletins Search Page with IIS 6 as the product, you will get ZERO bulletins.
However, if you try Windows Server 2003 (Standard Edition), you will get 24 bulletins (as of today!).

This is misleading as well. If there is an exploit related to IIS 6.0, it must be listed, for example the MS04-011 ASN exploits related to IIS 6.0.

Finally, with the above, I hope I have given everyone a clear picture of the current 'vulnerabilities' in IIS 6.0. You can count with whatever formula you wish, but I just want to make things clear here.

Cheers.

Posted by bernard | 8 comment(s)

I must be pretty blur; I should have posted this before :) This is a sample chapter from my book. Get it here, hosted at Ken's site. I've been busy recently; my coursework is due this week :( It's not tough, it just requires a lot of reading, and the best part is "IT IS NOT TECHNICAL" at all..... After this module, I will start my last module (hopefully); it will take another 3 months.... then I'm planning to go for the MSF exam (I know, I know.. it's been two years since I wanted to go for it). I'm just too busy...

Oh yeah, last week I was in a hot discussion about Russ's presentation to AUSCert. I have to STRESS that the way Russ categorizes vulnerabilities for IIS 6.0 is completely WRONG and MISLEADING. I will get into more detail when I'm done with my homework :(

Posted by bernard | 2 comment(s)

829427 FIX: "Failed to execute Regsvr32.exe error code 5" error message when you install Windows 2000 Service Pack 4 on a computer that is running IIS 5.0
826270 FIX: You cannot suppress the default FTP banner for the FTP service
831137 IP addresses may not appear in IIS 6.0 after you install Application Center 2000
838790 FIX: You receive a 403.2 error message when you use an ISAPI extension .dll file as a default document
840875 BUG: You notice that IIS 6.0 is slower than IIS 5.0 when you use the WriteClient API to send data
840671 IIS 6.0 Resource Kit Tools
823818 FIX: Memory usage increases and IIS 5.0 stops responding when ASP buffering is enabled
824031 Information about the FilterEnableCache metabase property
836533 You receive a "The security context is invalid" error message when you call or create an out-of-process component
841632 Errors with client certificates occur after you install the MS04-011 security update on an IIS 5.0 computer
841641 IIS returns a "403.13 Client Certificate Revoked" error message after you install MS04-011 because of Wininet proxy settings
841642 Errors with client certificates occur after you install the MS04-011 security update on an IIS 5.0 computer
833734 FIX: You experience various problems when you use the Password Change pages in IIS 6.0

Posted by bernard | 1 comment(s)
It's been up for some time; I just got to know about it today :( So get your RSS reader and connect to Microsoft Security Bulletin (RSS). For other vendors' vulnerability reports, you can try SecurityFocus Vulnerabilities (RSS).
Posted by bernard | with no comments
Using Windows Server 2003 DNS and IIS 6.0 (Level 200)
Learn how to configure host headers on a Windows-based DNS server, as well as how to automate DNS registration by using the Host Header Helper service from the IIS 6.0 Resource Kit.
 
Have Your Cake and Eat It, Too: Understanding How ASP.NET Works with IIS 6.0 (Level 300)
Learn how ASP.NET and IIS 6.0 work together to maximize Web server performance. Topics include how ASP.NET requests are processed in IIS 6.0, the ASP.NET ISAPI filter, ASP.NET ISAPI extension integration, and how IIS 6.0 uses ASP.NET configuration files.
Posted by bernard | 1 comment(s)