
Friday, September 5, 2014

Windows Server Running IIS Fails PCI Compliance Scan

If your web server is failing a PCI compliance scan because a specially crafted HTTP/1.0 GET request without a host header is causing it to divulge an internal private IP address, then read on.

Problem

In IIS 7 on Windows Server 2008 and later, the server accepts such a GET request and, because the request carries no Host header, returns its internal IP address as the realm in the Basic authentication challenge. This does not happen with an HTTP/1.1 request.

More Information

In this example, the GET request was for /autodiscover/autodiscover.xml, which is in the Autodiscover application under the "SBS Web Applications" site in IIS 7 on a Windows Small Business Server 2008 computer.

You can test for the issue with openssl on Linux by running the following command:
$ openssl s_client -host hostname.domain.tld -port 443
Substitute the actual hostname for hostname.domain.tld. The server will respond with a bunch of SSL information ending in "---" followed by a blank line. On that line, type or paste the following:
GET /autodiscover/autodiscover.xml HTTP/1.0
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
 
Send a blank line at the end; the server will not respond until you do. An example of a response from a server affected by the vulnerability follows:
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="192.168.1.201"
X-Powered-By: ASP.NET
Date: Fri, 05 Sep 2014 16:25:59 GMT
Connection: close
Content-Length: 58

You do not have permission to view this directory or page.read:errno=0
Resolution

To resolve the issue in this example, do the following:
  1. Open the IIS 7 console, expand SBS Web Applications and click on Autodiscover.
  2. Double-click Authentication.
  3. Right-click Basic Authentication and select Edit...
  4. In the Realm field, type the server's public hostname in the format hostname.domain.tld and then click OK.
  5. If applicable (e.g., on Windows SBS 2008), repeat the above process for the Microsoft-Server-ActiveSync and EWS applications in addition to Autodiscover.
Performing the same test in this example should now yield the following response:
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="hostname.domain.tld"
X-Powered-By: ASP.NET
Date: Fri, 05 Sep 2014 16:30:41 GMT
Connection: close
Content-Length: 58

You do not have permission to view this directory or page.read:errno=0
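The openssl test above and the post-fix check can both be scripted so the result does not depend on reading the headers by eye. The following Python script is an added example, not code from the original post: it builds the same Host-less HTTP/1.0 request, extracts every Basic realm from the 401 response, and flags any realm that is a private, loopback or link-local IP address. The two sample responses embedded in it are constructed from the before and after examples on this page (the trailing "read:errno=0" is openssl output, not part of the server's reply, so it is omitted); the probe_server function is the only part that touches the network, and its hostname and path arguments are placeholders.

```python
import ipaddress
import re
import socket
import ssl

# Constructed sample: the "affected server" response from the page.
AFFECTED_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/7.0\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b'WWW-Authenticate: Basic realm="192.168.1.201"\r\n'
    b"X-Powered-By: ASP.NET\r\n"
    b"Date: Fri, 05 Sep 2014 16:25:59 GMT\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 58\r\n"
    b"\r\n"
    b"You do not have permission to view this directory or page."
)

# Constructed sample: the same server after the realm was set to its public hostname.
FIXED_RESPONSE = AFFECTED_RESPONSE.replace(b'"192.168.1.201"', b'"hostname.domain.tld"')


def build_probe_request(path="/autodiscover/autodiscover.xml"):
    """Return the HTTP/1.0 request from the page as bytes. It deliberately
    carries no Host header, which is what makes IIS fall back to its IP."""
    return (
        f"GET {path} HTTP/1.0\r\n"
        "Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r\n"
        "Accept-Language: en\r\n"
        "Connection: Keep-Alive\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\n"
        "Pragma: no-cache\r\n"
        "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r\n"
        "\r\n"  # the blank line the server waits for
    ).encode("ascii")


def basic_realms(response):
    """Extract the realm value of every 'WWW-Authenticate: Basic' header."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    realms = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            m = re.match(r'\s*Basic\s+realm="([^"]*)"', value, re.IGNORECASE)
            if m:
                realms.append(m.group(1))
    return realms


def is_private_ip(value):
    """True when value parses as an IP address that should never reach the Internet."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:  # a hostname such as hostname.domain.tld is not an IP
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local


def leaks_internal_ip(response):
    """Return the list of Basic realms that disclose an internal address (empty = clean)."""
    return [realm for realm in basic_realms(response) if is_private_ip(realm)]


def probe_server(hostname, port=443, path="/autodiscover/autodiscover.xml"):
    """Send the probe over TLS and return the raw response. Network-only; hostname is a placeholder."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            tls.sendall(build_probe_request(path))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:  # IIS closes the connection after the 401
                    break
                chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    import sys
    # Usage: python check_realm.py hostname.domain.tld
    target = sys.argv[1] if len(sys.argv) > 1 else None
    reply = probe_server(target) if target else AFFECTED_RESPONSE
    leaked = leaks_internal_ip(reply)
    print("realms:", basic_realms(reply))
    print("FAIL: internal IP in realm" if leaked else "PASS: no internal IP in realm")
```

Run it against each application named in the resolution (Autodiscover, Microsoft-Server-ActiveSync and EWS) by passing the matching path to probe_server; a scanner typically only reports the first path it finds, so checking all three avoids a repeat failure on the next scan.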