Web Service

Web Server Software is Microsoft-IIS/4.0

Security Issues

The web service on Microsoft's Internet Information Server 4.0 has a buffer overrun vulnerability when a request of 3000 or more characters is made for a .htr file. This vulnerability could allow a remote attacker to execute arbitrary code and gain control of the computer. Ensure that the patch has been installed. If it has not, remove .htr as a registered IIS file extension until the patch is installed.

D:\Inetpub\wwwroot\ - this is the physical path of the web server root. By requesting a non-existent .idc file it is possible to obtain this information.

Web server is also running Microsoft Proxy Server 2.

http://charon/_vti_bin/fpcount.exe?Page=default.htm|Image=3|Digits=15

Fpcount.exe has been found in the /_vti_bin/ directory. If, when the link above is followed, fifteen digits are displayed, this version of fpcount.exe is from the FrontPage Server Extensions 97 package and it contains a buffer overrun that allows remote execution of arbitrary code.

This should be deleted until a copy of the 98 version of FrontPage can be obtained.

http://charon/iissamples/issamples/query.asp

The query.asp page is the default sample search page for Index Server on IIS 4. From here an attacker can perform searches for files of a certain type using "#filename=*.exe" or "#filename=*.asp". Ensure that Index Server has been configured not to return results for searches such as these.

Server exhibits the ::$DATA bug.

This can allow an attacker to download the source of scripts, such as Active Server Pages or Perl scripts. This problem is fixed with Service Pack 4, or a post-SP3 hotfix can be downloaded from the Microsoft web site.

http://charon/iissamples/exair/search/advsearch.asp

The sample ExAir site contains a number of scripts that can cause a temporary situation where the inetinfo.exe process consumes 100 percent of the processor time for 90 seconds. This only happens if the Index Server ISAPI DLLs have not been loaded into memory. If they are not loaded and this page, query.asp or search.asp is accessed directly, the script will loop.

The solution to this problem is to remove these files.

http://charon/iisadmpwd/aexp2.htr

From here an attacker can launch password attacks against the local machine or proxied attacks against other machines on the network. More information can be found here

http://charon/iissamples/exair/howitworks/codebrws.asp

This sample script should be removed. It allows attackers to access files on the same volume as the IIS install outside of the web file system.

http://charon/msadc/samples/selector/showcode.asp

This sample script should be removed. It allows attackers to access files on the same volume as the IIS install outside of the web file system.