exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Corsaire Security Advisory 2003-02-24.1

Corsaire Security Advisory 2003-02-24.1
Posted Aug 10, 2004
Authored by Corsaire | Site corsaire.com

Corsaire Security Advisory - The ServerMask 2.0 product from Port80 fails to full obfuscate header fields as promoted in their functionality. Detailed exploitation given.

tags | exploit
advisories | CVE-2003-0105
SHA-256 | 7c87da8d19d481cd57af93b5bfb5090c438a002b7e201a42d24b3a916a318bc3

Corsaire Security Advisory 2003-02-24.1

Change Mirror Download

-- Corsaire Security Advisory --

Title: Port80 Software ServerMask inconsistencies
Date: 24.02.03
Application: Port80 Software ServerMask 2.2 and prior
Environment: IIS 4 / IIS 5 / IIS 5.1
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution
Reference: c030224-001


-- Scope --

The aim of this document is to clearly define some issues related to the
ServerMask product, as supplied by Port80 Software [1]


-- History --

Discovered: 20.02.03 (Martin O'Neal)
Vendor notified: 24.02.03
Document released: 10.08.04

The release process on this advisory has been drawn-out due to repeated
requests from Port80, on the basis that a revised product which resolved
the issues would be available shortly. However, after eighteen months of
waiting (during which time Port80 has continued to actively sell the
product) it has become clear that no such fix is imminent.

This advisory has been publicly released without a vendor fix being
immediately available because the issues identified are not critical,
and do not allow the host to be remotely compromised.


-- Overview --

The ServerMask product is marketed as a solution for improving the
security of Microsoft IIS servers by obfuscating header fields within
HTTP responses:

"ServerMask 2.0 removes or modifies unnecessary response data. The
software provides control over what Server header data, if any, is
visible in HTTP responses." [2]

In practise, ServerMask changes only a subset of the HTTP header fields,
leaving a number of responses unmodified. These remaining headers still
provide reliable clues to the server being Microsoft IIS.

The stated goal of the product, anonymisation, is therefore not fully
achieved as only a subset of identifying traits are obfuscated.


-- Analysis --

The ServerMask product is provided as an ISAPI filter for Microsoft IIS,
and works by intercepting requests to the server and rewriting the HTTP
header fields in responses.

The product rewrites some server headers, removes some unnecessary ones,
and reorders the remaining headers.

However, it leaves several obvious header fields unchanged that can be
used to identify the server as Microsoft IIS, including:

- ETag:
- HTTP Status Message
- Allow: header in response to OPTIONS request

As it stands, the ServerMask product provides at best only an incomplete
solution to anonymising the server, whilst adding an additional product
into the equation that must itself be maintained (and could potentially
contain exploitable flaws).


-- Proof of concept --

To reproduce these issues, all that is required is access to a telnet
client (or similar client providing equivalent functionality) and a
suitable web server using the ServerMask product. For the purposes of
this example Port80 Software's home site (www.port80software.com) is
used.


Issue#1 - Standard IIS format ETag header

>From a command prompt or shell, telnet, netcat or other similar client
should be used to connect to the web server on TCP port 80, e.g.

telnet www.port80software.com 80

The following extract should then be pasted into the session:

GET /images/H_horline.gif HTTP/1.1
Accept: */*
Connection: Keep-Alive
Host: www.port80software.com

The response received back should include:

HTTP/1.1 200 OK
Date: Mon, 24 Feb 2003 12:37:38 GMT
Server: Yes - We Use ServerMask
Last-Modified: Thu, 26 Sep 2002 00:07:29 GMT
ETag: "8e9dc0b3f064c21:9b0"
Accept-Ranges: bytes
Content-Length: 59
Content-Type: image/gif

The ETag header is the standard format returned by Microsoft IIS, and
can be considered unique to that product.


Issue#2 - 404 Status Message Format

A session should again be initiated to the web port on the target, e.g.

telnet www.port80software.com 80

The following request should then be used to attempt to retrieve a non-
existent file from the server:

GET /not.there HTTP/1.1
Accept: */*
Connection: Keep-Alive
Host: www.port80software.com

The response should include headers similar to the following:

HTTP/1.1 404 Object Not Found
Date: Mon, 24 Feb 2003 12:49:54 GMT
Server: Yes - We Use ServerMask
Content-Length: 15383
Connection: close
Content-Type: text/html

The HTTP status message on the first line ("404 Object Not Found") is
the standard format returned by Microsoft IIS, and differs from most
other vendors.


Issue#3 - Standard IIS Format Allow header

A new session should be initiated to the web-server:

telnet www.port80software.com 80

An OPTIONS request should then be sent to solicit a server response:

OPTIONS /images/H_horline.gif HTTP/1.1
Accept: */*
Connection: Keep-Alive
Host: www.port80software.com

The headers should include the Allow response to the OPTIONS request:

HTTP/1.1 200 OK
Date: Mon, 24 Feb 2003 13:05:07 GMT
Server: Yes - We Use ServerMask
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD

The Allow header is the standard format, content and order returned by
IIS.


-- Recommendations --

The ServerMask product should be revised and improved to provide full
control over modifying the values of all header fields, to prevent such
analysis revealing the nature of the underlying web-server.


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-0105 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


-- References --

[1] http://www.port80software.com/products/servermask/
[2] http://www.port80software.com/products/servermask/faq.asp


-- Revision --

a. Initial release.
b. Minor revisions.
c. Minor revisions.
d. Revised to include CVE reference.
e. Minor revisions.


-- Distribution --

This security advisory may be freely distributed, provided that it
remains unaltered and in its original form.


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.


-- About Corsaire --
Corsaire are a leading information security consultancy, founded in 1997
and based in Surrey, UK. Corsaire bring innovation, integrity and
analytical rigour to every job, which means fast and dramatic security
performance improvements. Our services centre on the delivery of
information security planning, assessment, implementation, management
and vulnerability research.

A free guide to selecting a security assessment supplier is available at
http://www.penetration-testing.com


Copyright 2003 Corsaire Limited. All rights reserved.



Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close