IIS Security Alert

Two days ago, AQTRONIX released a security advisory about a logging failure that affects IIS 5.0. The advisory states that IIS 5.0 fails to log certain requests, so information can be disclosed from the server without any record of it; the HTTP verb involved is 'TRACK', which IIS treats as equivalent to TRACE. You can get the full advisory here.

First, let us look at how HTTP TRACE (and therefore TRACK) is defined. From RFC 2616, section 9.8:

The TRACE method is used to invoke a remote, application-layer loop-back of the request message. The final recipient of the request SHOULD reflect the message received back to the client as the entity-body of a 200 (OK) response. The final recipient is either the origin server or the first proxy or gateway to receive a Max-Forwards value of zero (0) in the request (see section 14.31). A TRACE request MUST NOT include an entity.

TRACE allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information. The value of the Via header field is of particular interest, since it acts as a trace of the request chain. Use of the Max-Forwards header field allows the client to limit the length of the request chain, which is useful for testing a chain of proxies forwarding messages in an infinite loop.

If the request is valid, the response SHOULD contain the entire request message in the entity-body, with a Content-Type of "message/http". Responses to this method MUST NOT be cached.

For more info on the HTTP RFC, click here.
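To make the definition above concrete, here is an added example (not code from this post or from AQTRONIX) in Python that sends a TRACE or TRACK probe and classifies the answer: a 200 with Content-Type message/http means the server reflects the request, as IIS 5.0 does in this post, while a 501 or 405 means the verb is rejected, as IIS 6.0 does. The two raw responses embedded in it are constructed samples, and the host address and cookie value in them are assumptions. The echoed_headers() helper lists which request headers came back in the reflected body, which is what makes a reflected Cookie header worth noticing.

```python
"""Probe a web server with the TRACE and TRACK verbs and classify the reply.

Added example; not from the original post or from AQTRONIX. A server that
reflects the request (200, Content-Type: message/http) behaves like the
IIS 5.0 server in the post; the IIS 6.0 server answered 501 Not Implemented.
"""
import http.client

VERBS = ("TRACE", "TRACK")


def parse_raw_response(raw):
    """Split a raw HTTP response into (status code, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])  # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return status, headers, body


def classify_response(status, headers):
    """'reflected' if the server echoed the request as RFC 2616 9.8 describes,
    'rejected' for a 405 or 501 answer, otherwise 'other'."""
    ctype = ""
    for name, value in headers.items():
        if name.lower() == "content-type":
            ctype = value.lower()
    if status == 200 and ctype.startswith("message/http"):
        return "reflected"
    if status in (405, 501):
        return "rejected"
    return "other"


def echoed_headers(body):
    """Names of the request headers a reflecting server sent back in the body.
    A Cookie or Authorization header in this list is what cross-site tracing abuses."""
    names = []
    for line in body.decode("iso-8859-1").split("\r\n")[1:]:  # [0] is the echoed request line
        if not line:
            break  # blank line ends the echoed header block
        name = line.partition(":")[0].strip()
        if name:
            names.append(name)
    return names


def classify_raw(raw):
    status, headers, _ = parse_raw_response(raw)
    return classify_response(status, headers)


def probe(host, port=80, verb="TRACK", path="/", timeout=5):
    """Send one live probe. http.client passes any method string through unchanged,
    so a non-standard verb such as TRACK needs no special handling."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(verb, path, headers={"Max-Forwards": "0"})
        resp = conn.getresponse()
        resp.read()
        return classify_response(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


# Constructed sample of a reflecting server (the behaviour the post saw on IIS 5.0);
# the host address and cookie value are made up.
IIS5_REFLECTED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Content-Type: message/http\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"TRACK / HTTP/1.1\r\n"
    b"Host: 192.168.1.10\r\n"
    b"Max-Forwards: 0\r\n"
    b"Cookie: ASPSESSIONID=EXAMPLE\r\n"
    b"\r\n"
)

# Constructed sample of a rejecting server (the behaviour the post saw on IIS 6.0).
IIS6_REJECTED = (
    b"HTTP/1.1 501 Not Implemented\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Not Implemented</body></html>"
)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # probe a live host given on the command line
        for verb in VERBES if False else VERBS:
            print(verb, probe(sys.argv[1], verb=verb))
    else:  # no host given: classify the embedded samples
        status, headers, body = parse_raw_response(IIS5_REFLECTED)
        print("IIS 5.0 sample:", classify_response(status, headers), echoed_headers(body))
        print("IIS 6.0 sample:", classify_raw(IIS6_REJECTED))
```

Run it with a host name as its first argument to probe a live server; with no argument it classifies the two embedded samples. Max-Forwards is set to 0 so that, per section 14.31 of the RFC, the first proxy in the path answers rather than forwarding the probe on.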

Now, the issue is that IIS 5.0 fails to log such a request, whereas IIS 6.0 records it in its log file. Here are the log entries for one TRACE and one TRACK request made to IIS 6.0 (addresses masked); IIS 6.0 answers both with 501 Not Implemented:
192.168.1.XX TRACE / - 80 - 192.168.1.XX - 501 0 0
192.168.1.XX TRACK / - 80 - 192.168.1.XX - 501 0 0


On IIS 5.0 the TRACK request leaves no log entry at all; only the TRACE request is logged, and it is answered with 200:
192.168.1.XX -  192.168.1.XX 80 TRACE / - 200 0 183

This lets a client pull information from an IIS 5.0 web server without leaving a trace in the log. The impact is not high, however: the reply contains only the standard HTTP headers of the web server, which an ordinary GET request reveals as well. One caveat: because TRACE and TRACK echo the request back, cookies and Authorization headers included, they are also the basis of cross-site tracing (XST), which is a further reason to disable them. A sysadmin can fix this easily by deploying UrlScan, which by default only allows the GET, HEAD and POST verbs to be processed by IIS.

After UrlScan is installed, the following entry appears in the UrlScan log when such a request is made:
Client at 192.168.1.XX: Sent verb 'TRACK', which is not specifically allowed. Request will be rejected.
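The manual comparison made above between the IIS 6.0 and IIS 5.0 logs can be automated. The following is an added example (not this post's own code) in Python that reads a W3C extended log the way IIS writes it, using the #Fields: directive to name the columns, and lists every probed verb that never appears in cs-method; it also recognises the UrlScan rejection line quoted above. The three sample logs are constructed, and their #Fields: lists are an assumption chosen to match the columns shown in this post (real logs carry their own directive, which is what the parser reads).

```python
"""Check whether the verbs you probed a server with actually show up in its log.

Added example, not code from the original post. Reads W3C extended log text as
IIS writes it, using the #Fields: directive to name the columns, then reports
every probed verb that never appears in cs-method. It also recognises the
UrlScan rejection line. The sample logs are constructed; their field lists are
an assumption chosen to match the columns the post shows.
"""
import re

PROBED_VERBS = ("TRACE", "TRACK")

# Constructed sample: IIS 6.0 logged both probes (status 501).
IIS6_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
192.168.1.20 GET /default.htm - 80 - 192.168.1.50 Mozilla/4.0 200 0 0
192.168.1.20 TRACE / - 80 - 192.168.1.50 - 501 0 0
192.168.1.20 TRACK / - 80 - 192.168.1.50 - 501 0 0
"""

# Constructed sample: IIS 5.0 logged the TRACE probe but not the TRACK probe.
IIS5_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes
192.168.1.50 - 192.168.1.20 80 GET /default.htm - 200 0 1337
192.168.1.50 - 192.168.1.20 80 TRACE / - 200 0 183
"""

# Constructed sample of the UrlScan log line the post quotes.
URLSCAN_LOG = """\
Client at 192.168.1.50: Sent verb 'TRACK', which is not specifically allowed. Request will be rejected.
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields: directive.
    IIS writes '+' in place of spaces inside a field, so a whitespace split is safe."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("log entry before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("column count does not match #Fields: %r" % line)
        yield dict(zip(fields, values))


def logged_verbs(text):
    """Set of HTTP verbs that appear in the cs-method column."""
    return {entry["cs-method"] for entry in parse_w3c(text)}


def missing_verbs(text, probed=PROBED_VERBS):
    """Verbs that were sent to the server but never reached its log, in probe order."""
    seen = logged_verbs(text)
    return [verb for verb in probed if verb not in seen]


URLSCAN_RE = re.compile(
    r"Client at (?P<ip>[\d.]+): Sent verb '(?P<verb>[^']+)', which is not specifically allowed"
)


def urlscan_rejections(text):
    """(client ip, verb) pairs for every verb UrlScan rejected."""
    return [(m.group("ip"), m.group("verb")) for m in URLSCAN_RE.finditer(text)]


if __name__ == "__main__":
    print("IIS 6.0 sample, verbs missing from log:", missing_verbs(IIS6_LOG))
    print("IIS 5.0 sample, verbs missing from log:", missing_verbs(IIS5_LOG))
    print("UrlScan rejections:", urlscan_rejections(URLSCAN_LOG))
```

Feed missing_verbs() the text of a real log after sending one request per probed verb; any verb it returns was processed by the server but never recorded, which is exactly the TRACK gap described above.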

Published Tue, Dec 30 2003 12:02 by bernard

Comments

# IIS 6.0

Tuesday, December 30, 2003 12:35 PM by TrackBack

# re: IIS Security Alert

So nothing to worry about? I have UrlScan on my IIS server.

Tuesday, December 30, 2003 12:59 PM by bernard

# re: IIS Security Alert

It should be fine, as I mentioned before.

Monday, January 05, 2004 8:46 AM by bernard