

Configuration of Microsoft URLScan can be enumerated when implemented in conjunction with RSA SecurID


IRM Security Advisory No. 006

The configuration of Microsoft URLScan can be enumerated when implemented in
conjunction with RSA SecurID

Vulnerability Type / Importance: Information Leakage / High

Problem discovered: July 18th 2003
Microsoft contacted: July 18th 2003
RSA contacted: August 11th 2003
Advisory published: August 13th 2003



URLScan is an ISAPI filter, provided by Microsoft, that performs various
checks on HTTP requests sent to a web server. It can be configured to restrict
access to various file extensions, HTTP methods and potentially dangerous
URL sequences. SecurID is a product supplied by RSA Security that provides a
two-factor authentication mechanism to prevent unauthorised access to a
website. If the products are used together on the same web server and
configured in a certain way, then it is possible to enumerate the
configuration of URLScan and hence potentially uncover malicious file
extensions that are not filtered by the product.


Recently, during a penetration test, IRM identified a serious security
vulnerability when URLScan and SecurID are combined on the same web server.

IRM requested the following URL from the target web server:


Contained within the page contents that were returned was the following


Then IRM requested the URL shown below:


No line relating to URLScan was returned in the page contents.

The default urlscan.ini file contains the following line:

RejectResponseUrl=  ; UrlScan will send rejected requests to the URL
specified here. Default is /<Rejected-by-UrlScan>

This is where the 'referrer' value that is returned originates.

As the ISAPI extension '.ida' is associated with the Indexing service, and
was exploited by the infamous Code Red worm, the engineer thought it
likely to be in the filtered extensions list within the URLScan
configuration. A script was then produced to test this theory (available on
the IRM website) and it was demonstrated that, using this technique, the
configuration of URLScan could be enumerated.

Microsoft were initially contacted, but were unable to reproduce the problem
using just URLScan. However, when RSA Security were made aware of the
vulnerability they confirmed that it was related to the interaction between
the use of URLScan and SecurID and provided a simple workaround to resolve
the problem.
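The behaviour described above leaves a recognisable pattern in the web server log: one client requesting many different file extensions in quick succession, some of which are rewritten to the RejectResponseUrl. The following Python is an added detection example, not code from the advisory or from IRM; the log lines are constructed, and the assumption that a rejected request is logged with the stem "/<Rejected-By-UrlScan>" and the original path in the query is marked as such in the code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C-style log lines: date time c-ip cs-method
# cs-uri-stem cs-uri-query sc-status. ASSUMPTION: a request rejected by
# URLScan is logged with the RejectResponseUrl as the stem and the original
# path in the query field, prefixed with "~".
SAMPLE_LOG = """\
2003-08-13 10:00:01 10.0.0.5 GET /<Rejected-By-UrlScan> ~/x.ida 404
2003-08-13 10:00:02 10.0.0.5 GET /x.asp - 401
2003-08-13 10:00:03 10.0.0.5 GET /<Rejected-By-UrlScan> ~/x.exe 404
2003-08-13 10:00:04 10.0.0.5 GET /x.htm - 401
2003-08-13 10:00:05 10.0.0.5 GET /<Rejected-By-UrlScan> ~/x.printer 404
2003-08-13 10:00:06 10.0.0.5 GET /x.txt - 401
2003-08-13 10:00:07 10.0.0.5 GET /<Rejected-By-UrlScan> ~/x.idq 404
2003-08-13 10:00:20 192.168.1.9 GET /default.htm - 200
2003-08-13 10:00:21 192.168.1.9 GET /login.asp - 200
"""

LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
                     r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d+)$")
REJECT_STEM = "/<rejected-by-urlscan>"


def parse_line(line):
    """Return (timestamp, client ip, requested path, rejected?) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
    rejected = m["stem"].lower() == REJECT_STEM
    path = m["query"].lstrip("~") if rejected else m["stem"]  # recover probed path
    return ts, m["ip"], path, rejected


def extension_of(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def find_enumeration(log_text, window=timedelta(seconds=60), min_exts=4):
    """Flag clients that probe >= min_exts distinct extensions within one window.
    Returns {ip: {"rejected": [...], "passed": [...]}}, i.e. what each flagged
    client learned about the URLScan extension list."""
    events = defaultdict(list)
    for parsed in filter(None, map(parse_line, log_text.splitlines())):
        events[parsed[1]].append(parsed)
    findings = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (t0, _, _, _) in enumerate(evs):
            seen = [e for e in evs[i:] if e[0] - t0 <= window]
            if len({extension_of(e[2]) for e in seen}) >= min_exts:
                findings[ip] = {"rejected": sorted({extension_of(e[2]) for e in seen if e[3]}),
                                "passed": sorted({extension_of(e[2]) for e in seen if not e[3]})}
                break
    return findings
```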

Tested Versions:

Microsoft IIS 5
RSA ACE/Agent 5.0
URLScan 2.5

Tested Operating Systems:

Microsoft Windows 2000

Vendor & Patch Information:

RSA Security were contacted on the 11th August and on 13th August provided a
workaround to resolve the issue.


In Microsoft Internet Services Manager, the SecurID filter needs to be
first in the global ISAPI filter list, above URLScan.


Research & Advisory: Andy Davis


All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.


Information Risk Management Plc.
22 Buckingham Gate
+44 (0)207 808 6420

