Detecting if SecureIIS from Eeye is installed

From: Sacha Faust (sachaat_private)
Date: Mon Jan 21 2002 - 19:09:30 PST

Next message: Chris Keladis: "Re: testing for IP address space leakage in NAT systems"

Previous message: Iván Arce: "Re: testing for IP address space leakage in NAT systems"
Next in thread: Ryan Permeh: "Re: Detecting if SecureIIS from Eeye is installed"
Reply: Ryan Permeh: "Re: Detecting if SecureIIS from Eeye is installed"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This is not something big and I don't consider it a bug but it's something
that migh be usefull
when trying to brake an IIS server. I don't have a copy of the software so I
don't know if this is cause by misconfiguration or something else.
While debugging after someone mentionned a problem with an early version of
Metis 1.1,
I saw that you can detect the presence of the SecureIIS product from Eeye by
issuing an HEAD request on any files or folder and looking at the return
data.
The SecureIIS will return HTTP error code 406 (Not Acceptable),
Content-Length: 1176 and Content-Type: text/html. It will also announce
itself in the reply message. Here is an example

E:\Metis>nc -v www.site.com 80
www.site.com [111.111.111.111] 80 (http) open
HEAD /

HTTP/1.1 406
Server: Microsoft-IIS/4.0
Date: Tue, 22 Jan 2002 02:23:42 GMT
Content-Type: text/html
Content-Length: 1176

<HTML>
<BODY text=#000000 vLink=#ff9900 link=#ff9900 bgColor=#ffffff>
<TABLE cellSpacing=5 cellPadding=3 width=400>
  <TBODY>
  <TR>
    <TD vAlign=center align=left width=400><FONT
face=Verdana,Arial,Helvetica
      size=2><FONT size=3><B>SecureIIS application firewall security
      alert</B></FONT><BR><BR><BR>HTTP Request caused a security alert,
please
      contact our web master if you are getting this alert in error.<BR><BR>
      <HR>
      <BR><B>What is SecureIIS</B><BR>SecureIIS offers websites
      running Microsoft Internet Information Server a broad range of
protection

      from common vulnerabilities, both known and unknown. Because SecureIIS
      does not protect against specific vulnerabilities, but classes of
      vulnerabilities, it allows for a much more far reaching layer of
security.

      <BR><BR>
      <HR>
      <BR>For more information on SecureIIS, please visit <A

href="http://www.eeye.com/SecureIIS/">http://www.eeye.com/SecureIIS/><B
R><BR><B><FONT
      color=#ff7000>eEye</FONT>Ö Digital Security</B> - <I>Vulnerability Is
      Over...</I></FONT></TD></TR></TBODY></TABLE></BODY></HTML>




---------
Sacha Faust
sachaat_private
Metis : http://www.ideahamster.org/tid.htm


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Next message: Chris Keladis: "Re: testing for IP address space leakage in NAT systems"
Previous message: Iván Arce: "Re: testing for IP address space leakage in NAT systems"
Next in thread: Ryan Permeh: "Re: Detecting if SecureIIS from Eeye is installed"
Reply: Ryan Permeh: "Re: Detecting if SecureIIS from Eeye is installed"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jan 22 2002 - 11:52:54 PST