Windows Server Running IIS Fails PCI Compliance Scan


Post by Ernie » Fri Oct 24, 2014 3:52 pm

If your web server is failing a PCI compliance scan because a specially crafted HTTP/1.0 GET request without a host header is causing it to divulge an internal private IP address, then read on.

Problem

In IIS 7 on Windows Server 2008 and higher, there is a vulnerability that will cause it to accept such a GET request and respond with the internal IP address as the realm for basic authentication. This does not happen with an HTTP/1.1 request.

More Information

In this example, the GET request was for /autodiscover/autodiscover.xml, which is in the Autodiscover application under the "Default Web Site" site in IIS 7.5 on Windows Server 2008 R2 Standard with Exchange Server 2010 sp3 Rollup 5 running the Client Access Server role.

You can test for the issue with openssl on Linux by running the following command:

    $ openssl s_client -host hostname.domain.tld -port 443
Substitute the actual hostname for hostname.domain.tld. The server will respond with a bunch of SSL information ending in "---" followed by a blank line. On that line, type or paste the following:

    GET /autodiscover/autodiscover.xml HTTP/1.0
    Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
    Accept-Language: en
    Connection: Keep-Alive
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
    Pragma: no-cache
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Send a blank line at the end; the server will not respond until you do. An example of a response from a server affected by the vulnerability follows:

    HTTP/1.1 401 Unauthorized
    Content-Type: text/html
    Server: Microsoft-IIS/7.0
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM
    WWW-Authenticate: Basic realm="192.168.1.201"
    X-Powered-By: ASP.NET
    Date: Fri, 05 Sep 2014 16:25:59 GMT
    Connection: close
    Content-Length: 58

    You do not have permission to view this directory or page.read:errno=0
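The same probe scripted in Python, as an added example that is not part of the original post or the author's own tooling: it sends the HTTP/1.0 request above without a Host header and parses the response for a Basic realm that is a private IP address, so the check can be repeated against every site and virtual directory that presents Basic authentication. The hostname and port are assumptions supplied on the command line; the two sample responses embedded in the script are constructed from the responses shown in this post so the parsing can be exercised without a server.

```python
import ipaddress
import re
import socket
import ssl
import sys

# The HTTP/1.0 request from the post, deliberately sent without a Host
# header. CRLF line endings and the terminating blank line are what the
# server waits for before it answers.
REQUEST_LINES = [
    "GET /autodiscover/autodiscover.xml HTTP/1.0",
    "Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1",
    "Accept-Language: en",
    "Connection: Keep-Alive",
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "Pragma: no-cache",
    "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*",
]
REQUEST = ("\r\n".join(REQUEST_LINES) + "\r\n\r\n").encode("ascii")

# Matches the realm of a Basic challenge: WWW-Authenticate: Basic realm="..."
REALM_RE = re.compile(
    r'^WWW-Authenticate:\s*Basic\s+realm="([^"]*)"', re.IGNORECASE | re.MULTILINE
)

def basic_realms(response: bytes) -> list:
    """Return every Basic realm value in the response headers, in order."""
    text = response.decode("latin-1")
    # Headers end at the first blank line; accept CRLF or bare LF in case
    # the response was pasted from a terminal session.
    head = re.split(r"\r?\n\r?\n", text, maxsplit=1)[0]
    return REALM_RE.findall(head)

def leaked_private_addresses(response: bytes) -> list:
    """Return the Basic realms that are private (RFC 1918 and similar) IPs.

    An empty list means no internal address is exposed in the realm; the
    server may still present a hostname realm, which is the intended state.
    """
    leaks = []
    for realm in basic_realms(response):
        try:
            addr = ipaddress.ip_address(realm)
        except ValueError:
            continue  # a hostname such as hostname.domain.tld, not an IP
        if addr.is_private:
            leaks.append(realm)
    return leaks

def probe(hostname: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Send REQUEST over TLS to hostname:port and return the raw response."""
    context = ssl.create_default_context()  # certificate validation stays on
    chunks = []
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(REQUEST)
            try:
                while True:
                    data = tls.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
            except (socket.timeout, ssl.SSLError):
                pass  # connection left open or torn down; use what arrived
    return b"".join(chunks)

# Constructed samples, copied from the two responses shown in the post
# (the affected server, and the same server after the realm was changed).
SAMPLE_AFFECTED = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/7.0\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b'WWW-Authenticate: Basic realm="192.168.1.201"\r\n'
    b"X-Powered-By: ASP.NET\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 58\r\n"
    b"\r\n"
    b"You do not have permission to view this directory or page."
)
SAMPLE_FIXED = SAMPLE_AFFECTED.replace(
    b'realm="192.168.1.201"', b'realm="hostname.domain.tld"'
)

def report(response: bytes) -> str:
    """One-line verdict for a response, for use from the command line."""
    leaks = leaked_private_addresses(response)
    if leaks:
        return "FAIL: Basic realm exposes internal address " + ", ".join(leaks)
    realms = basic_realms(response)
    if realms:
        return "OK: Basic realm is " + ", ".join(realms)
    return "OK: no Basic authentication challenge in response"

if __name__ == "__main__":
    # Usage: python probe_realm.py hostname.domain.tld [port]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(report(probe(host, port)))
```

Change the request line to /Microsoft-Server-ActiveSync or /EWS/Exchange.asmx to repeat the check for the other Exchange virtual directories mentioned below; the verdict logic is unchanged.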

Resolution

To resolve the issue in this example, do the following:

    1. Open the IIS 7 console, expand Default Web Site and click on Autodiscover.
    2. Double-click Authentication.
    3. Right-click Basic Authentication and select Edit...
    4. In the Realm field, type the server's public hostname in the format hostname.domain.tld and then click OK.
    5. If applicable (e.g.: on Windows SBS 2008), repeat the above process for the Microsoft-Server-ActiveSync and EWS websites in addition to Autodiscover.

Performing the same test in this example should now yield the following response:

    HTTP/1.1 401 Unauthorized
    Content-Type: text/html
    Server: Microsoft-IIS/7.0
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM
    WWW-Authenticate: Basic realm="hostname.domain.tld"
    X-Powered-By: ASP.NET
    Date: Fri, 05 Sep 2014 16:30:41 GMT
    Connection: close
    Content-Length: 58

    You do not have permission to view this directory or page.read:errno=0

http://techtips.fulori.com/2014/09/windows-server-running-iis-fails-pci.html