If your web server is failing a PCI compliance scan because a specially crafted HTTP/1.0 GET request without a host header is causing it to divulge an internal private IP address, then read on.
Problem
In IIS 7 on Windows Server 2008 and higher, there is a vulnerability that will cause it to accept such a GET request and respond with the internal IP address as the realm for basic authentication. This does not happen with an HTTP/1.1 request.
More Information
In this example, the GET request was for /autodiscover/autodiscover.xml, which is in the Autodiscover application under the "SBS Web Applications" site in IIS 7 on a Windows Small Business Server 2008 computer.
You can test for the issue with openssl on Linux by running the following command:
$ openssl s_client -host hostname.domain.tld -port 443

Substitute the actual hostname for hostname.domain.tld. The server will respond with a bunch of SSL information ending in "---" followed by a blank line. On that line, type or paste the following:

GET /autodiscover/autodiscover.xml HTTP/1.0

Send a blank line at the end; the server will not respond until you do. An example of a response from a server affected by the vulnerability follows:
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="192.168.1.201"
X-Powered-By: ASP.NET
Date: Fri, 05 Sep 2014 16:25:59 GMT
Connection: close
Content-Length: 58
You do not have permission to view this directory or page.
read:errno=0
Resolution
To resolve the issue in this example, do the following:
- Open the IIS 7 console, expand SBS Web Applications and click on Autodiscover.
- Double-click Authentication.
- Right-click Basic Authentication and select Edit...
- In the Realm field, type the server's public hostname in the format hostname.domain.tld and then click OK.
- If applicable (e.g. on Windows SBS 2008), repeat the above process for the Microsoft-Server-ActiveSync and EWS websites in addition to Autodiscover.
Performing the same test in this example should now yield the following response:
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="hostname.domain.tld"
X-Powered-By: ASP.NET
Date: Fri, 05 Sep 2014 16:30:41 GMT
Connection: close
Content-Length: 58
You do not have permission to view this directory or page.
read:errno=0
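The same check, scripted so it can be re-run after the realm change (an added example, not part of the original article): probe() sends the HTTP/1.0 request without a Host header over TLS exactly as the openssl procedure above does, and leaked_private_realms() flags any Basic realm that is a private, loopback or link-local IP literal. The two sample responses are constructed from the article's before/after output; hostname.domain.tld is a placeholder.

```python
import re
import socket
import ssl
from ipaddress import ip_address

# Constructed samples modelled on the article's affected and fixed responses.
AFFECTED = ("HTTP/1.1 401 Unauthorized\r\n"
            "Server: Microsoft-IIS/7.0\r\n"
            "WWW-Authenticate: Negotiate\r\n"
            "WWW-Authenticate: NTLM\r\n"
            'WWW-Authenticate: Basic realm="192.168.1.201"\r\n'
            "Connection: close\r\n\r\n")
FIXED = AFFECTED.replace('realm="192.168.1.201"', 'realm="hostname.domain.tld"')

# Matches each Basic challenge header and captures the quoted realm value.
REALM_RE = re.compile(r'^WWW-Authenticate:\s*Basic\s+realm="([^"]*)"', re.I | re.M)


def leaked_private_realms(raw_response):
    """Return the Basic realm values that are internal IP literals (the PCI finding)."""
    leaks = []
    for realm in REALM_RE.findall(raw_response):
        try:
            addr = ip_address(realm)
        except ValueError:
            continue  # a hostname such as hostname.domain.tld is the desired state
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            leaks.append(realm)
    return leaks


def probe(host, path="/autodiscover/autodiscover.xml", port=443, timeout=10):
    """Send an HTTP/1.0 GET with no Host header over TLS and return the raw response text."""
    request = f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii")
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break  # server closes the connection after the 401 (Connection: close)
                chunks.append(data)
    return b"".join(chunks).decode("latin-1")


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; swap in probe("hostname.domain.tld") for a live check.
    print("affected:", leaked_private_realms(AFFECTED))  # ['192.168.1.201']
    print("fixed:   ", leaked_private_realms(FIXED))     # []
```

An empty list from leaked_private_realms() on the live response is the state the compliance scanner wants to see; check every site that carries Basic authentication (Autodiscover, Microsoft-Server-ActiveSync, EWS), not just the first one.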
Hey Rob,

Great article! I'm running SBS 2011 and don't have an SBS Web Applications. Should I be configuring these settings under Default Web Site?
In the Realm field, for a public hostname should I use remote.domain.ltd?
Thanks!

After about 5 permutations and as many securitymetrics scans, finally stumbled on what worked for us - autodiscover.domain.local

I originally posted a comment about your use of the Linux tool and if there are Windows tools - I found cygwin which allows a Windows user to run the Linux command.