Security Basics mailing list archives

Re: Microsoft Urlscan Filter v3.0


From: "J. Oquendo" <sil () infiltrated net>
Date: Fri, 29 Aug 2008 10:33:50 -0500

On Fri, 29 Aug 2008, Jorge L. Vazquez wrote:

> one of the things that urlscan does is that it protects your web server
> from being fingerprinted; for example, when using network scanners like
> nmap or nikto to do a server fingerprint, I know for a fact that when
> urlscan is installed on the server, nmap fails to fingerprint the server,
> and also nikto. The one that comes closest to detecting the type of
> server is httprint, and what it does is take an educated guess and it
> gives you the percentage of how sure it is, and again when urlscan is
> installed httprint says it is sure about 50 to 60%, which is not good
> enough, so as you can see it would hurt you to install urlscan, and of
> course if you don't know what type of server is running on port 80 it makes
> it much more difficult to find exploits for something you don't know.
>
> you may want to check out this article
> http://www.pctechtips.org/pentesting_webservers_httprint_nikto_nessus.htm
>
> here you can see how nmap fails to properly identify the kind of server
> running on port 80


Read it verbatim: "UrlScan version 3.0 is a security tool that
restricts the types of HTTP requests that Internet Information
Services (IIS) will process. By blocking specific HTTP requests,
UrlScan helps prevent potentially harmful requests from being
processed by web applications on the server."


This tangent on fingerprinting is moot in the sense that a
security wizard can deduce what kind of server is running
without the use of NMAP, Nessus, etc. I don't know about you,
but error pages do tell a lot:

// BEGIN 

Server Error in '/Foo' Application.
Runtime Error

Description: An application error occurred on the server. The
current custom error settings for this application prevent the
details of the application error from being viewed remotely
(for security reasons). It could, however, be viewed by
browsers running on the local server machine.

Details: To enable the details of this specific error message
to be viewable on remote machines, please create a
<customErrors> tag within a "web.config" configuration file
located in the root directory of the current web application.
This <customErrors> tag should then have its "mode" attribute
set to "Off".

<!-- Web.Config Configuration File -->

<configuration>
    <system.web>
        <customErrors mode="Off"/>
    </system.web>
</configuration>

// END


If someone doing either pentesting or even intruding is not
competent enough to determine what kind of server spits out a
message like this, they need to go back and RTFM on security.
This rambling about "security through obscurity" a-la "oh
noehz!!! Better hide servertype" is stupid and will only
protect against lowly attackers, not a determined structured
attack. Even from the lowly attacker, what's to stop even
them from running any and all known http exploits against a
server anyway? I see it done all the time on my servers,
idiots hacking away using IIS exploits against a FreeBSD
machine.

URLScan is nothing more than a sleight of hand. It is
potentially possible that it will block known attacks, but
let history serve its purpose: how many IDSs/IPSs fell victim
to Unicode? There is always going to be a workaround for
programs like URLScan. So here is an idea for you...

Internet --> Apache_as_a_Proxy --> IIS

With Apache running, say, mod_security to filter things out
before they hit your IIS server. Now, there is the potential
that kiddiots relying on fingerprinting will use Apache
exploits against IIS, which would fail miserably.
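The proxy layout sketched above, written out as an added example that is not part of the original post or of the Apache, ModSecurity or IIS projects: an Apache httpd virtual host that reverse-proxies to an IIS origin, runs mod_security on each request before it is forwarded, and uses ProxyErrorOverride so that a verbose origin error page like the ASP.NET "Server Error in '/Foo' Application" message quoted earlier in this mail is replaced by Apache's own error document before it reaches a remote client. The backend host name iis-backend.internal, the audit log path and the single SecRule are assumptions constructed for this example, not rules from any published rule set.

```apache
# Added example (not from the original post): Apache httpd as a reverse proxy
# with mod_security in front of an IIS origin.
# Assumptions: mod_proxy, mod_proxy_http and mod_security2 are loaded; the IIS
# host is reachable as iis-backend.internal (placeholder name).

<VirtualHost *:80>
    ServerName www.example.com

    # Never act as an open forward proxy; only relay what is configured below.
    ProxyRequests Off
    ProxyPreserveHost On

    # Everything that reaches this vhost is relayed to IIS after filtering.
    ProxyPass        / http://iis-backend.internal/
    ProxyPassReverse / http://iis-backend.internal/

    # Replace 4xx/5xx bodies coming back from IIS with Apache's own error
    # documents, so the verbose ASP.NET runtime error page (a 500 response)
    # is never shown to a remote client.
    ProxyErrorOverride On
    ErrorDocument 500 "An error occurred."
    ErrorDocument 404 "Not found."

    # mod_security: inspect and block before the request is forwarded.
    <IfModule security2_module>
        SecRuleEngine On
        SecRequestBodyAccess On
        SecAuditEngine RelevantOnly
        SecAuditLog /var/log/apache2/modsec_audit.log   # assumed path

        # Sample rule (constructed for this example): decode URL and %uXXXX
        # encodings first, then reject any request whose URI still contains
        # a "../" path traversal sequence. The decoding step is the point:
        # matching on the raw, still-encoded URI is how Unicode-style
        # encodings slipped past filters in the past.
        SecRule REQUEST_URI "@rx \.\./" \
            "id:100001,phase:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,log,msg:'Path traversal blocked at proxy'"
    </IfModule>
</VirtualHost>
```

Because the client only ever talks to Apache, ProxyErrorOverride closes the error-page leak described above without touching the ASP.NET side at all; the customErrors setting in web.config still matters for administrators browsing the IIS host directly, but nothing from it reaches the proxy's clients.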

See Ivan's ramblings on PCI; he has a lot of informative
information regarding this.

http://blog.ivanristic.com/2008/02/pci-requirement.html
http://blog.ivanristic.com/2008/04/pci-council-rel.html

Quote: "ModSecurity, an open source intrusion detection and
prevention engine for web applications, may be just what
organizations need to fulfill PCI DSS compliance obligations
without the sticker shock."

http://pcianswers.com/2006/09/26/what-is-an-application-firewall/

No matter what you want to throw on a machine, it really
boils down to the engineering. I've seen IIS servers which
were tighter than a vise grip get compromised. One small
fumble and you're hit.

// Nutshell
URLScan is not a WAF
URLScan is a band-aid
Tangents on hiding your fingerprint are idiotic

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA #579 (FW+VPN v4.1) SGFE #574 (FW+VPN v4.1)
CEH/CNDA, CHFI

"Experience hath shewn, that even under the best
forms (of government) those entrusted with power
have, in time, and by slow operations, perverted
it into tyranny." Thomas Jefferson

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB

