Intro
The server reveals its internal IP address in response to a WebDAV PROPFIND request.

Method

Issue a PROPFIND request over HTTP/1.1 with an empty Host header:

    telnet example.com 80
    Trying 123.123.123.123...
    Connected to example.com.
    Escape character is '^]'.
    PROPFIND / HTTP/1.1
    Host:

    HTTP/1.1 302 Redirect
    Content-Length: 140
    Content-Type: text/html
    Location: /
    Server: Microsoft-IIS/6.0
    Date: Tue, 08 Jun 2010 07:05:08 GMT

    Document Moved Object Moved This document may be found here

Recommendation

Reconfigure IIS to return the FQDN value instead: http://support.microsoft.com/kb/q218180/

Refs

OSVDB 13431

Introduction

If a PPTP service has been detected, the protocol requires the software (and/or hardware) vendor to be disclosed. Generally the server hostname is also revealed, which may aid in an attack.

Method

There are many ways to determine this, but a simple scenario would be to create a new "dial-up" connection within Windows with a connection type of VPN -> PPTP and connect whilst running a Wireshark packet capture. By following the captured stream within Wireshark and looking at the protocol dissector, the vendor and hostname will be disclosed.

Introduction

IIS + .NET may reveal sensitive information when an exception occurs. Often this information includes the system path to the webroot (i.e. C:\Inetpub\wwwroot), which may further aid attacks where a malicious user is able to upload content but does not know where the file is located on the remote system.

Method

By requesting a document with an .ashx extension, the server reveals the path (e.g. D:\sites\secret\uploads). It also reveals the version of .NET in the footer, such as "Microsoft .NET Framework Version:1.1.4322.2407; ASP.NET Version:1.1.4322.2407". The Framework version can then be used to check for known vulnerabilities, such as NULL byte issues.

Recommendation

Within the Machine.config or Web.config file, set the "customErrors" directive to either "RemoteOnly" or "On". See also: http://msdn.microsoft.com/en-us/library/h0hfz6fc.aspx

Introduction

This version of Outlook Web Access contains a URL redirection vulnerability. However, abusing it requires user interaction, such as a URL embedded within an email that is clicked on.

Method

It is possible to provide an arbitrary "url" value:

    http://mail.[victim].com/exchweb/bin/auth/owalogon.asp?url=http://[attacker]/Exchange&reason=0

Recommendation

Informational only. Microsoft expects this to be resolved in Exchange 2007.

Introduction

The portal requires users to submit a username and password to authenticate. This communication is not encrypted.

Method

Check the HTML source code of the form page and examine whether the FORM ACTION is a GET/POST to an HTTPS:// URI.

Recommendation

1) Enable SSL and disable HTTP for the portal.
2) Use two-factor tokens (one-time password) for strong authentication.
3) Modify the HTML source to ensure the data is POST'ed to an HTTPS URL.

To stop IIS sending detailed ASP error messages to clients:

1. In Microsoft Windows, open Administrative Tools, and then click Internet Information Services (IIS) Manager. IIS Manager appears.
2. Under Internet Information Services, expand Servername (local computer), expand Web Sites, right-click either Websitename or Default Website, and then click Properties. The Web Site Properties dialog box appears.
3. Click the Home Directory tab, and then click Configuration. The Application Configuration Settings dialog box appears.
4. Click the Debugging tab.
5. Change the radio button from "Send detailed ASP error messages to client" to "Send the following text error messages" and specify an error message.

Introduction

The FTP service reveals the Operating System type via the 'SYST' command. This is historically used to determine how to handle file types, as many OSes format data differently.

Method

    # telnet ftp.microsoft.com 21
    Trying 64.4.30.33...
    Connected to ftp.microsoft.com.
    Escape character is '^]'.
    220 Microsoft FTP Service
    USER anonymous
    331 Anonymous access allowed, send identity (e-mail name) as password.
    PASS [email protected]
    230-Welcome to FTP.MICROSOFT.COM. Also visit http://www.microsoft.com/downloads.
    230 User logged in.
    SYST
    215 Windows_NT
    QUIT
    221 Thank you for using Microsoft products.
    Connection closed by foreign host.

Recommendation

Informational.
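A verification check for the first finding on this page (the PROPFIND internal-IP disclosure), added here as an example and not code from the original page: it parses a captured HTTP response and reports whether the Location or Content-Location header still names a private IP address rather than the FQDN that KB218180 recommends. Both sample responses and the 10.0.0.5 address are constructed for the example.

```python
"""Post-remediation check for the IIS internal-IP disclosure finding: parse a
raw HTTP response (e.g. the reply to PROPFIND with an empty Host header) and
report whether Location / Content-Location name a private, link-local or
loopback IP instead of the server's FQDN. Samples below are constructed."""
import ipaddress
from urllib.parse import urlsplit

REDIRECT_HEADERS = ("location", "content-location")


def parse_headers(raw_response: str) -> dict:
    """Return the response headers as a lower-cased dict (first value wins)."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())
    return headers


def leaked_internal_ips(raw_response: str) -> dict:
    """Map each redirect header whose host is an internal IP to that IP.
    An empty dict means the response passes the check."""
    leaks = {}
    for name, value in parse_headers(raw_response).items():
        if name not in REDIRECT_HEADERS:
            continue
        host = urlsplit(value).hostname      # None for relative paths like "/"
        if not host:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:                   # an FQDN: the desired state
            continue
        if addr.is_private or addr.is_link_local or addr.is_loopback:
            leaks[name] = host
    return leaks


# Constructed samples (10.0.0.5 is a placeholder, not a value from the page):
# a server that still leaks, and one reconfigured per KB218180.
LEAKING = ("HTTP/1.1 302 Redirect\r\nContent-Length: 140\r\n"
           "Location: http://10.0.0.5/\r\nServer: Microsoft-IIS/6.0\r\n\r\n")
FIXED = ("HTTP/1.1 302 Redirect\r\nContent-Length: 140\r\n"
         "Location: http://www.example.com/\r\nServer: Microsoft-IIS/6.0\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("leaking", LEAKING), ("fixed", FIXED)):
        print(label, leaked_internal_ips(resp) or "no internal IP disclosed")
```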
Archives: September 2017