Saturday, April 3, 2010

Attacks against IIS


Attacks against IIS


  • IIS is one of the most widely used Web server platforms on the Internet.

  • Microsoft's Web Server has been the frequent target over the years.

  • It has been attacked by various vulnerabilities. Examples include:

    1. ::$DATA vulnerability

    2. showcode.asp vulnerability

    3. Piggy backing vulnerability

    4. Privilege command execution

    5. Buffer Overflow exploits (IIShack.exe)
Let us look at some of the technology that forms the basis of web applications.
Simple HTML could not contribute much to the dynamic nature of interaction on the web. Therefore, dynamic capabilities were added by using Common Gateway Interface (CGI) applications. These applications ran on the server and generated dynamic content tailored to each request. This capability to process input and generate pages in real time greatly expanded the functional potential of a Web application.
However, as CGI programs were both discrete and resource intensive with each HTTP request, Microsoft introduced two distinct technologies to serve as the basis for Web applications: Active Server Pages (ASP) and the Internet Server Application Programming Interface (ISAPI).
ASP scripts are usually written in a human-readable scripting language like Visual Basic, and Microsoft asserts that the technology is largely language-neutral. The ASP interpreter is implemented as an ISAPI DLL.
ISAPI on the other hand is much less visible to end users. Quite naturally, Microsoft uses many ISAPI DLLs to extend IIS itself. ISAPI DLLs are binary files that are not exactly human-readable or given to human interpretation. However, if the user knows the name of an ISAPI DLL, it can be called via HTTP. They are capable of running inside or outside the IIS process (inetinfo.exe) and, once instantiated remain resident; thereby reducing the overhead of spawning a new process for a CGI executable to service each request.



Internet Information Services (IIS) has been consistently targeted for attacks. Server administrators have been overwhelmed by more than 100 vulnerabilities discovered in IIS web servers in just the last few years alone. It has been seen that when a web server is attacked, the attacker usually tries to run certain commands or access certain files.
For instance, one popular command that an attacker is likely to run during the course of the attack is cmd.exe. Another file that is likely to be of interest to an attacker on IIS is global.asa, which often contains passwords or other sensitive information. Previously, many exploits on IIS have involved traversing directories, viewing server-side scripts, or running a remote command.

Threat
Some of the popular vulnerabilities have been:
::$DATA IIS Vulnerability
Microsoft's Internet Information Server (IIS) contained a vulnerability in how it handles the multiple data streams NTFS provides for each file. The $DATA vulnerability, published in mid-1998, resulted from an error in the way the Internet Information Server parsed file names. $DATA is an attribute of the main data stream (which holds the "primary content") stored within a file on NT File System (NTFS). By creating a specially constructed URL, it was possible to use IIS to access this data stream from a browser.
By doing so the attacker could display the code of the file containing that data stream and any data that the file held. This method could be used to display a script-mapped file that could normally be acted upon only by a particular Application Mapping. The contents of these files are not ordinarily available to users. However, in order to display the file, the file must reside on the NTFS partition and must have ACLs set to allow at least read access; the unauthorized user must also know the file name. By appending the string ::$DATA, a remote user could view the contents of a file that is normally set to be acted upon by an Application Mapping, such as Active Server Pages (ASP). The attacker, however, must previously have read access to this file to view its contents. This attack could allow a user to read potentially proprietary and compromising script source. This vulnerability affected Microsoft IIS versions earlier than 3.0.
Showcode.asp
Showcode.asp is a script that allows a web developer to easily view the code for a number of examples included with Internet Information Server. It comes under several different guises, including showcode.asp, viewcode.asp, and codebrws.asp among others. Essentially it lets the developer view the code of a server-side script without executing it. The problem is that it does not just stop at that because with some manipulation of the URL it lets an attacker view any file on the same drive as the script. With a little playing around one can easily compromise an entire server and any sensitive information it contains.
Showcode.asp is included as an example with the Microsoft Data Access Components that are installed with a number of products or that can be installed individually. The default install location is C:\Program Files \Common Files \SYSTEM\MSADC. In a web server, that subdirectory is also mapped as a virtual directory named MSADC off the web root.
Showcode.asp takes a single argument indicating the name of the file that is to be viewed. Though the sample code was initially intended to view code samples in the MSADC directory, a malicious user can start prodding by taking a path with MSADC and then use directory traversal to move up the directory tree and on to any path on the same drive. The vulnerability occurred because the sample script failed to check for that double-dot in the script's argument thereby making it exploitable.
Piggy-backing privileged command execution on back-end database queries (MDAC/RDS)
MDAC is a package used to integrate Web and database services. It includes the RDS component that provides remote access to database objects through IIS. By exploiting vulnerabilities in RDS depending on the security posture of the website, attackers can send random SQL commands that manipulate the database or retrieve any desired information. In this specific case, the attacker can even gain administrative rights by embedding the shell () VBA command into the SQL command and execute any highly privileged system commands.
Buffer Overflow Vulnerabilities
A buffer is an area of memory within a program that has used to store data of some kind - for instance, information on the program's status, intermediate computational results, or input parameters. Before placing any data into a buffer, the program should always verify that the buffer is large enough to accommodate all of the data.
Otherwise, the data can overrun the buffer and overwrite neighboring data, having the effect of modifying the program while it's running. If the data that overruns the buffer is random data, it won't be valid program code, and the program will fail when it tries to execute the random data. On the other hand, if the data is valid program code, the program will execute the new code and perform some new function - one chosen by whoever supplied the data. Practically exploitable remote buffer overflows on Windows are rare, but on IIS, the exploit scene is different. The first was the .htr buffer overflow exploit against IIS 4, discovered by eEye Digital Security in June 1999. On IIS, the severity of buffer overflows are high because IIS runs under the SYSTEM account context, buffer overflow exploits often allow arbitrary commands to be run as SYSTEM on the target system.
Some of the buffer overflows that have been seen are:

  • Internet Printing Protocol (IPP) buffer overflow

  • Indexing services ISAPI extension buffer overflow

  • Code Red Worm

  • FrontPage 2000 server extension buffer overflow

0 comments:

Post a Comment