IIS Security Vulnerabilities


Jordan University of Science and Technology
Department of Computer Engineering
Cryptography and Networks Security Investigation

Done By:
Omar Ibrahim Mohammad Bataineh 20010171035
Aysar Mohammad Rashed Yousef 20010171025

Supervised By: Dr. Lo'ai Tawalbeh

Table of Contents
Introduction
  IIS Server
  Web Security
  Buffer Overflow
IIS Security Vulnerabilities
  Remote Index Server ISAPI Extension Buffer Overflow
  Heap Overflow Attack
  Buffer Overrun in HTTP Header Handling
  Buffer Overrun in Chunked Encoding Transfer
Glossary

Introduction:

IIS Server:

Microsoft Internet Information Server, or IIS, is the primary Web server for sites built on Microsoft Windows NT technology, and it represents a substantial improvement over servers that rely solely on CGI to generate content. IIS supports a set of applications that use the Internet Server Application Programming Interface, or ISAPI. ISAPI applications can be invoked in a fashion similar to CGI, but they run in the same memory space as the Web server. Microsoft Active Server Pages, or ASP, is an example of an ISAPI application. Internet Information Server is available for both the Server and Workstation versions of Windows NT.

IIS provides three primary services: File Transfer Protocol (FTP) and Gopher, which are file transfer services, and World Wide Web (WWW), which delivers Web pages to browsers and provides access to the functionality of Active Server Pages. For the purposes of Web development, WWW is the most important of the three services. So we can define the IIS server as follows: Internet Information Server (IIS) is a Web server designed for use with Microsoft Windows NT Server. It provides WWW, FTP, and Gopher services.
When Microsoft Corporation released its server (IIS), many companies and programmers began using it to build web sites and web applications that let clients do many different things on the Internet, such as shopping with a credit card or transferring files from the server to their own PC. Attackers (skilled programmers) began attacking this server with different methods, and one of the methods that succeeded was the buffer overflow attack. These attacks were shown to succeed when the eEye security team announced that Microsoft IIS had been compromised using a buffer overflow (see www.eeye.com). eEye was the first to discover this security bug in IIS and reported it to Microsoft. Microsoft credited eEye and then fixed the problem by releasing patches that the users of its IIS server could download.

Web security:

Security is often one of the last issues addressed by developers. It requires thinking about your applications in a different light from what you are accustomed to. As you build your applications, your goal is to make them as useful and easy to use as possible. When you consider security, however, the goal is often quite the opposite. You find yourself asking questions such as "How can I be sure that these people cannot access this portion of my application?" or "How can I verify that the request coming into my application is from who I think it is, and not from someone pretending to be that person?" With Web applications, the issues of security are magnified because almost all communication to and from the application travels across connections that span the network. For this reason, one of the most important security issues in Web applications is authentication.
Clients want to know whether the site they are looking at is indeed produced by the company it purports to be from, and servers often need to know the identity of a particular client, especially if the application is modifying data on behalf of that client (as with a bank account). The level of security required is very application dependent. Web applications that are simply informative may not care about client credentials and are happy to treat all clients as anonymous users. Web applications that provide customized content may want to identify clients only if they want to be identified (for customization), and are otherwise happy to let anonymous clients browse the application at their leisure. Web applications that provide client services (stock portfolios, bank accounts, and so on) typically need to be much more careful about client identity and often require client authentication before any pages on the site can be displayed. As a Web application developer, you must be aware of the level of authentication required by your application and add only the security services necessary. Each additional security requirement makes the application more complex and may have a significant impact on its design. Because Internet applications range from low security requirements, such as web page browsing, to high security requirements, such as transactions involving money (shopping on the Internet with your own credit card, transferring files in a secure manner), any security hole (bug) in the web server that runs the high-security applications creates very dangerous problems for the clients who perform those transactions.

Buffer Overflow:

A buffer is an area of memory used to hold data for processing. A buffer overflow happens when a program attempts to read or write data outside of the memory allocated for that data; it usually affects buffers of fixed size.
If the data being placed into the buffer is too large and its size is not checked, it will overflow the buffer. In that case there are two possibilities:

1. In the best case the excess data is simply lost.
2. In the worst case the excess data overwrites other legitimate data.

Buffer overflow is a common and potentially very dangerous vulnerability in software. It mostly affects C and C++ programs, but it can also affect other languages. Attackers may exploit a buffer overflow simply to crash the system, causing a denial of service. It can also be exploited remotely in server software to cause a denial of service or to execute code on the target system. Buffer overflow conditions are often found in sections of code that receive user input, such as a program that asks the user to enter a user name and password. There are several types of overflow in user programs:

I. Stack overflow: this type of overflow occurs when the data being copied is too big for the buffer on the stack. A skilled attacker can arrange for the saved return address to be overwritten with the memory address of the code the attacker wishes to execute.
II. Heap overflow: overwrites other variables held in the heap area, causing the program to 'misbehave'. Variables an attacker may want to change include filenames, access control data structures, user names and passwords.

As mentioned above, the buffer overflow attack is a common way for attackers to run (execute) their own code, especially on network-exposed services such as FTP and telnet servers. One way to avoid it is to avoid the unbounded C/C++ string functions (e.g. strcpy, strcat, gets) in favor of length-checked alternatives, or to use a memory-safe language.
IIS Security Vulnerabilities

In this paper we highlight a number of Microsoft Internet Information Server vulnerabilities, presenting for each the technical details, scope, affected systems, and proposed solution.

Remote Index Server ISAPI Extension Buffer Overflow

Systems Affected:
- Microsoft Index Server 2.0
- Indexing Service in Windows 2000
- Microsoft Windows NT 4.0, Internet Information Services 4.0
- Microsoft Windows 2000, Internet Information Services 5.0
- Microsoft Windows XP beta, Internet Information Services 6.0 beta version

Technical Details:

Internet Services Application Programming Interface (ISAPI) extensions allow additional functionality to be added to IIS. The ISAPI Index Server extension provides a hook to integrate Microsoft Index Server with IIS. A flaw exists in the ISAPI Index Server extension's query processing that may lead to Web page defacement and theft of sensitive or confidential information. The vulnerability is introduced during the IIS installation process, when two Index Server Dynamic Link Library (DLL) files are installed. Index Server itself does not need to be installed for attackers to exploit this vulnerability, because these DLL files are mapped by default IIS installations. Among the installed Index Server extensions is idq.dll, which provides support for administrative scripts (.ida files) and Internet Data Queries (.idq files). The security vulnerability arises because idq.dll contains an unchecked buffer in a section of code that handles input URLs. An attacker who could establish a web session with a server on which idq.dll is installed could conduct a buffer overrun attack and execute code on the web server. idq.dll runs in the System context, so exploiting the vulnerability would give the attacker complete control of the server and allow him to take any desired action on it. The buffer overrun occurs before any indexing functionality is requested.
As a result, even though idq.dll is a component of Index Server/Indexing Service, the service does not need to be running for an attacker to exploit the vulnerability. As long as the script mapping for .idq or .ida files is present and the attacker can establish a web session, the vulnerability can be exploited. This was a serious vulnerability, and Microsoft urged all customers to take action immediately. Microsoft developed a patch that fixes this vulnerability (discussed later on). A customer who does not want to install the patch can protect the system by removing the script mappings for .idq and .ida files via the Internet Services Manager in IIS. However, these mappings may be automatically reinstated if additional system components are added or removed, so the mappings should be re-checked after any such change.
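The following C program is an added example, not code from the paper, from Microsoft, or from idq.dll itself. It models the two points made above: the stack overflow pattern from the Buffer Overflow section (an unbounded strcpy into a fixed-size stack buffer, beside a length-checked version that rejects over-long input), and the idq.dll exposure described in this section (the request reaches the vulnerable handler only because the default .ida/.idq script mappings route it there, so removing the mappings makes the overflow unreachable). The buffer size QUERY_MAX, the function names, and the sample request (a .ida URL whose query is a long run of filler) are assumptions constructed for illustration; the real idq.dll buffer size and the exact attack traffic are not given on the page.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer in this model (assumed for illustration;
 * the page does not state the size of the unchecked buffer in idq.dll). */
#define QUERY_MAX 64

/* Vulnerable shape (model of the idq.dll flaw): the query part of the URL is
 * copied into a fixed-size stack buffer with no length check, so a request
 * such as /default.ida?AAAA...AAAA overruns 'query' and can overwrite the
 * saved return address.  Demonstration only: never feed it untrusted input. */
void handle_query_unchecked(const char *url)
{
    char query[QUERY_MAX];
    const char *q = strchr(url, '?');
    if (q == NULL)
        return;
    strcpy(query, q + 1);            /* BUG: unbounded copy */
    printf("unchecked handler got query: %s\n", query);
}

/* Hardened shape: the copy is bounded by the destination size and over-long
 * input is rejected rather than copied blindly.
 * Returns the query length on success, -1 if no query, -2 if too long. */
int handle_query_checked(const char *url, char *out, size_t outlen)
{
    const char *q = strchr(url, '?');
    if (q == NULL)
        return -1;
    size_t n = strlen(q + 1);
    if (n >= outlen)                 /* leave room for the terminator */
        return -2;
    memcpy(out, q + 1, n + 1);
    return (int)n;
}

/* Case-insensitive compare of a 4-character extension. */
static int ext_equals(const char *ext, const char *want)
{
    for (size_t i = 0; i < 4; i++)
        if (tolower((unsigned char)ext[i]) != (unsigned char)want[i])
            return 0;
    return 1;
}

/* 1 if the request path ends in .ida or .idq, i.e. the default IIS script
 * mappings would hand it to idq.dll regardless of whether Index Server runs. */
int routes_to_idq(const char *url)
{
    const char *qmark = strchr(url, '?');
    size_t pathlen = qmark ? (size_t)(qmark - url) : strlen(url);
    if (pathlen < 4)
        return 0;
    const char *ext = url + pathlen - 4;
    return ext_equals(ext, ".ida") || ext_equals(ext, ".idq");
}

/* Model of the server's routing decision.  idq_mapped is 1 while the
 * .ida/.idq script mappings exist (the IIS default) and 0 after an admin
 * removes them in Internet Services Manager, the workaround described above.
 * Returns 0 if the request is not for idq.dll, 1 if handled by the checked
 * code, -1 if refused because the mapping is absent, -2 if rejected as
 * over-long by the checked handler. */
int dispatch(const char *url, int idq_mapped)
{
    char query[QUERY_MAX];
    if (!routes_to_idq(url))
        return 0;
    if (!idq_mapped)
        return -1;                   /* idq.dll never sees the request */
    if (handle_query_checked(url, query, sizeof query) == -2)
        return -2;
    return 1;
}

/* Constructed sample request: a .ida URL whose query is 'fill' bytes of
 * filler.  Shape only; this is not a captured attack packet. */
int build_long_ida_request(char *buf, size_t buflen, size_t fill)
{
    const char *prefix = "/default.ida?";
    const char *suffix = "=X";
    size_t p = strlen(prefix), s = strlen(suffix);
    if (p + fill + s + 1 > buflen)
        return -1;
    memcpy(buf, prefix, p);
    memset(buf + p, 'A', fill);
    memcpy(buf + p + fill, suffix, s + 1);
    return 0;
}

int main(void)
{
    char req[512];
    char out[QUERY_MAX];
    build_long_ida_request(req, sizeof req, 300);
    handle_query_unchecked("/default.ida?short=1");   /* benign input only */
    printf("checked handler on long request: %d\n",
           handle_query_checked(req, out, sizeof out));
    printf("dispatch with mapping present: %d\n", dispatch(req, 1));
    printf("dispatch with mapping removed: %d\n", dispatch(req, 0));
    return 0;
}
```

The point of the dispatch model is that the workaround and the patch close the hole at different layers: removing the script mappings stops the request from reaching idq.dll at all, while the patch (modelled by handle_query_checked) makes the handler itself safe. Because the mappings can be silently restored when components are added or removed, an installation that relies on the workaround alone needs routes_to_idq-style checks repeated after every configuration change.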
