TOPIC: Microsoft IIS is vulnerable to log faking. ADVISORY NR: 200103 DATE: 18-11-01 VULNERABILITY FOUND AND WRITTEN BY: 1; (One Semicolon) CONTACT INFORMATION http://onesemicolon.cjb.net me@onesemicolon.cjb.net STATUS Microsoft was contacted on September 18, 2001 by emailing secure@microsoft.com. A reply was received saying Microsoft was unable to reproduce this using Notepad. I had only given the hex codes for Edit in MS-DOS. After letting this sit for a while I got the hex codes for another text editor. So I sent that to Microsoft on November 12, 2001. I did not receive a reply to this yet. DESCRIPTION Microsoft IIS is a web server. duh. ;) This vulnerability was tested to work using Windows 2000 and IIS 5.0 without changes to the logging settings. VULNERABILITY Log entries in the IIS logfile have the hex codes in a request translated to a character. /index%2easp becomes /index.asp and is shown as that in the logfile. The problem is that %0A becomes translated to a new line and %FF to what looks just like a space. Using these two you can successfully create two perfectly real looking log entries. /index.asp%FF200%FFHTTP/1.1%0A00:52:11%FF198.116.142.34%FFGET%FF/evilplaces here the request for /index.asp is ended with a 200 notice and HTTP/1.1 showing what version has been used HTTP wise. Then a new line (%0A) is started. At first I thought that getting the time right would become a difficult one. It turns out I was wrong. All logging is done using Greenwich time. All one needs to do is figure out the current time in London and they are done. Then the IP of the person who you wish to use follows. Then whatever you think they should be caught asking for. The %FF and %0A works when using MS-DOS's Edit. To make this work in WordPad which more likely will be used to view logs, replace %FF with %09. FIX No fix has been released for this problem as far as I know. PLEASE Maybe administrators of computers that use different webserver software could try all hexcodes and find out if their particular server is vulnerable to the same issue and then proceed to contact their manufacturer? I have already found another company's server software to be vulnerable to the same issue. Rather than people going around issuing many advisories for the same issue but different software company, it would be nice if the seperate companies could just be notified and be able to issue a patch for their particular program. FINAL NOTES These days logs are used very often to prove illegal activity. When logs cannot be trusted there is a serious problem: how else do you prove illegal activity? IIS 5.0 lets you set different logging formats. I used the settings that were put there by the IIS installation. For me this was W3C Extended Log File Format, which logged the following things: - Time (time) - Client IP Address (c-ip) - Method (cs-method) - URI Stem (cs-uri-stem) - Protocol Status (cs-status) - Protocol Version (cs-version)
