Chris Davis | 3 Mar 2003 17:23

host header names as security devices

The IIS "host header name" setting provides virtual naming capability for a
single IP/port assignment.  I am curious if the use of a host header name
adds any security against IP address range port 80 scanners that attempt to
exploit target hosts.

In the event of an HTTP request sent to the IP address (rather than to the
hostname) of an IIS server running a web site configured with an IIS host
header name, in absence of a default site, the IIS server will return "No
web site is configured at this address" because the HTTP request did not
match a configured host header name and there was no default site to return.

Does IIS short circuit all the ISAPI filtering and such in this case where
the request does not match a configured host header name and no default site
exists?  If so, then are unpatched/unknown vulnerabilities not exploitable
when a request is made by IP address rather than host name since the request
may not make it to the ISAPI filters that have buffer overflows (or
encoding%20issues or other vulnerabilities)?

If IIS does short circuit the ISAPI filtering of the request, it seems that
use of host header names (while disabling the default site) can act as an
impediment to automated scanners that scan IP ranges trying exploits without
knowing hostnames.

(The IIS lockdown tool will filter requests with cmd.exe and root.exe and
*.dll and *.ida and such, which you would still want to use to prevent
attacks that do use your configured host header name.  In addition to the
IIS lockdown tool's features, the possible host header name ISAPI
short-circuit might add a security layer that excludes all IP block scanner
requests that attempt exploits from the possibility of success.)
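To make the "no matching host header, no default site" case concrete, here is a small model of name-based virtual hosting, added for this thread. It is not IIS code and does not model where ISAPI filters sit in IIS's real pipeline; the class and function names are hypothetical. It shows that, in such a dispatcher, an address-only request is answered before any site handler runs, while the same request with the right host name still reaches the site.

```python
# Added example for this thread: a model of host-header dispatch, not IIS code.
# It does not model IIS's real pipeline or ISAPI filter ordering; all names
# here are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Site:
    """One virtual site; handled_paths records which requests reached its handlers."""
    name: str
    handled_paths: list = field(default_factory=list)

    def handle(self, path: str):
        # Stands in for the per-site processing (script maps, extensions)
        # that a matched request would go through.
        self.handled_paths.append(path)
        return 200, f"{self.name} served {path}"


class HostHeaderDispatcher:
    """Routes a request to a site by its Host header, like an IIS host header name."""

    def __init__(self, sites: dict, default_site: "Site | None" = None):
        # Host names match case-insensitively; an optional :port suffix is ignored.
        self.sites = {name.lower(): site for name, site in sites.items()}
        self.default_site = default_site

    def dispatch(self, host_header: "str | None", path: str):
        site = None
        if host_header:
            site = self.sites.get(host_header.split(":", 1)[0].lower())
        if site is None:
            site = self.default_site
        if site is None:
            # Nothing matched and no default site exists: the request is
            # answered here and never reaches any site handler.
            return 404, "No web site is configured at this address"
        return site.handle(path)


def compare_configurations(path: str = "/default.ida"):
    """Run the same three requests against a server without and with a default site."""
    results = {}
    for label, with_default in (("no_default_site", False), ("with_default_site", True)):
        www = Site("www.example.com")  # example.com is a reserved example name
        default = Site("default") if with_default else None
        dispatcher = HostHeaderDispatcher({"www.example.com": www}, default)
        results[label] = {
            "by_ip": dispatcher.dispatch("192.0.2.10", path)[0],  # request addressed by IP
            "no_host": dispatcher.dispatch(None, path)[0],        # HTTP/1.0 request, no Host header
            "by_name": dispatcher.dispatch("www.example.com", path)[0],
            "reached_www": list(www.handled_paths),
        }
    return results


if __name__ == "__main__":
    for label, outcome in compare_configurations().items():
        print(label, outcome)
```

In the model, the address-only and Host-less requests are refused without a site handler running only when no default site is configured; adding a default site sends them to that site instead. A request carrying the configured host name reaches the site either way, and the host name is public information, so this is exposure reduction for address-only traffic, not a substitute for patching and the lockdown filtering the post already mentions.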


Sandy Ryan | 3 Mar 2003 17:47

code red---- on system that is already (and has been) patched


well - I doubt that the log is right - because I think the 200 implies
that it's not infected - but when my customer sees his report - and path
taken through the site he sees worm.com

here's the log (simplified to get through the moderator)
GET /default.ida 

NN----NN%u9090%u6858%ucbd3%u7801...%u9090%u9090%u8190%u00c3%u0003%u8b00%
u531b%u53ff%u0078%u0000%u00=a 200 0 206 4039 266 HTTP/1.0 [you know the 
url]- - -

Marc Fossi | 3 Mar 2003 20:16

SecurityFocus Microsoft Newsletter #127

SecurityFocus Microsoft Newsletter #127
---------------------------------------

This Issue is sponsored by: SPI Dynamics

ALERT: How a Hacker Launches a SQL Injection Attack Step-by-Step It's as
simple as placing additional SQL commands into a Web Form input box giving
hackers complete access to all your backend systems!  Firewalls and IDS
will not stop such attacks because SQL Injections are NOT seen as
intruders.  Download this *FREE* white paper from SPI Dynamics for a
complete guide to protection!

http://www.spidynamics.com/mktg/sqlinjection30
-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Intrusion Prevention Systems: the Next Step in the Evolution...
     2. U.S. Information Security Law, Part One
     3. The Consequences of Criminalizing Crypto
     4. Media Gone Mad
     5. SecurityFocus DPP Program
     6. InfoSec World Conference and Expo/2003(March10-12,2003,Orlando,FL)
II. MICROSOFT VULNERABILITY SUMMARY
     1. TCPDump Malformed ISAKMP Packet Denial Of Service Vulnerability
     2. PlatinumFTPServer Directory Traversal Variant Vulnerability
     3. Mambo Site Server Cookie Validation Vulnerability
     4. Microsoft Internet Explorer Self Executing HTML File Vulnerability
     5. AMX Mod Remote 'amx_say' Format String Vulnerability
     6. Apache Web Server MIME Boundary Information Disclosure...
     7. Apple QuickTime/Darwin Streaming Server Command Execution...

Mike Heitz | 3 Mar 2003 20:29

RE: code red---- on system that is already (and has been) patched

I'm not 100% sure Sandy, but when I see Code Red hits (my server is
patched, and patched on top of patched...) I see a 404 reply instead of
a 200...

mike heitz ** sr it manager ** UPSHOT
312-943-0900 x5190

-----Original Message-----
From: Sandy Ryan [mailto:sryan <at> seewolf.com] 
Sent: Monday, March 03, 2003 10:47 AM
To: focus-ms <at> securityfocus.com
Subject: code red---- on system that is already (and has been) patched

well - I doubt that the log is right - because I think the 200 implies
that it's not infected - but when my customer sees his report - and path
taken through the site he sees worm.com

here's the log (simplified to get through the moderator)
GET /default.ida 

NN----NN%u9090%u6858%ucbd3%u7801...%u9090%u9090%u8190%u00c3%u0003%u8b00%
u531b%u53ff%u0078%u0000%u00=a 200 0 206 4039 266 HTTP/1.0 [you know the 
url]- - -


Levinson, Karl | 3 Mar 2003 22:17

RE: code red---- on system that is already (and has been) patched

My understanding is that code 200 is exactly what you get in response to
Code Red's GET /DEFAULT.IDA request, if you have installed the relevant
security patch but have not yet removed the relevant script mappings from
IIS.  More information:

http://securityadmin.info/faq.htm#iislogs2
http://securityadmin.info/faq.htm#iislogs

Note that usually an HTTP code 200 is a disturbing code to see in the context
of a worm, as it normally represents the successful execution of the attack
command.  In this case, however, the code 200 is inconclusive and does not
in itself prove the success or failure of the attack.  [Similarly, an HTTP
502 doesn't always prove that a particular attack failed.]

On the other hand, successful attacks from Nimda, Code Red, Sadmind, etc.
will all show code 200's in the logs.

As your customer might already know, just installing patches does not by
itself make your server secure.  Your customer would want to consider also
setting the correct settings, deleting the correct files, setting the
appropriate file permissions, disabling services, etc.  Installing patches
may protect you from many of today's exploits, but not the exploits
discovered tomorrow.  The Baseline Security guidelines for Windows and IIS
from www.microsoft.com/technet/security are one place to start, and/or the
instructions at http://securityadmin.info/faq.htm#harden

HTH

- karl
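Karl's point that a 200 on the default.ida request is inconclusive, while a 200 on a cmd.exe or root.exe request is not, can be turned into a small log triage script. The one below is an added example for this thread, not code from any poster; the log lines are constructed to look like IIS W3C extended logging (the #Fields line gives the column order) and the verdict strings are my own wording.

```python
# Added example for this thread: triage IIS W3C log lines for worm-style probes.
# Not code from any poster. SAMPLE_LOG is constructed; the field order follows
# its own #Fields line, so the parser works for other W3C layouts too.
import re
from dataclasses import dataclass

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-version
2003-03-03 10:47:12 198.51.100.7 GET /default.ida NNNNNNNN%u9090%u6858%ucbd3%u7801=a 200 HTTP/1.0
2003-03-03 10:48:01 198.51.100.7 GET /scripts/root.exe /c+dir 404 HTTP/1.0
2003-03-03 10:48:02 198.51.100.7 GET /c/winnt/system32/cmd.exe /c+dir 500 HTTP/1.0
2003-03-03 11:02:44 203.0.113.9 GET /default.htm - 200 HTTP/1.1
"""

# Patterns drawn from the requests discussed in this thread.
IDA_STEM = re.compile(r"\.ida$", re.IGNORECASE)
CODE_RED_QUERY = re.compile(r"N{4,}|%u9090", re.IGNORECASE)
SHELL_PROBE = re.compile(r"(cmd\.exe|root\.exe|admin\.dll)$", re.IGNORECASE)


@dataclass
class Finding:
    time: str
    client: str
    probe: str
    status: int
    verdict: str


def parse_w3c(text: str):
    """Parse W3C extended log text into dicts keyed by the names in #Fields."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def verdict_for(probe: str, status: int) -> str:
    """Interpret the status code in the context of the probe type."""
    if status == 404:
        return "not reached: no file or script mapping answered the request"
    if status >= 500:
        return "errored: a handler ran but failed"
    if status == 200 and probe == "code-red-ida":
        # Per the thread: the .ida mapping answered, but this alone does not
        # show whether the patch is installed. Confirm the patch and remove
        # the mapping if it is not needed.
        return "inconclusive: .ida mapping still handles requests; confirm patch, remove mapping"
    if status == 200:
        return "served: request succeeded; treat the host as possibly compromised"
    return "other: review manually"


def triage(rows):
    """Return a Finding for every row that looks like a worm probe."""
    findings = []
    for r in rows:
        stem, query, status = r["cs-uri-stem"], r["cs-uri-query"], int(r["sc-status"])
        if IDA_STEM.search(stem) and CODE_RED_QUERY.search(query):
            probe = "code-red-ida"
        elif SHELL_PROBE.search(stem):
            probe = "shell-probe"
        else:
            continue
        findings.append(Finding(r["time"], r["c-ip"], probe, status, verdict_for(probe, status)))
    return findings


if __name__ == "__main__":
    for f in triage(parse_w3c(SAMPLE_LOG)):
        print(f"{f.time} {f.client} {f.probe} {f.status}: {f.verdict}")
```

On the constructed sample, the default.ida line with a 200 is reported as inconclusive, the root.exe 404 as never having reached a handler, and the cmd.exe 500 as a handler that ran and failed. Point the parser at a real log file and the same verdicts apply; a 200 on a shell probe is the case to escalate first.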


Kurt Keys | 3 Mar 2003 22:19

RE: code red---- on system that is already (and has been) patched

On the following web-site a list of HTTP Status codes is found. For a code 200 it says:
200 OK 
The request has succeeded. The information returned with the response is dependent on the method used in
the request, for example: 

GET an entity corresponding to the requested resource is sent in the response; 

HEAD the entity-header fields corresponding to the requested resource are sent in the response without
any message-body; 

POST an entity describing or containing the result of the action; 

TRACE an entity containing the request message as received by the end server. 

Respectfully,

Kurt M. Keys
_______________________________
Kurt M. Keys
Information Security Specialist
San Diego Data Processing Corporation
858-581-7844
kkeys <at> sddpc.org
_______________________________
Bill Martin 
Information Security Officer 
San Diego Data Processing Corporation
858-581-9726 
bmartin <at> sddpc.org 
_______________________________

Dill, Stephen | 3 Mar 2003 23:24

RE: code red---- on system that is already (and has been) patched

In a nutshell, if a 200 reply was logged for a "code red" request, then your
server received the request and processed it as a vulnerable system should.

Symantec has a little utility (I don't work for them.  Just a happy user.)
that will check for the vulnerability and, if found to be vulnerable, look
for the worm.

http://www.sarc.com/avcenter/fixcodered.zip

If the system is found to be vulnerable, I suggest disconnect, clean (if
infected), patch, reboot, check again, and if everything looks good,
reconnect.

-----Original Message-----
From: Mike Heitz [mailto:mikeheitz <at> upshotmail.com]
Sent: Monday, March 03, 2003 2:30 PM
To: Sandy Ryan; focus-ms <at> securityfocus.com
Subject: RE: code red---- on system that is already (and has been)
patched

I'm not 100% sure Sandy, but when I see Code Red hits (my server is
patched, and patched on top of patched...) I see a 404 reply instead of
a 200...

mike heitz ** sr it manager ** UPSHOT
312-943-0900 x5190

-----Original Message-----
From: Sandy Ryan [mailto:sryan <at> seewolf.com] 
Sent: Monday, March 03, 2003 10:47 AM

Mike Heitz | 3 Mar 2003 22:27

RE: code red---- on system that is already (and has been) patched

So, in this instance, since Sandy is seeing a 200 level response, does
that mean her system is in fact infected? Wouldn't a 200 level response
indicate that the server is responding positively to the query? My 404
leads me to believe that the request is being cut off right there...
"sorry pal, page not found"...

Or am I reading this the wrong way?

mike heitz ** sr it manager ** UPSHOT
312-943-0900 x5190

-----Original Message-----
From: Kurt Keys [mailto:kkeys <at> sddpc.org] 
Sent: Monday, March 03, 2003 3:19 PM
To: focus-ms <at> securityfocus.com; sryan <at> seewolf.com; Mike Heitz
Subject: RE: code red---- on system that is already (and has been)
patched

On the following web-site a list of HTTP Status codes is found. For a
code 200 it says:
200 OK 
The request has succeeded. The information returned with the response is
dependent on the method used in the request, for example: 

GET an entity corresponding to the requested resource is sent in the
response; 

HEAD the entity-header fields corresponding to the requested resource
are sent in the response without any message-body; 


Leonard.Ong | 4 Mar 2003 04:30

RE: 5 security questions


At the moment, standards for smartcards are not yet common.  In this situation, you may have to rely on the APIs and
software from that smartcard manufacturer.  There are some books on smartcards that you may want to look at.

Auto-logout is a software feature; the card reader and the OS do not really care about it.

Leonard

Sandy Ryan | 4 Mar 2003 01:44

RE: code red---- on system that is already (and has been) patched

Well this is getting weirder - as the log file says GET /default.ida -
200 means request complete - wouldn't I find (by doing a system search)
default.ida?

Well I don't
Other files that are not found when searching
Root.exe
Admin.dll (in the root directories)
Any .eml or .nws files
And when I ran the code red 2 removal tool - it said nothing to remove.

There are other logs that showed the system was being scanned looking for
/c+ and /cmd.exe but those had a 404 indicator or a 500 - it was only the
get /default.ida that had the 200 indicator... and it happened on one day 6
times. Since that day it hasn't shown up.... 

Strange and mysterious.

Thanks for all your help

Sandy Ryan

-----Original Message-----
From: Nunzio Morretti [mailto:nmorretti <at> mathsoft.com] 
Sent: Monday, March 03, 2003 4:18 PM
To: 'Mike Heitz'; Sandy Ryan; 'focus-ms <at> securityfocus.com'
Subject: RE: code red---- on system that is already (and has been) patched

Response 200 is an "OK-Request completed"

