Tag Archives: iis

Two IIS Information Disclosure Vulnerabilities

Severity: Medium

Summary:

  • These vulnerabilities affect: The IIS FTP service running on Windows Vista, 2008, 7, and 2008 R2
  • How an attacker exploits them: By sending specially crafted FTP commands or accessing a local log file
  • Impact: In the worst case, a local attacker can learn the credentials for a local account
  • What to do: Deploy the appropriate IIS update at your earliest convenience

Exposure:

Internet Information Services (IIS) is the popular Web and FTP server that ships with all server versions of Windows.

In a security bulletin released today as part of Patch Day, Microsoft describes two relatively minor information disclosure vulnerabilities that affect the popular web server and its optional FTP server.

The first is a local credential disclosure vulnerability due to an unprotected log file. Basically, a particular IIS log file stores the credentials for a configured user in clear text. If an attacker can already log into your IIS server, they can learn the credentials of your configured IIS users. Granted, if an attacker can already log into your IIS server, you have bigger problems to solve.

The second issue is an unspecified FTP command injection vulnerability. Microsoft doesn’t describe this flaw in much detail, only saying that an unauthenticated attacker can execute a limited set of FTP commands on IIS servers by sending specially crafted FTP commands. The attack works even if you do not enable “anonymous” FTP access. According to Microsoft’s bulletin, a malicious client can leverage this vulnerability to “obtain information disclosure on a vulnerable system.” However, they don’t really say what information the attacker can disclose, whether it is access to the files on the FTP site or something else. Since the IIS FTP service is not enabled by default, and Microsoft only rates this flaw as Moderate, it doesn’t sound that severe.

That said, we still recommend you download, test, and deploy Microsoft’s IIS updates at your earliest convenience.

Solution Path:

Microsoft has released IIS updates to correct these vulnerabilities. If you manage IIS servers, download, test, and deploy the corresponding update at your earliest convenience.

You’ll find links to the updates in the “Affected and Non-Affected Software” section of Microsoft’s IIS security bulletin.

For All WatchGuard Users:

Since at least one of these attacks is a local-only threat, which a gateway appliance can’t prevent, we recommend you apply the updates described above.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

IIS FTP Service Buffer Overflow Vulnerability

Severity: High

8 February, 2011

Summary:

  • This vulnerability affects: The IIS FTP service running on Windows Vista, 2008, 7, and 2008 R2
  • How an attacker exploits it: By sending a specially crafted FTP command
  • Impact: In the worst case, an attacker gains complete control of your IIS server
  • What to do: Deploy the appropriate IIS update immediately, or let Windows Automatic Update do it for you

Exposure:

Internet Information Services (IIS) is the popular web and FTP server that ships with all server versions of Windows.

In a security bulletin released today as part of Patch Day, Microsoft describes a serious vulnerability that affects the optional FTP server that comes with the latest versions of IIS. Specifically, the IIS FTP service suffers from a buffer overflow vulnerability involving the way it handles specially crafted FTP commands (or, more specifically, specially encoded characters in an FTP response). By sending such a malformed FTP command, an attacker could exploit this vulnerability either to put your FTP server into a Denial of Service (DoS) state or to gain complete control of it. An attacker does not have to authenticate to your FTP server to launch this attack.

However, IIS does not install or start the IIS FTP service by default. You are only vulnerable to this attack if you have specifically installed and started this service. That said, many administrators do enable IIS’s FTP service in order to give web administrators an easy way to update their web sites. If you are one of those administrators, you should consider this flaw a serious risk.
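Since the alert makes exposure hinge on whether the optional FTP service is installed and started, a quick way to settle that on each IIS host is useful. The following PowerShell is an added example, not code from the original alert or from Microsoft; it assumes the service name `ftpsvc` (the Microsoft FTP Service in IIS 7.x) and uses a placeholder where the bulletin’s KB number would go.

```powershell
# Added example (not from the original alert): report whether this host runs the
# optional IIS FTP service and whether a given update is present.
# Run in an elevated PowerShell session on the IIS host.

# Assumed service name of the Microsoft FTP Service that ships with IIS 7.x.
$ftpServiceName = 'ftpsvc'

# Placeholder: substitute the KB number listed in Microsoft's bulletin for your OS.
$expectedHotfix = 'KB<number-from-bulletin>'

# Win32_Service reports both the live state and the configured start mode, so a
# stopped-but-Automatic service still shows up as exposure after the next reboot.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ftpServiceName'"

if ($null -eq $svc) {
    Write-Output "$ftpServiceName is not installed: this host is not exposed to the IIS FTP flaws."
} else {
    Write-Output ("{0} installed. State: {1}; start mode: {2}; runs as: {3}" -f
        $svc.Name, $svc.State, $svc.StartMode, $svc.StartName)

    # Confirm something is actually listening on the FTP control port (TCP/21).
    $listening = netstat -ano | Select-String -Pattern ':21\s+\S+\s+LISTENING'
    if ($listening) {
        Write-Output 'TCP/21 is in LISTENING state: the service is reachable over the network.'
    }

    # Check whether the bulletin's update has been applied on this host.
    $fix = Get-HotFix -Id $expectedHotfix -ErrorAction SilentlyContinue
    if ($fix) {
        Write-Output ("Update {0} is installed (installed on {1})." -f $fix.HotFixID, $fix.InstalledOn)
    } else {
        Write-Output "Update $expectedHotfix not found: apply it before leaving FTP enabled."
    }
}
```

On Windows Server 2008 R2 the same question can be asked of the role service itself with `Import-Module ServerManager; Get-WindowsFeature Web-Ftp-Server`, which also tells you whether the feature was ever installed even if the service has since been disabled.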

Researchers have already publicly released Proof-of-Concept (PoC) exploit code demonstrating the DoS version of this flaw. Whether or not you are using the IIS FTP service, we still recommend you download, test and install this update as soon as you can. Being a critical server update, we highly recommend you test it on non-production servers before pushing it to your real web site.

Solution Path:

Download, test, and deploy the appropriate IIS patches immediately, or let Windows Automatic Update do it for you.

For All WatchGuard Users:

This attack leverages seemingly normal FTP response traffic. You should apply the updates above.

Status:

Microsoft has released patches to fix this vulnerability.

References:

This alert was researched and written by Corey Nachreiner, CISSP.



Microsoft Black Tuesday: A dozen bulletins fix 22 vulnerabilities (but not the zero day MHTML flaw)

As expected, Microsoft posted their first big patch day of 2011 today (the last one was small). Unfortunately, the dozen security updates they released do not fix the unpatched MHTML flaw, which I mentioned in last week’s early notification. Even so, the released updates fix many serious flaws. You should start upgrading as soon as you can.

According to their Bulletin Summary for February, Microsoft released 12 security updates, which fix 22 vulnerabilities in Windows, Internet Explorer (IE), Visio, and Internet Information Services (IIS). The highlights include:

  • A Critical, cumulative IE update
  • An Important IIS patch, which fixes an FTP-related code execution flaw
  • Nine updates for Windows and components that ship with it; two Critical and the rest Important
  • And an Important Visio update

As usual, you should install the Critical updates first, as they tend to fix vulnerabilities that remote attackers can leverage to execute code on affected machines. That said, Important updates often fix serious vulnerabilities too; though ones that typically require more user-interaction or affect services not installed by default. I recommend you take the Important updates just as seriously as you do the Critical ones.

As usual, Microsoft has arranged their Bulletin Summary in order of severity, so you could certainly install them in that order. Personally, though, I would install the IE update first, as the web is currently the biggest vector of attack. Next, I would consider installing the FTP-related IIS update. Microsoft only rates this update as Important, but I suspect they do so only because IIS doesn’t start the FTP service by default. However, if you do use the IIS FTP service, this update fixes a pretty significant flaw. After that, make your way through the Windows updates, starting with the Critical ones. Finally, finish off with the Visio patches, if you use that popular diagramming tool. As always, I recommend you test Microsoft’s patches on non-production machines before deploying them throughout your network, especially when updating servers such as IIS.

We will post more detailed information about these flaws, and how to fix them, in alerts posted to the WatchGuard Security Center shortly. However, due to internal scheduling and travel, we will post these alerts later in the day than normal. Until then, I recommend you expand the “Affected Software and Download Location” section of the Summary to find solution information and get a head start with your patching.

Corey Nachreiner, CISSP

Three IIS Flaws Allow Authentication Bypass, DoS, or Code Execution

Summary:

  • These vulnerabilities affect: IIS 5.1, 6.0, 7.0 and 7.5
  • How an attacker exploits them: By sending specially crafted HTTP requests or URLs
  • Impact: In the worst case, an attacker can gain complete control of your IIS server
  • What to do: Install Microsoft’s IIS update immediately, or let Windows Update do it for you

Exposure:

Microsoft’s Internet Information Services (IIS) is one of the most popular web servers used on the Internet. All server versions of Windows come with IIS, though some of its services may not start by default.

In a security bulletin released as part of Patch Day, Microsoft describes three vulnerabilities affecting IIS. The worst is a buffer overflow vulnerability involving the way IIS handles FastCGI-enabled requests. By sending your IIS server a specially crafted HTTP request, an attacker could exploit this vulnerability to gain complete control of your IIS server. This flaw sounds quite bad; however, a key mitigating factor limits its severity. FastCGI is not enabled by default on IIS servers. You are only vulnerable to this flaw if you’ve specifically enabled it.

The two remaining flaws are a Denial of Service flaw that an attacker could leverage to crash your IIS server, and an authentication bypass vulnerability that attackers could leverage to gain access to web resources that require authentication.

Though Microsoft only rates these flaws as Important, we recommend IIS administrators download, test and install the IIS update immediately.

Solution Path:

Microsoft has released IIS updates to fix these vulnerabilities. IIS administrators should download, test and deploy the corresponding update as soon as possible, or let Windows Update do it for you.

For All WatchGuard Users:

WatchGuard’s HTTP-Server proxy action allows you to control many aspects pertaining to the HTTP requests you accept to your web server. In some cases, this control can allow you to configure your proxies in ways that prevent certain types of attacks from succeeding. However, neither Microsoft, nor this flaw’s original discoverer, have disclosed enough technical detail about this flaw for us to say whether or not our proxy can help. If we do learn technical details that suggest our proxies do help, we’ll update this alert. However for now, Microsoft’s patches are your primary recourse.

Status:

Microsoft has released updates to correct this vulnerability.

References:

  • Microsoft Security Bulletin MS10-65

This alert was researched and written by Corey Nachreiner, CISSP.

Remote IIS Code Execution Flaw Affects Only Select Web Servers

Summary:

  • This vulnerability affects: IIS 6.0, 7.0 and 7.5
  • How an attacker exploits it: By sending a specially crafted HTTP request
  • Impact: In the worst case, an attacker can gain complete control of your IIS server
  • What to do: Install Microsoft’s IIS updates, or let Windows Update do it for you

Exposure:

Microsoft’s Internet Information Services (IIS) is one of the most popular web servers used on the Internet. All server versions of Windows come with IIS, though some of its services may not start by default.

In a security bulletin released as part of Patch Day, Microsoft describes an unpatched code execution vulnerability in IIS. The flaw has to do with IIS’ inability to allocate memory properly when handling certain types of authentication information received from a client. By sending a specially crafted HTTP request containing such authentication information, a remote attacker could exploit this vulnerability to execute code on your IIS server with the privileges of the IIS Worker Process Identity (WPI). According to Microsoft, the WPI has the same privileges as the Windows Network Service account by default. However, in some cases, IIS administrators give the WPI administrative privileges to get their web applications to work. In these cases, the attacker could leverage this IIS vulnerability to gain complete control of your web server.

Though this vulnerability sounds extremely serious, a few mitigating factors significantly lessen its severity. First of all, your IIS server is only vulnerable to this flaw if you’ve installed an add-on feature called Extended Protection for Authentication. This add-on came with a non-security update referred to in this Microsoft Knowledge Base article. Furthermore, even if you’ve installed this update, Extended Protection for Authentication is not enabled by default; you’d actually have to enable the component first. Finally, even if you’ve installed and enabled this optional component, Microsoft claims only authenticated attackers can exploit this vulnerability. That is, only users with a valid account on your website could exploit this flaw.

Though the mitigating factors above significantly limit the severity of this vulnerability to average IIS administrators, this flaw does pose a very high risk to the IIS administrators that do use Extended Protection for Authentication. Whether or not you’re one of those administrators, we still recommend you apply Microsoft’s IIS update as soon as possible.
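Both this alert and the MS10-65 alert above turn on opt-in IIS settings: FastCGI for the earlier one, and Extended Protection for Authentication plus the worker process identity for this one. The following PowerShell is an added example, not code from the original alerts or from Microsoft; it reads the server-level configuration through `appcmd.exe`, which ships with IIS 7.x, and assumes the configuration section and attribute names shown in the comments (`system.webServer/fastCgi`, `FastCgiModule`, and the `extendedProtection` element’s `tokenChecking` attribute).

```powershell
# Added example (not from the original alerts): report whether the opt-in features
# the two IIS alerts name as mitigating factors are actually configured here.
# Uses appcmd.exe from IIS 7.x; run in an elevated PowerShell session on the IIS host.

$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
if (-not (Test-Path $appcmd)) { throw 'appcmd.exe not found: is IIS 7.x installed on this host?' }

# 1. FastCGI (MS10-65 alert): look for the native module, any handler mapped to it,
#    and any registered FastCGI application at the server level.
$fastCgiModule   = & $appcmd list module | Select-String -Pattern 'FastCgiModule'
$fastCgiHandlers = & $appcmd list config /section:system.webServer/handlers |
    Select-String -Pattern 'modules="FastCgiModule"'
$fastCgiApps     = & $appcmd list config /section:system.webServer/fastCgi |
    Select-String -Pattern '<application '

if ($fastCgiModule -or $fastCgiHandlers -or $fastCgiApps) {
    Write-Output 'FastCGI is configured: treat the FastCGI overflow as applicable to this server.'
    $fastCgiHandlers | ForEach-Object { Write-Output ("  handler: " + $_.Line.Trim()) }
    $fastCgiApps     | ForEach-Object { Write-Output ("  app:     " + $_.Line.Trim()) }
} else {
    Write-Output 'FastCGI is not configured (IIS default): the FastCGI overflow does not apply.'
}

# 2. Extended Protection for Authentication (MS10-40 alert). Assumed schema: the update
#    adds an <extendedProtection tokenChecking="None|Allow|Require"> element under
#    windowsAuthentication; no element means the add-on is not installed, and
#    tokenChecking="None" means it is installed but not enabled.
$winAuth = & $appcmd list config /section:system.webServer/security/authentication/windowsAuthentication
$ep = $winAuth | Select-String -Pattern 'tokenChecking="(\w+)"'

if (-not $ep) {
    Write-Output 'No extendedProtection element: the Extended Protection add-on is not installed.'
} elseif ($ep.Matches[0].Groups[1].Value -eq 'None') {
    Write-Output 'Extended Protection installed but tokenChecking="None": not enabled.'
} else {
    Write-Output ("Extended Protection ENABLED (tokenChecking={0}): this flaw applies." -f
        $ep.Matches[0].Groups[1].Value)
}

# 3. Worker process identity: the alert notes the impact grows if the application pool
#    runs as something more privileged than the default Network Service account.
$pools = & $appcmd list apppool /config
foreach ($line in $pools) {
    if ($line -match 'APPPOOL\.NAME="([^"]+)"')      { $poolName = $Matches[1] }
    if ($line -match 'identityType="(\w+)"') {
        $identity = $Matches[1]
        $user = if ($line -match 'userName="([^"]*)"') { $Matches[1] } else { '' }
        Write-Output ("  app pool {0}: identityType={1} {2}" -f $poolName, $identity, $user)
    }
}
```

`appcmd list config /section:…` without a site path shows the server-level (applicationHost.config) values; a site can override the handlers section, so repeat the handler check with a site path (for example `appcmd list config "Default Web Site/" /section:system.webServer/handlers`) for each site you care about. Any pool whose identity is `SpecificUser` with a member of the local Administrators group, or `LocalSystem`, is the case the alert warns about.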

Solution Path:

Microsoft has released IIS updates to fix this vulnerability. IIS administrators should download, test and deploy the corresponding update as soon as possible, or let Windows Update do it for you.

For All WatchGuard Users:

WatchGuard’s HTTP-Server proxy action allows you to control many aspects pertaining to the HTTP requests you accept to your web server. In some cases, this control can allow you to configure your proxies in ways that prevent certain types of attacks from succeeding. However, neither Microsoft, nor this flaw’s original discoverer, have disclosed enough technical detail about this flaw for us to say whether or not our proxy can help. If we do learn technical details that suggest our proxies do help, we’ll update this alert. However for now, Microsoft’s patches are your primary recourse.

Status:

Microsoft has released updates to correct this vulnerability.

References:

  • Microsoft Security Bulletin MS10-40

This alert was researched and written by Corey Nachreiner, CISSP.
