Microsoft IIS 5.0/51./6.0 HTTP 401 Response Internal IP Disclosure
Results 1 to 4 of 4

Thread: Microsoft IIS 5.0/51./6.0 HTTP 401 Response Internal IP Disclosure

  1. #1
    Senior Member
    Join Date
    Jun 2003
    Posts
    188

    Microsoft IIS 5.0/51./6.0 HTTP 401 Response Internal IP Disclosure

    Microsofts IIS 5.0/5.1/6.0 Web servers seem to disclose their internal ip, when giving
    a 401 HTTP response take a loook.

    [11:05 PM ~]#nc -vv 127.0.0.1 267
    localhost [127.0.0.1] 267 (?) open
    OPTIONS / HTTP/1.0


    HTTP/1.1 401 Unauthorized
    Content-Length: 1656
    Content-Type: text/html
    Server: Microsoft-IIS/6.0
    WWW-Authenticate: Basic realm="172.20.0.79"
    MicrosoftOfficeWebServer: 5.0_Pub
    X-Powered-By: ASP.NET
    Date: Sun, 06 Nov 2005 17:39:09 GMT
    Connection: close

    The basic realm is set to the internal IP

    NOTE: Don't fret on the port 267 thing, the whole thing is through sslproxy.

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Tried it without authentication on ? Played around with the default error pages any? Isn't the realm configurable? I am pretty sure in Apache it is with AuthRealm...I would assume something similar exists for IIS (sorry I try really really hard to avoid IIS, so I haven't really played around with this part in IIS)...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Further elaboration:

    From httpd.conf:
    AuthType Basic
    AuthName "Whatever I want it to say"
    AuthUserFile /etc/httpd/htpass
    Require valid-user
    Code:
    /etc/init.d/httpd start
    Starting httpd:                                            [  OK  ]
    [root@localhost conf]# nc localhost 80
    OPTIONS / HTTP/1.0
    
    HTTP/1.1 401 Authorization Required
    Date: Fri, 02 Dec 2005 18:09:13 GMT
    Server: Apache/2.0.53 (Fedora)
    WWW-Authenticate: Basic realm="Whatever I want it to say"
    Content-Length: 491
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    So wouldn't this be a configuration issue ? Granted I know I used Apache, but I would assume IIS would have similar functionality using .htaccess?
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #4
    Banned
    Join Date
    May 2003
    Posts
    1,004
    The realm (if specified) is also revealed in the popup window requesting authentication information.

    my IIS 5.0 server replies with

    HTTP/1.1 401 Access Denied
    Server: Microsoft-IIS/5.0
    Date: Sun, 04 Dec 2005 21:17:01 GMT
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM
    Content-Length: 24
    Content-Type: text/html

    Error: Access is Denied.

    Connection to host lost.
    I have my system configured to use Kerbose authentiation and if the client is not capable then to fall back on NTLM. The realm has been replaced by the domain and is provided by the client (since this system is connected to several domains)

    Review: http://www.owasp.org/columns/jlima/joelima2.html for more information on IIS authentication. It is not a great article, but the MS info is kinda spread... and this is simple and concise.

    Lastly view:
    http://www.microsoft.com/windows2000...p/apro9ael.htm
    for information about modifying the realm settings in the metabase.

    cheers,

    catch

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •