-
December 2nd, 2005, 06:34 PM
#1
Microsoft IIS 5.0/5.1/6.0 HTTP 401 Response Internal IP Disclosure
Microsoft's IIS 5.0/5.1/6.0 web servers seem to disclose their internal IP when giving
a 401 HTTP response. Take a look.
[11:05 PM ~]#nc -vv 127.0.0.1 267
localhost [127.0.0.1] 267 (?) open
OPTIONS / HTTP/1.0
HTTP/1.1 401 Unauthorized
Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Basic realm="172.20.0.79"
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Sun, 06 Nov 2005 17:39:09 GMT
Connection: close
The Basic realm is set to the internal IP.
NOTE: Don't fret on the port 267 thing, the whole thing is through sslproxy.
-
December 2nd, 2005, 06:40 PM
#2
Tried it without authentication on? Played around with the default error pages any? Isn't the realm configurable? I am pretty sure in Apache it is with AuthRealm... I would assume something similar exists for IIS (sorry, I try really, really hard to avoid IIS, so I haven't really played around with this part in IIS)...
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
December 2nd, 2005, 07:11 PM
#3
Further elaboration:
From httpd.conf:
AuthType Basic
AuthName "Whatever I want it to say"
AuthUserFile /etc/httpd/htpass
Require valid-user
Code:
/etc/init.d/httpd start
Starting httpd: [ OK ]
[root@localhost conf]# nc localhost 80
OPTIONS / HTTP/1.0
HTTP/1.1 401 Authorization Required
Date: Fri, 02 Dec 2005 18:09:13 GMT
Server: Apache/2.0.53 (Fedora)
WWW-Authenticate: Basic realm="Whatever I want it to say"
Content-Length: 491
Connection: close
Content-Type: text/html; charset=iso-8859-1
So wouldn't this be a configuration issue? Granted, I know I used Apache, but I would assume IIS would have similar functionality using .htaccess?
-
December 4th, 2005, 10:54 PM
#4
The realm (if specified) is also revealed in the popup window requesting authentication information.
My IIS 5.0 server replies with:
HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.0
Date: Sun, 04 Dec 2005 21:17:01 GMT
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 24
Content-Type: text/html
Error: Access is Denied.
Connection to host lost.
I have my system configured to use Kerberos authentication and, if the client is not capable, then to fall back on NTLM. The realm has been replaced by the domain and is provided by the client (since this system is connected to several domains).
Review: http://www.owasp.org/columns/jlima/joelima2.html for more information on IIS authentication. It is not a great article, but the MS info is kinda spread... and this is simple and concise.
Lastly view:
http://www.microsoft.com/windows2000...p/apro9ael.htm
for information about modifying the realm settings in the metabase.
cheers,
catch
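
Added example, not part of any post in this thread: a small Python check that an administrator could run over captured 401 responses to flag a `WWW-Authenticate` realm that is an internal IP address. The three sample responses are constructed from the headers quoted in posts #1, #3 and #4; the function and variable names are hypothetical.

```python
import ipaddress
import re

# realm="..." (or an unquoted token) inside a WWW-Authenticate value
_REALM_RE = re.compile(r'realm\s*=\s*(?:"([^"]*)"|([^\s,]+))', re.IGNORECASE)

# Constructed samples: headers copied from the three responses in the thread
IIS_6 = ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/6.0\r\n"
         'WWW-Authenticate: Basic realm="172.20.0.79"\r\n'
         "Connection: close\r\n\r\n")
APACHE = ("HTTP/1.1 401 Authorization Required\r\n"
          "Server: Apache/2.0.53 (Fedora)\r\n"
          'WWW-Authenticate: Basic realm="Whatever I want it to say"\r\n\r\n')
IIS_5 = ("HTTP/1.1 401 Access Denied\r\nServer: Microsoft-IIS/5.0\r\n"
         "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n"
         "Error: Access is Denied.")


def www_authenticate_values(raw_response):
    """Return every WWW-Authenticate header value from a raw HTTP response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    values = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            values.append(value.strip())
    return values


def realms_leaking_private_ip(raw_response):
    """Return realm strings that are private, loopback or link-local IPs."""
    leaks = []
    for value in www_authenticate_values(raw_response):
        for quoted, bare in _REALM_RE.findall(value):
            realm = (quoted or bare).strip()
            try:
                addr = ipaddress.ip_address(realm)
            except ValueError:
                continue  # realm is a name or phrase, not an IP address
            if addr.is_private or addr.is_loopback or addr.is_link_local:
                leaks.append(realm)
    return leaks


if __name__ == "__main__":
    for name, resp in (("IIS 6.0", IIS_6), ("Apache", APACHE), ("IIS 5.0", IIS_5)):
        print(name, realms_leaking_private_ip(resp))
```

Only the IIS 6.0 sample is flagged; the Apache realm is a configured phrase and the Negotiate/NTLM challenges carry no realm at all.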