----------------------------------------------------------------------------
IRM Security Advisory No. 006
The configuration of Microsoft URLScan can be enumerated when implemented in
conjunction with RSA SecurID
Vulnerability Type / Importance: Information Leakage / High
Problem discovered: July 18th 2003
Microsoft contacted: July 18th 2003
RSA contacted: August 11th 2003
Advisory published: August 13th 2003
----------------------------------------------------------------------------
Abstract:
URLScan is an ISAPI filter, provided by Microsoft, that performs various
checks on HTTP requests sent to a web server. It can be configured to block
access to various file extensions, HTTP methods and potentially malicious
URL sequences. SecurID is a product supplied by RSA Security that provides a
two-factor authentication mechanism to prevent unauthorised access to a
website. If the two products are used together on the same web server and
configured in a certain way, it is possible to enumerate the configuration
of URLScan and hence discover which potentially malicious file extensions
are not filtered by the product.
Description:
Recently, during a penetration test, IRM identified a serious security
vulnerability when URLScan and SecurID are combined on the same machine.
IRM requested the following URL from the target web server:
http://server/irm.ida
Contained within the page contents that were returned was the following
line:
<INPUT TYPE=HIDDEN NAME="referrer"
VALUE="Z2FZ3CRejected-By-UrlScanZ3EZ3FZ7EZ2Firm.ida">
Then IRM requested the URL shown below:
http://server/irm.htm
No line relating to URLScan was returned in the page contents.
The default urlscan.ini file contains the following line:
RejectResponseUrl= ; UrlScan will send rejected requests to the URL
specified here. Default is /<Rejected-by-UrlScan>
This is where the 'referrer' value that is returned originates.
As the ISAPI extension '.ida' is associated with the Indexing service, which
was exploited by the infamous Code Red worm, the engineer thought it was
likely to be in the filtered extensions list within the URLScan
configuration. A script was then produced to test this theory (available on
the IRM website - http://www.irmplc.com/advisories.htm) and it was
demonstrated that, using this technique, the configuration of URLScan could
be enumerated: a request for a blocked extension yields a SecurID login page
whose hidden 'referrer' field carries the URLScan rejection URL, whereas a
request for an allowed extension does not.
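The check below is an added example, not IRM's script or any vendor code. It decodes the SecurID 'referrer' value and reports whether a response reveals that URLScan rejected the request, so an administrator can confirm on their own server whether the leak is present (for instance, before and after applying the filter-order workaround). It assumes, from the sample value in this advisory, that the SecurID agent escapes characters as 'Z' followed by two hex digits, in the same way URL encoding uses '%'; the sample response bodies are constructed, not captured.

```python
import re

# Constructed sample responses modelled on the advisory's two requests
# (irm.ida is rejected by URLScan, irm.htm is allowed). Not real captures.
REJECTED_BODY = (
    '<FORM METHOD=POST ACTION="/webauthentication">\n'
    '<INPUT TYPE=HIDDEN NAME="referrer"\n'
    'VALUE="Z2FZ3CRejected-By-UrlScanZ3EZ3FZ7EZ2Firm.ida">\n'
)
ALLOWED_BODY = (
    '<FORM METHOD=POST ACTION="/webauthentication">\n'
    '<INPUT TYPE=HIDDEN NAME="referrer" VALUE="Z2Firm.htm">\n'
)

REFERRER_RE = re.compile(r'NAME="?referrer"?\s+VALUE="([^"]*)"', re.I)
# Assumption: 'Z' + two hex digits is the agent's escape for one byte
# (Z2F -> '/', Z3C -> '<', ...), inferred from the advisory's sample value.
ZHEX_RE = re.compile(r'Z([0-9A-Fa-f]{2})')
# Default RejectResponseUrl from urlscan.ini, compared case-insensitively.
MARKER = "<rejected-by-urlscan>"


def decode_referrer(value):
    """Undo the Z-hex escaping of the hidden 'referrer' field."""
    return ZHEX_RE.sub(lambda m: chr(int(m.group(1), 16)), value)


def urlscan_leak(body):
    """Return the original path URLScan rejected, or None when the
    response carries no URLScan rejection marker."""
    m = REFERRER_RE.search(body)
    if not m:
        return None
    path = decode_referrer(m.group(1))
    if MARKER not in path.lower():
        return None
    # URLScan forwards to RejectResponseUrl and appends the original
    # request URL to the query string after '~'.
    _, _, original = path.partition("?~")
    return original or path


def filtered_extensions(responses):
    """responses maps an extension to the body received when requesting a
    file with it. Returns the extensions the leak shows URLScan blocks,
    for comparison against the server's own urlscan.ini."""
    return sorted(ext for ext, body in responses.items() if urlscan_leak(body))
```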
Microsoft were initially contacted, but were unable to reproduce the issue
using just URLScan. However, when RSA Security were made aware of the
vulnerability they confirmed that it was related to the interaction between
the use of URLScan and SecurID and provided a simple workaround to resolve
the problem.
Tested Versions:
Microsoft IIS 5
RSA ACE/Agent 5.0
URLScan 2.5
Tested Operating Systems:
Microsoft Windows 2000
Vendor & Patch Information:
RSA Security were contacted on the 11th August and on 13th August provided a
workaround to resolve the issue.
Workarounds:
In Microsoft Internet Services Manager, the SecurID filter needs to be the
first in the global ISAPI filter list, above URLScan.
Credits:
Research & Advisory: Andy Davis
Disclaimer:
All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.
----------------------------------------------------------------------------
Information Risk Management Plc.
22 Buckingham Gate
London
SW1E 6LB
+44 (0)207 808 6420