Friday, 29 April 2011

Web Server Security - IIS Risks

IIS Risks
IIS is one of the most widely used Web server platforms on the Internet, with more exploits to it.
Dynamic capabilities were added by using Common Gateway Interface (CGI) applications. These applications run on the server and generate dynamic content different for each request. This capability to process input and generate pages in real time greatly expanded the functional potential of a Web application. Microsoft introduced two similar technologies to serve as the basis for Web applications: Active Server Pages (ASP) and the Internet Server Application Programming Interface (ISAPI). ASP scripts are usually written to be readable scripting language. The ASP interpreter is implemented as an ISAPI DLL. ISAPI on the other hand is much less visible to web surfers. Microsoft uses many ISAPI DLLs to extend IIS itself. ISAPI DLLs are binary files that are not visable to be read or given to human interpretation. However, if the user knows the name of an ISAPI DLL, you can call it trough HTTP. They are capable of running inside or outside the IIS process (inetinfo.exe) and, once instantiated remain resident; thereby reducing the overhead of spawning a new process for a CGI executable to service each request. Two popular files that may be runned when IIS is Hacked is cmd.exe and global.asa, which often contains passwords or other sensitive information. Some old popular exploits were: (Showcode.asp) it's a script that allows a web developer to easily view the code for a number of examples included with Internet Information Server. It comes under several different guises, including showcode.asp, viewcode.asp, and codebrws.asp among others. Essentially it lets the developer view the code of a server-side script without executing it. The problem is that it does not just stop at that because with some manipulation of the URL it lets an attacker view any file on the same drive as the script. Another one was (Piggy-backing privileged command execution on back-end database queries(MDAC/RDS)). MDAC is a package used to integrate Web and database services. It includes the RDS component that provides remote access to database objects through IIS. By exploiting vulnerabilities in RDS depending on the security posture of the website, attackers can send random SQL commands that manipulate the database or retrieve any desired information. In this specific case, the attacker can even gain administrative rights by embedding the shell () VBA command into the SQL command and execute any highly privileged system commands. IIS relies heavily on DLLs to provide various capabilities. Server side scripting, Content Indexing, Web Based printing are another way of exploiting IIS.

Thanks To Security Team.

No comments:

Post a Comment