Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » NISR05032002B: Internal IP Addresses and IIS

NISR05032002B: Internal IP Addresses and IIS

by Nikola Strahija on March 5th, 2002 Microsoft's IIS offers web, ftp, mail and nntp services. If the server is protected by a firewall using Network Address Translation and the server uses a private internal IP address then, by making a malformed request to the web service it is possible for an attacker to discover this IP address. Whilst this won't come anywhere near to allowing an attacker to compromise a IIS server it will help them formulate further attacks.


This issue is similar to the issue
documented at
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q218180&id=KB;EN
-US;Q218180


Details
*******
By making certain requests to the web service with a blank Host HTTP
client header the server response will often contain the server's IP
address, for example when using the PROPFIND request method.

PROPFIND / HTTP/1.1
Host:
Content-Length: 0

The server will return a 207 Multi-Status response with certain
properties of the root page. The server's IP address will be revealed if
the HREF property. Using the WRITE or MKCOL method will return the
machine's IP address in the Location server HTTP header, though of
course if the server allows the WRITE and MKCOL methods then the server
has greater problems.

Only IIS 5 and 5.1 support the WebDAV methods so these methods only
affect these systems. IIS 5.x and 4.0 are both vulnerable to this issue
if Basic authentication is enabled. (see #NISR05032002A
http://www.nextgenss.com/advisories/iisauth.txt)




Fix Information
***************
To prevent internal IP address disclosure take the following steps.

Open a command prompt and change the current directory to
c:inetpubadminscripts or to where the adminscripts can be found.

Run the commands

adsutil set w3svc/UseHostName True
net stop iisadmin /y
net start w3svc

This will cause the IIS server to use the machine's host name rather
than its IP address.


Vendor Status
*************
Microsoft was informed of this issue. They didn't need to take any
action as a suitable work-around is available.



Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »