While ASP has quickly become popular across the web for its flexible, simple, practical and powerful features, some of its own flaws and vulnerabilities threaten every website developer. Having covered several IIS system vulnerabilities and ASP security issues in the previous article, this issue discusses the latest ASP and IIS security vulnerabilities in detail. All ASP website developers should pay close attention and stay vigilant.
Earlier this month, Microsoft was once again accused of not paying enough attention to the security of its web server software. A flaw involving malformed HTR requests was found in Microsoft's popular product IIS Server 4.0. According to Microsoft, under certain conditions this flaw can allow arbitrary code to run on the server. But in the words of Firas Bushnaq, CEO of eEye, the Internet security company that discovered the vulnerability, this is only the tip of the iceberg. Bushnaq said Microsoft had concealed some of the consequences, such as that hackers can use this vulnerability to take full control of the IIS server, and many e-commerce sites are based on this system.
The details of this IIS system vulnerability are listed below:
The latest security vulnerability of IIS
Affected systems:
Internet Information Server 4.0 (IIS4)
Microsoft Windows NT 4.0 SP3 Option Pack 4
Microsoft Windows NT 4.0 SP4 Option Pack 4
Microsoft Windows NT 4.0 SP5 Option Pack 4
Publication date: 6.8.1999
Microsoft has confirmed the vulnerability, but no patches are available yet.
Microsoft Security Announcement (MS99-019):
Topic: Malformed HTR request vulnerability
Release time: 6.15.1999
Summary:
Microsoft has confirmed a serious vulnerability in its web server product Internet Information Server 4.0. It can be used for a denial of service attack against IIS servers, and in some cases could cause arbitrary binary code to run on the server. Patches for the vulnerability will be released in the near future; all IIS users should pay close attention.
Vulnerability introduction:
IIS supports a variety of file types that require server-side processing, such as ASP, ASA, IDC and HTR. When a web user requests such a file, the corresponding DLL processes it automatically. However, ISM.DLL, the file responsible for processing HTR files, contains a serious security vulnerability. (Note: HTR files themselves are used for remote management of user passwords.)
The vulnerability is an unchecked buffer in ISM.DLL, which poses two threats to the secure operation of web servers. First, denial of service: a malformed .HTR request causes a buffer overflow that crashes IIS outright. When this happens the machine does not need to be rebooted, but the IIS web service must be restarted. The second threat is a bigger headache: a carefully constructed file request could use standard buffer overflow techniques to make binary code run on the server, in which case anything can happen. The vulnerability is not in the .HTR files themselves that provide the password management function.
Principle analysis:
At least one IIS extension handler (for example ASP, IDC or HTR) has an overflow. We speculate that the overflow occurs when IIS passes the full URL to the DLL that processes the extension. If the ISAPI DLL does not correctly check the length, the overflow happens inside INETINFO.EXE and a remote user can execute binary code. Attack method: sending the following HTTP request to IIS crashes it: GET /[overflow].htr HTTP/1.0, where [overflow] is a string about 3K long.
You may not be very familiar with .HTR files. IIS lets NT users change their passwords over the web through the /iisadmpwd/ directory, and this function is implemented by a set of .HTR files and an ISAPI extension DLL, ISM.DLL. When a complete URL is passed to ISM.DLL there is no check of its size, so an overflow occurs and the server crashes. The HTR/ISM.DLL ISAPI mapping is installed by default in IIS4.
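As an added defender-side example (not from the article, Microsoft or eEye): a small Python scanner over constructed IIS W3C extended log lines that reports any .HTR request, which should no longer be served once the mapping is removed, and any request URI far longer than a legitimate one, such as the roughly 3K-byte request described above.

```python
"""Scan IIS W3C extended log lines for .HTR requests and over-long URIs.
Added example for this article, not Microsoft's or eEye's code."""
import re

# Constructed sample log (not from any real server). The third request
# imitates the roughly 3K-byte URL the article describes. The W3C field
# order is configurable in IIS, so the #Fields header is parsed, not assumed.
SAMPLE_LOG = (
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "1999-06-15 10:01:02 10.0.0.5 GET /default.asp - 200\n"
    "1999-06-15 10:01:07 10.0.0.5 GET /iisadmpwd/achg.htr - 200\n"
    "1999-06-15 10:02:31 10.0.0.9 GET /" + "A" * 3000 + ".htr - 500\n"
    "1999-06-15 10:02:40 10.0.0.9 GET /index.html - 200\n"
)

HTR_RE = re.compile(r"\.htr$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def flag_htr(text, max_uri_len=1024):
    """Return (client ip, reason, uri length) for each suspicious request.

    Every .htr request is reported, since once the ISM.DLL mapping is removed
    none should be served; a URI longer than max_uri_len is reported whatever
    its extension, because request length is what triggers the overflow.
    """
    findings = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if len(stem) > max_uri_len:
            findings.append((rec.get("c-ip", "?"), "oversized-uri", len(stem)))
        elif HTR_RE.search(stem):
            findings.append((rec.get("c-ip", "?"), "htr-request", len(stem)))
    return findings
```

Point it at a real log by reading the file into a string and passing it to flag_htr; the 1024-byte threshold is an assumption and can be tightened for sites whose URLs are all short.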
Solution:
Since Microsoft has not yet released a patch, we can only take some emergency precautions.
1. Delete the .HTR extension from the list of ISAPI DLLs
On your NT desktop, click Start—> Programs—> Windows NT 4.0 Option Pack—> Microsoft Internet Information Server—> Internet Service Manager; double-click Internet Information Server; right-click the computer name and select Properties; select WWW Service in the Master Properties drop-down menu and click the Edit button; select the Home Directory tab and click the Configuration button; in the Application Mappings list box select the mapping for .HTR, click Remove, then OK.
2. Install the patch provided by Microsoft as soon as it is released; watch the following websites:
http://www.microsoft.com/security
http://www.microsoft.com/security/products/iis/CheckList.asp
Some friends may wonder why I have used two whole issues, the 17th and 18th of this ASP series, to focus on the security of IIS and ASP. If you are a web developer and ASP programmer, I think you can understand my intention. When we do network programming and develop interactive websites, the first goal is of course to build our own sites, but all of this rests on security: protecting the ASP and other network application code we have worked hard to develop, keeping the website servers running safely and normally, ensuring the security and authentication of user information, and so on. When e-commerce becomes a truly widespread way of doing business in the future, security will be even more critical. Many of our friends serve as network administrators as well as ASP programmers, so it is important and necessary to be familiar with the operation of the system, learn about system vulnerabilities promptly, and fix security problems as soon as possible. Therefore, at the end of this article the author lists some security suggestions for NT and IIS configuration that he has compiled, in the hope that they help you.
1. Use the latest version of Microsoft Internet Information Server 4.0 and install the latest NT Service Pack 5. Do not use FAT for the server's file system; use NTFS.
2. Set the IIS web directories such as sample, scripts, iisadmin and msadc to prohibit anonymous access and restrict them by IP address. Until Microsoft provides a patch, delete the application mapping for ism.dll.
3. If possible, use a firewall. The simplest arrangement is to run the web service on a front-end machine and keep the content directory on a back-end machine; best of all is one machine per service.
4. Important directories such as the web, CGI, scripts and winnt directories should be protected with NTFS permissions. The Winnt directory, which contains the registry, should allow only the administrator full control, and ordinary users should not even be given read-only permission. For all important system files, accounts other than Administrator should have read-only permission rather than Everyone/Full Control.
5. Open only the services you need and block all ports that should not be open, such as NetBIOS port 139, a typically dangerous port. How do you block these ports? Besides using a firewall, NT's TCP/IP settings also provide this function: open Control Panel - Network - Protocols - TCP/IP - Properties - Advanced - Enable Security - Configure, which provides TCP port, UDP port and IP protocol restrictions.
6. The administrator account's password should be more complicated; it is recommended to include special characters.
7. Change the TCP ports of FTP and Telnet to non-standard ports. I usually set them somewhere in the range 10000~65000.
8. Delete all shares that can be deleted, including printer shares and hidden shares such as IPC$, Admin$ and so on. Microsoft says these special shares are important and in most cases cannot be deleted, but in fact most machines placed on the Internet do not need them.
IPC$: used for remote management of computers and viewing shared resources; it is best not to use it on an Internet-facing machine.
Admin$: this is actually c:\winnt, and there is no need to share it.
C$: users logged in as Administrator or Backup Operator can access the C drive via \\computername\C$. Although this is limited to the LAN, remote hackers also have ways to disguise themselves as logged-in LAN users, so it should be turned off.
Print$: this is the directory holding the printer drivers and, like the shares above, is a dangerous entry point.
Netlogon: this share handles domain logon requests. If your machine is the primary domain controller and other machines in the domain need to log on, do not delete it; otherwise you can delete it.
How do you turn off these shares? Use Server Manager—>Shared Directories—>Stop Sharing.
9. Manage the ASP directories centrally and set detailed access permissions on the ASP program directory. Generally it is recommended not to grant read permission.
10. Rename the sam._ file under winnt. Practice has shown that this file, which may leak passwords, can be deleted without any problem.
11. Test and check your own machine for known NT security vulnerabilities, and install patches promptly.
12. If necessary, use the SSL secure communication mechanism provided by IIS 4.0 to prevent data from being intercepted on the network.