Internal IP Addresses and IIS

March 4th, 2002

NGSSoftware Insight Security Research Advisory

Name: Internal IP Addresses and IIS

Systems Affected: Microsoft IIS 4/5/5.1

Platforms: Windows NT/2000/XP

Severity: Low Risk

Vendor URL: http://www.microsoft.com/

Author: David Litchfield (david@nextgenss.com)

Date: 4th March 2002

Advisory number: #NISR05032002B

Advisory URL: http://www.nextgenss.com/advisories/iisip.txt

Issue: Possible to discover internal IP addresses used by IIS Servers

Description

***********

Microsoft’s Internet Information Server offers web, ftp, mail and nntp services. If the server is protected by a firewall using Network Address Translation and the server uses a private internal IP address, then by making a malformed request to the web service it is possible for an attacker to discover this IP address. Whilst this won’t come anywhere near to allowing an attacker to compromise an IIS server, it will help them formulate further attacks.

Details

*******

By making certain requests to the web service with a blank Host HTTP client header the server response will often contain the server’s IP address, for example when using the PROPFIND request method.

PROPFIND / HTTP/1.1
Host:
Content-Length: 0

The server will return a 207 Multi-Status response with certain properties of the root page. The server’s IP address will be revealed in the HREF property. Using the WRITE or MKCOL method will return the machine’s IP address in the Location server HTTP header, though of course if the server allows the WRITE and MKCOL methods then the server has greater problems.

Only IIS 5 and 5.1 support the WebDAV methods so these methods only affect these systems. IIS 5.x and 4.0 are both vulnerable to this issue if Basic authentication is enabled (see #NISR05032002A, http://www.nextgenss.com/advisories/iisauth.txt).

Fix Information

***************

To prevent internal IP address disclosure take the following steps.

Open a command prompt and change the current directory to c:\inetpub\adminscripts or to where the adminscripts can be found.

Run the commands:

adsutil set w3svc/UseHostName True
net stop iisadmin /y
net start w3svc

This will cause the IIS server to use the machine’s host name rather than its IP address.
