December 2003 - Posts

Two days ago AQTRONIX released a security advisory about a logging failure in IIS 5.0: the server answers a certain kind of request but writes nothing about it to its log, so information is disclosed without notice. The HTTP verb involved is 'TRACK', an IIS-specific verb that IIS treats as equivalent to TRACE. You can get the full alert document here.

First, let us look at what HTTP TRACE does. TRACK does not appear in the RFC at all; it is an IIS-specific verb that the server handles exactly like TRACE, so the RFC 2616 definition of TRACE (section 9.8) covers both:
The TRACE method is used to invoke a remote, application-layer loop-back of the request message. The final recipient of the request SHOULD reflect the message received back to the client as the entity-body of a 200 (OK) response. The final recipient is either the origin server or the first proxy or gateway to receive a Max-Forwards value of zero (0) in the request (see section 14.31). A TRACE request MUST NOT include an entity.

TRACE allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information. The value of the Via header field is of particular interest, since it acts as a trace of the request chain. Use of the Max-Forwards header field allows the client to limit the length of the request chain, which is useful for testing a chain of proxies forwarding messages in an infinite loop.

If the request is valid, the response SHOULD contain the entire request message in the entity-body, with a Content-Type of "message/http". Responses to this method MUST NOT be cached.

For more info, see RFC 2616 (the quote above is section 9.8, TRACE; Max-Forwards is section 14.31).

Now, the issue is that IIS 5.0 fails to log such requests, while IIS 6.0 does record them. Here are the log entries from one TRACE and one TRACK request to IIS 6.0 (both answered with 501 Not Implemented, and both written to the log):
192.168.1.XX TRACE / - 80 - 192.168.1.XX - 501 0 0
192.168.1.XX TRACK / - 80 - 192.168.1.XX - 501 0 0


On IIS 5.0 the TRACK request is missing from the log entirely; only the TRACE request is logged, and with a 200, since IIS 5.0 does answer it:
192.168.1.XX -  192.168.1.XX 80 TRACE / - 200 0 183

So a client can send TRACK requests to your IIS 5.0 web server without leaving any trace in the logs. By itself the reply is not much: it reflects the request back along with the standard response headers that identify the server, which a plain GET request returns too. The reason TRACE and TRACK get attention at all is that the reflected copy includes whatever request headers were sent, so an attacker who can make a victim's browser issue a TRACK request to your server gets that user's Cookie and Authorization headers back in the body (cross-site tracing), and on IIS 5.0 nothing in the log shows it happened. The easy fix is to deploy UrlScan, which by default only lets the GET, HEAD and POST verbs through to IIS (the AllowVerbs list in urlscan.ini) and rejects everything else, TRACE and TRACK included.

After UrlScan is installed, you will see an entry like this in the UrlScan log when such a request is made:
Client at 192.168.1.XX: Sent verb 'TRACK', which is not specifically allowed. Request will be rejected.
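As an added example, not code from the original post or from AQTRONIX or Microsoft, here is a small probe that builds the TRACE/TRACK loop-back request the RFC text describes and classifies what comes back: a reflected request (200 with a message/http body, the IIS 5.0 behaviour) or a rejection (501 on IIS 6.0, 404 behind UrlScan). It also reports which sensitive request headers the server echoed, which is the practical reason to block the verbs. The host name is a placeholder and the two sample responses are constructed by hand to mimic the behaviours in the post; they are not captured traffic. The `probe()` function does a live check and is not exercised offline.

```python
"""Added example, not code from the original post or from AQTRONIX/Microsoft.

Builds HTTP TRACE / TRACK loop-back requests and classifies the reply:
a reflected request (200 + message/http, as RFC 2616 9.8 describes) or a
rejection (IIS 6.0 answers 501, UrlScan answers 404). The sample responses
are constructed to mimic the behaviours the post describes; the host name
is a placeholder, and nothing here is captured from a real server."""
import socket


def build_request(verb, host, path="/", extra_headers=None):
    """Raw request bytes for a loop-back probe. Max-Forwards: 0 asks the
    first hop (origin server or proxy) to reflect the request itself."""
    lines = [f"{verb} {path} HTTP/1.1", f"Host: {host}", "Max-Forwards: 0"]
    for name, value in (extra_headers or {}).items():
        lines.append(f"{name}: {value}")
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw_response, sent_request):
    """'reflected'  -> 200 with a message/http body that echoes our request
       'rejected'   -> any non-200 status (501 on IIS 6.0, 404 via UrlScan)
       'unexpected' -> 200 but the body is not an echo of the request"""
    status, headers, body = parse_response(raw_response)
    if status != 200:
        return "rejected"
    ctype = headers.get("content-type", "")
    if ctype.startswith("message/http") and sent_request.strip() in body:
        return "reflected"
    return "unexpected"


def echoed_headers(raw_response, names):
    """Which of `names` (e.g. Cookie, Authorization) came back in the
    loop-back body. A reflected Cookie or Authorization header is what makes
    TRACE/TRACK useful to an attacker who can make a victim's browser send
    the request (cross-site tracing)."""
    wanted = {n.lower() for n in names}
    _, _, body = parse_response(raw_response)
    found = set()
    for line in body.decode("latin-1").split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in wanted:
            found.add(name)
    return sorted(found)


def probe(host, port, verb, path="/", timeout=5.0):
    """Live check against a real server (needs network; not used below)."""
    req = build_request(verb, host, path)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(req)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return req, b"".join(chunks)


# Constructed samples (placeholder host, not captured traffic).
REQUEST = build_request("TRACK", "iis5.example.test",
                        extra_headers={"Cookie": "ASPSESSIONIDQQ=abc123"})
IIS5_REFLECTED = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
                  b"Content-Type: message/http\r\n"
                  b"Content-Length: " + str(len(REQUEST)).encode() + b"\r\n\r\n"
                  + REQUEST)
IIS6_REJECTED = (b"HTTP/1.1 501 Not Implemented\r\nServer: Microsoft-IIS/6.0\r\n"
                 b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print("IIS 5.0 style:", classify(IIS5_REFLECTED, REQUEST),
          echoed_headers(IIS5_REFLECTED, ["Cookie", "Authorization"]))
    print("IIS 6.0 style:", classify(IIS6_REJECTED, REQUEST))
```

Against a real host you would call `probe(host, 80, "TRACK")` and `probe(host, 80, "TRACE")` and feed the result to `classify()`; a 'reflected' verdict on a server whose log shows nothing is exactly the IIS 5.0 condition the advisory describes.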

Posted by bernard | 3 comment(s)

IIS 6.0 includes a new logging field for the W3C Extended format, "sc-substatus". This additional status gives the system administrator more detail about why a request was refused than the bare HTTP status code does. Listed below are the new status codes that apply to IIS 6.0:

Client Error 4xx
401.7 - Access denied by URL authorization policy on the Web server.
403.18 - Cannot execute requested URL in the current application pool.
403.19 - Cannot execute CGIs for the client in this application pool.
403.20 - Passport logon failed.
404.2* - Web service extension lockdown policy prevents this request.
404.3* - MIME map policy prevents this request.

Server Error 5xx
500.16 - UNC authorization credentials incorrect.
500.18 - URL authorization store cannot be opened.
503 - Service unavailable.

* - To minimize the information handed to an attacker, clients only see a generic 404 error; the substatus appears only in the server log.
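As an added example, not code from the original post or from Microsoft, here is a small parser for IIS W3C Extended log lines that joins sc-status and sc-substatus into the 403.18-style codes listed above and flags TRACE/TRACK requests. Because the column order is read from the #Fields directive, the same parser handles the different IIS 5.0 and IIS 6.0 layouts, so it also serves the TRACK/TRACE post above: when the server does log the verb, this is where it turns up. Both log texts are constructed for the example (private addresses, made-up timestamps, and a field order for the IIS 5.0 sample that I chose myself); they are not captures from a real server.

```python
"""Added example, not code from the original post or from Microsoft.

Parses IIS W3C Extended log lines, joins sc-status and sc-substatus into
the 403.18-style codes listed above, and flags TRACE/TRACK requests. The
field order comes from the #Fields directive, so the same parser handles the
IIS 5.0 and IIS 6.0 column layouts. Both sample logs are constructed for the
example (private addresses, made-up timestamps, chosen field orders); they
are not captures from a real server."""

# Substatus meanings as listed in the post, keyed by sc-status.sc-substatus.
SUBSTATUS_TEXT = {
    "401.7": "Access denied by URL authorization policy on the Web server",
    "403.18": "Cannot execute requested URL in the current application pool",
    "403.19": "Cannot execute CGIs for the client in this application pool",
    "403.20": "Passport logon failed",
    "404.2": "Web service extension lockdown policy prevents this request",
    "404.3": "MIME map policy prevents this request",
    "500.16": "UNC authorization credentials incorrect",
    "500.18": "URL authorization store cannot be opened",
}
SUSPECT_VERBS = {"TRACE", "TRACK"}

# Constructed IIS 6.0 style log (default W3C field order, spaces in values
# are written as '+', so a plain split on ' ' is correct).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2003-12-10 09:30:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2003-12-10 09:30:01 192.168.1.10 GET /default.asp - 80 - 192.168.1.20 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2003-12-10 09:30:02 192.168.1.10 TRACE / - 80 - 192.168.1.20 - 501 0 0
2003-12-10 09:30:02 192.168.1.10 TRACK / - 80 - 192.168.1.20 - 501 0 0
2003-12-10 09:30:05 192.168.1.10 GET /scripts/test.pl - 80 - 192.168.1.20 Mozilla/4.0+(compatible;+MSIE+6.0) 404 2 0
2003-12-10 09:30:06 192.168.1.10 GET /cgi-bin/x.exe - 80 - 192.168.1.20 Mozilla/4.0+(compatible;+MSIE+6.0) 403 18 0
"""

# Constructed IIS 5.0 style log: no sc-substatus column, different order.
SAMPLE_LOG_IIS5 = """#Fields: c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes
192.168.1.20 - 192.168.1.10 80 TRACE / - 200 0 183
"""


def parse_w3c(text):
    """One dict per data line, keyed by the names in the most recent
    #Fields directive. Other directive lines (#Software, #Date, ...) are
    skipped. A data line with the wrong number of fields is an error rather
    than a silently misaligned record."""
    fields = None
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        entries.append(dict(zip(fields, values)))
    return entries


def full_status(entry):
    """'404.2' when the log carries a non-zero substatus, else plain '404'.
    IIS 5.0 logs have no sc-substatus column, so they always give the
    plain code."""
    status = entry["sc-status"]
    sub = entry.get("sc-substatus", "0")
    return status if sub == "0" else f"{status}.{sub}"


def explain(entry):
    """(code, description) from the substatus table; '' if not listed."""
    code = full_status(entry)
    return code, SUBSTATUS_TEXT.get(code, "")


def suspect_requests(entries):
    """Entries whose verb is TRACE or TRACK, whatever the status. IIS 6.0
    logs them with 501; a 200 means the server reflected the request."""
    return [e for e in entries if e["cs-method"].upper() in SUSPECT_VERBS]


if __name__ == "__main__":
    for log in (SAMPLE_LOG, SAMPLE_LOG_IIS5):
        entries = parse_w3c(log)
        flagged = suspect_requests(entries)
        for e in entries:
            code, text = explain(e)
            mark = "  <-- TRACE/TRACK" if e in flagged else ""
            print(f"{e['c-ip']:15} {e['cs-method']:6} {e['cs-uri-stem']:18} {code:7} {text}{mark}")
```

Run against a real log directory you would feed each file's text to `parse_w3c()`; the 404.2 and 403.18 rows show why the substatus matters, since the client was told only "404" or "403" and the reason lives in the log alone.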

Posted by bernard | 1 comment(s)

Effectively Using IIS Security - Level 200
12/3/2003 9:30 AM - 12/3/2003 11:00 AM
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032241468&Culture=en-US

IIS Debugging: Using the IIS Crash\Hang Agent to Debug IIS - Level 300
12/11/2003 9:30 AM - 12/11/2003 11:00 AM
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032241883&Culture=en-US

Using Integrated Authentication in IIS - Level 200
12/17/2003 11:30 AM - 12/17/2003 1:00 PM
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032242063&Culture=en-US

Security Enhancements for Internet Information Services 6.0 - Level 200
1/6/2004 9:30 AM - 1/6/2004 11:00 AM
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032240688&Culture=en-US

Timezone: PST (Pacific Time)

Posted by bernard | with no comments
I posted 2 KB articles to support.microsoft.com last week; here are the details -

IIS 6.0 Does Not Serve Dynamic Content

How To Set Up an Isolated FTP Site

This is a new effort by Microsoft, allowing MVPs to submit Knowledge Base articles directly to the site. If you would like to see a certain IIS-related KB article that is not already in the database, ping me and I will try my best to write one.
Posted by bernard | 2 comment(s)

Great downloads! If you missed PDC 2003, just like I did, and you didn't get the DVD either, you can get it from MSDN online for now.

PDC 2003 Session Information, Slides and Source Code Available on MSDN
Get details on the over 140 sessions presented at PDC 2003, including slides and source code downloads for many of the sessions.

It will be available for 6 months from now; you can also visit SiteStream.com for PDC.

Who says you have to pay for PDC? :)

Posted by bernard | 1 comment(s)