-- Corsaire Security Advisory -- Title: Port80 Software ServerMask inconsistencies Date: 24.02.03 Application: Port80 Software ServerMask 2.2 and prior Environment: IIS 4 / IIS 5 / IIS 5.1 Author: Martin O'Neal [martin.oneal@corsaire.com] Audience: General distribution Reference: c030224-001 -- Scope -- The aim of this document is to clearly define some issues related to the ServerMask product, as supplied by Port80 Software [1] -- History -- Discovered: 20.02.03 (Martin O'Neal) Vendor notified: 24.02.03 Document released: 10.08.04 The release process on this advisory has been drawn-out due to repeated requests from Port80, on the basis that a revised product which resolved the issues would be available shortly. However, after eighteen months of waiting (during which time Port80 has continued to actively sell the product) it has become clear that no such fix is imminent. This advisory has been publicly released without a vendor fix being immediately available because the issues identified are not critical, and do not allow the host to be remotely compromised. -- Overview -- The ServerMask product is marketed as a solution for improving the security of Microsoft IIS servers by obfuscating header fields within HTTP responses: "ServerMask 2.0 removes or modifies unnecessary response data. The software provides control over what Server header data, if any, is visible in HTTP responses." [2] In practise, ServerMask changes only a subset of the HTTP header fields, leaving a number of responses unmodified. These remaining headers still provide reliable clues to the server being Microsoft IIS. The stated goal of the product, anonymisation, is therefore not fully achieved as only a subset of identifying traits are obfuscated. -- Analysis -- The ServerMask product is provided as an ISAPI filter for Microsoft IIS, and works by intercepting requests to the server and rewriting the HTTP header fields in responses. The product rewrites some server headers, removes some unnecessary ones, and reorders the remaining headers. However, it leaves several obvious header fields unchanged that can be used to identify the server as Microsoft IIS, including: - ETag: - HTTP Status Message - Allow: header in response to OPTIONS request As it stands, the ServerMask product provides at best only an incomplete solution to anonymising the server, whilst adding an additional product into the equation that must itself be maintained (and could potentially contain exploitable flaws). -- Proof of concept -- To reproduce these issues, all that is required is access to a telnet client (or similar client providing equivalent functionality) and a suitable web server using the ServerMask product. For the purposes of this example Port80 Software's home site (www.port80software.com) is used. Issue#1 - Standard IIS format ETag header >From a command prompt or shell, telnet, netcat or other similar client should be used to connect to the web server on TCP port 80, e.g. telnet www.port80software.com 80 The following extract should then be pasted into the session: GET /images/H_horline.gif HTTP/1.1 Accept: */* Connection: Keep-Alive Host: www.port80software.com The response received back should include: HTTP/1.1 200 OK Date: Mon, 24 Feb 2003 12:37:38 GMT Server: Yes - We Use ServerMask Last-Modified: Thu, 26 Sep 2002 00:07:29 GMT ETag: "8e9dc0b3f064c21:9b0" Accept-Ranges: bytes Content-Length: 59 Content-Type: image/gif The ETag header is the standard format returned by Microsoft IIS, and can be considered unique to that product. Issue#2 - 404 Status Message Format A session should again be initiated to the web port on the target, e.g. telnet www.port80software.com 80 The following request should then be used to attempt to retrieve a non- existent file from the server: GET /not.there HTTP/1.1 Accept: */* Connection: Keep-Alive Host: www.port80software.com The response should include headers similar to the following: HTTP/1.1 404 Object Not Found Date: Mon, 24 Feb 2003 12:49:54 GMT Server: Yes - We Use ServerMask Content-Length: 15383 Connection: close Content-Type: text/html The HTTP status message on the first line ("404 Object Not Found") is the standard format returned by Microsoft IIS, and differs from most other vendors. Issue#3 - Standard IIS Format Allow header A new session should be initiated to the web-server: telnet www.port80software.com 80 An OPTIONS request should then be sent to solicit a server response: OPTIONS /images/H_horline.gif HTTP/1.1 Accept: */* Connection: Keep-Alive Host: www.port80software.com The headers should include the Allow response to the OPTIONS request: HTTP/1.1 200 OK Date: Mon, 24 Feb 2003 13:05:07 GMT Server: Yes - We Use ServerMask Content-Length: 0 Allow: OPTIONS, TRACE, GET, HEAD The Allow header is the standard format, content and order returned by IIS. -- Recommendations -- The ServerMask product should be revised and improved to provide full control over modifying the values of all header fields, to prevent such analysis revealing the nature of the underlying web-server. -- CVE -- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2003-0105 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. -- References -- [1] http://www.port80software.com/products/servermask/ [2] http://www.port80software.com/products/servermask/faq.asp -- Revision -- a. Initial release. b. Minor revisions. c. Minor revisions. d. Revised to include CVE reference. e. Minor revisions. -- Distribution -- This security advisory may be freely distributed, provided that it remains unaltered and in its original form. -- Disclaimer -- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information. -- About Corsaire -- Corsaire are a leading information security consultancy, founded in 1997 and based in Surrey, UK. Corsaire bring innovation, integrity and analytical rigour to every job, which means fast and dramatic security performance improvements. Our services centre on the delivery of information security planning, assessment, implementation, management and vulnerability research. A free guide to selecting a security assessment supplier is available at http://www.penetration-testing.com Copyright 2003 Corsaire Limited. All rights reserved.