---------------------------------------------------------------------------- IRM Security Advisory No. 006 The configuration of Microsoft URLScan can be enumerated when implemented in conjunction with RSA SecurID Vulnerablity Type / Importance: Information Leakage / High Problem discovered: July 18th 2003 Microsoft contacted: July 18th 2003 RSA contacted: August 11th 2003 Advisory published: August 13th 2003 ---------------------------------------------------------------------------- Abstract: URLScan is an ISAPI filter, provided by Microsoft that performs various checks on HTTP requests sent to a web server. It can be configured to block access to various file extensions, HTTP methods and potentially malicious URL sequences. SecurID is a product supplied by RSA Security to provide a two-factor authentication mechanism to prevent unauthorised access to a website. If the products are used together on the same web server and configured in a certain way then it is possible to enumerate the configuration of URLScan and hence potentially uncover malicious file extensions that may not be filtered by the product. Description: Recently during a penetration test IRM identified a serious security vulnerability when URLScan and SecurID are combined on the same machine. IRM requested the following URL from the target web server: http://server/irm.ida Contained within the page contents that were returned was the following line: <INPUT TYPE=HIDDEN NAME="referrer" VALUE="Z2FZ3CRejected-By-UrlScanZ3EZ3FZ7EZ2Firm.ida"> Then IRM requested the URL shown below: http://server/irm.htm No line relating to URLScan was returned in the page contents. The default urlscan.ini file contains the following line: RejectResponseUrl= ; UrlScan will send rejected requests to the URL specified here. Default is /<Rejected-by-UrlScan> This is where the 'referrer' value that is returned originates. As the ISAPI extension '.ida' is associated with the Indexing service, which was exploited by the infamous Code Red worm, the engineer thought it was likely to be in the filtered extensions list within the URLScan configuration. A script was then produced to test this theory (available on the IRM website - http://www.irmplc.com/advisories.htm) and it was demonstrated that using this technique the configuration of URLScan could be enumerated. Microsoft were initially contacted, but were unable to reproduce the issue using just URLScan. However, when RSA Security were made aware of the vulnerability they confirmed that it was related to the interaction between the use of URLScan and SecurID and provided a simple workaround to resolve the problem. Tested Versions: Microsoft IIS 5 RSA ACE/Agent 5.0 URLScan 2.5 Tested Operating Systems: Microsoft Windows 2000 Vendor & Patch Information: RSA Security were contacted on the 11th August and on 13th August provided a workaround to resolve the issue. Workarounds: In Microsoft Internet Services Manager, the SecurID filter needs to be the first in the global ISAPI filter list, above URLScan. Credits: Research & Advisory: Andy Davis Disclaimer: All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information. ---------------------------------------------------------------------------- Information Risk Management Plc. 22 Buckingham Gate London SW1E 6LB +44 (0)207 808 6420
