Bugtraq mailing list archives

IIS logging issue


From: onesemicolon () onesemicolon cjb net
Date: Mon, 19 Nov 2001 17:21:27 -0700 (MST)

TOPIC: Microsoft IIS is vulnerable to log faking.
ADVISORY NR: 200103
DATE: 18-11-01
VULNERABILITY FOUND AND WRITTEN BY: 1; (One Semicolon)

CONTACT INFORMATION
http://onesemicolon.cjb.net
me () onesemicolon cjb net


STATUS
Microsoft was contacted on September 18, 2001 by emailing
secure () microsoft com. A reply was received saying Microsoft was unable to
reproduce this using Notepad. I had only given the hex codes for
Edit in MS-DOS. After letting this sit for a while I got the hex codes for
another text editor, so I sent that to Microsoft on November 12, 2001.
I have not received a reply to this yet.


DESCRIPTION
Microsoft IIS is a web server. duh. ;)
This vulnerability was tested to work using Windows 2000 and IIS 5.0 without
changes to the logging settings.


VULNERABILITY
Percent-encoded hex codes in a request are decoded to characters before
the entry is written to the IIS log file.
/index%2easp becomes /index.asp and is shown as that in the log file.
The problem is that %0A is translated to a new line and %FF to something
that looks just like a space. Using these two you can successfully create
two perfectly real-looking log entries from a single request.

/index.asp%FF200%FFHTTP/1.1%0A00:52:11%FF198.116.142.34%FFGET%FF/evilplaces
Here the request for /index.asp is ended with a 200 status and HTTP/1.1,
showing which HTTP version was used. Then a new line (%0A) is started.
At first I thought that getting the time right would become a difficult
one. It turns out I was wrong. All logging is done using Greenwich time.
All one needs to do is figure out the current time in London and they are
done.
Then follows the IP address of the person you wish to use, followed by
whatever you think they should be caught asking for.
The %FF and %0A work when the log is viewed with MS-DOS's Edit.
To make this work in WordPad, which is more likely to be used to view logs,
replace %FF with %09.


FIX
No fix has been released for this problem as far as I know.


PLEASE
Maybe administrators of computers that use different web server software
could try all hex codes, find out whether their particular server is
vulnerable to the same issue, and then contact their vendor?
I have already found another company's server software to be vulnerable to
the same issue. Rather than people issuing many advisories for the same
issue in different companies' software, it would be nice if the separate
companies could simply be notified and be able to issue a patch for their
particular program.


FINAL NOTES
These days logs are used very often to prove illegal activity. When logs
cannot be trusted there is a serious problem: how else do you prove
illegal activity?

IIS 5.0 lets you choose between several logging formats. I used the settings
that were put there by the IIS installation. For me this was the W3C Extended
Log File Format, which logged the following fields:
- Time (time)
- Client IP Address (c-ip)
- Method (cs-method)
- URI Stem (cs-uri-stem)
- Protocol Status (cs-status)
- Protocol Version (cs-version)
