Popular Web Servers


The popular web servers are Apache Web Server, Internet Information Server and Sun ONE Web Server.

The Apache Web Server is an open-source web server for modern operating systems including UNIX and Windows NT. The server provides HTTP services in sync with the current HTTP standards in an efficient and extensible environment.

The Java Web Server / Sun ONE Web Server is one of the other highly available Web servers on the market. Microsoft's Internet Information Server is another popular server used by a sizable percentage of websites.

Threat  

Common Security Risks

Let us take a look at some of the security concerns that arise in the context of web servers. There are inherent security risks that affect web servers, the local area networks that host these web sites, and perhaps even the normal users of web browsers.

Webmaster's Concern

From a webmaster's perspective, the biggest security concern is that the web server can expose the local area network or the corporate intranet to the threats posed by the Internet. This may take the form of viruses, Trojans, hackers or compromise of the information itself. It is often considered that software bugs present in large complex programs are the source of imminent security lapses. Web servers, being large complex pieces of software, do come with these inherent risks. Apart from this, the open architecture of some Web servers allows arbitrary scripts to be executed on the server's side of the connection in response to remote requests. Any CGI script installed at the site may contain bugs that are potential security holes.

Network Administrator's Concern

From a network administrator's perspective, a poorly configured web server poses another potential hole in the local network's security. While the objective of a web site is to provide controlled access to the network, too much control can make a Web site impossible to use. In an intranet environment, the network administrator has to be careful to configure the web server so that legitimate users are recognized and authenticated and the various groups of users are assigned distinct access privileges.

End User 's Concern

Usually the end user does not perceive any immediate threat, as surfing the web appears both safe and anonymous. However, active content, such as ActiveX controls and Java applets, makes it possible for harmful applications such as viruses to invade the user's system. Besides, active content from a web browser can be a conduit for malicious software to bypass the firewall system and permeate the local area network.

The threat for the end user stems from the fact that the TCP/IP protocol was not designed with security as its foremost priority. Therefore, data can be compromised in terms of confidentiality, authentication, and integrity as it is transmitted across the Web. In essence the aspects of confidentiality, authentication, and integrity need to be guarded both on the client side and server side to the extent possible.

Risks

There are basically three overlapping types of risk:

  1. Bugs or misconfiguration problems in the Web server that allow unauthorized remote users to:

    • Steal classified information.

    • Execute commands on the server host machine and modify the system.

    • Retrieve host based information to assist them in compromising the system.

    • Launch denial-of-service attacks, rendering the machine temporarily unusable.

  2. Browser-side risks

    • Active content that crashes the browser, damages the user's system, breaches the user's privacy, or merely creates a disturbance.

    • The misuse of personal information provided by the end-user.

  3. Interception of network data sent from browser to server or vice versa via network eavesdropping. Eavesdroppers can operate from any point on the pathway between browser and server including:

    • The network on the browser's side of the connection.

    • The network on the server's side of the connection (including intranets).

    • The end-user's Internet service provider (ISP).

    • The server's ISP or regional access provider.

start sidebar
Apache Vulnerability
  • The Apache Week tracks the vulnerabilities in Apache Server. Even Apache has its share of bugs and fixes.

  • For instance, consider the vulnerability which was found in the Win32 port of Apache 1.3.20.

    • Long URLs passing through the mod_negotiation, mod_dir and mod_autoindex modules could cause Apache to list directory contents.

    • The concept is simple but requires a few trial runs.

    • A URL with a large number of trailing slashes:

      • /cgi-bin/////////////////////////// could produce a directory listing of the original directory.

end sidebar
 

The purpose of discussing the various vulnerabilities of the web server here is to highlight how ingenious attackers can be: by exploring the functionality of the various components, they are able to elicit unexpected and previously unknown behavior from a piece of code. No matter how insignificant it appears, a security breach can have far-reaching implications if left unattended.

This is not the only issue in focus. Eliminating flawed coding practices and incorporating proper testing must not be ignored as security measures.

Apache Week tracks the vulnerabilities in Apache Server. For instance, consider the vulnerability which was found in the Win32 port of Apache 1.3.20. Because of it, a client submitting a very long URI could cause a directory listing to be returned rather than the default index page. This was subsequently fixed in Apache httpd 1.3.22.

Threat  

Some of the other vulnerabilities have been:

Remote DoS via IPv6: When a client requests that the FTP proxy connect to an FTP server with an IPv6 address, and the proxy is unable to create an IPv6 socket, an infinite loop occurs, causing a remote denial of service. This has been fixed in Apache httpd 2.0.47.

Remote DoS with multiple Listen directives: In a server with multiple listening sockets, a certain error returned by accept() on a rarely accessed port can cause a temporary denial of service, due to a bug in the prefork MPM. This has been fixed in Apache httpd 2.0.47.

APR remote crash: A vulnerability in the apr_psprintf function in the Apache Portable Runtime (APR) library allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long strings, as demonstrated using XML objects to mod_dav, and possibly other vectors. This has been fixed in Apache httpd 2.0.46.

Basic Authentication DoS: A build system problem in Apache 2.0.40 through 2.0.45 allows remote attackers to cause a denial of access to authenticated content when a threaded server is used. This has been fixed in Apache httpd 2.0.46.

Line feed memory leak DoS: Apache 2.0 versions before Apache 2.0.45 have a significant denial of service vulnerability. Remote attackers can cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed. This has been fixed in Apache httpd 2.0.45.

MS-DOS device names cause DoS: Apache versions before 2.0.44 on Windows do not correctly filter MS-DOS device names, which can lead to denial of service attacks and remote code execution. This has been fixed in Apache httpd 2.0.44.

Apache can serve unexpected files: On Windows platforms Apache could be forced to serve unexpected files by appending illegal characters such as '<' to the request URL. This has been fixed in Apache httpd 2.0.44.

Rewrite rules that include references allow access to any file: The Rewrite module, mod_rewrite, can allow access to any file on the web server. The vulnerability occurs only in certain specific cases of using regular expression references in RewriteRule directives: if the destination of a RewriteRule contains regular expression references, then an attacker will be able to access any file on the server. This has been fixed in Apache httpd 1.3.14.

start sidebar
Attacks against IIS
  • IIS is one of the most widely used Web server platforms on the Internet.

  • Microsoft's Web Server has been a frequent target over the years.

  • It has been attacked by various vulnerabilities. Examples include:

    1. ::$DATA vulnerability

    2. showcode.asp vulnerability

    3. Piggy-backing vulnerability

    4. Privilege command execution

    5. Buffer Overflow exploits (IIShack.exe)

end sidebar
 
Concept  

Basics

Let us look at some of the technology that forms the basis of web applications.

Simple HTML could not contribute much to the dynamic nature of interaction on the web. Therefore, dynamic capabilities were added by using Common Gateway Interface (CGI) applications. These applications ran on the server and generated dynamic content tailored to each request. This capability to process input and generate pages in real time greatly expanded the functional potential of a Web application.

However, as CGI programs were both discrete and resource intensive with each HTTP request, Microsoft introduced two distinct technologies to serve as the basis for Web applications: Active Server Pages (ASP) and the Internet Server Application Programming Interface (ISAPI).

ASP scripts are usually written in a human-readable scripting language like Visual Basic, and Microsoft asserts that the technology is largely language-neutral. The ASP interpreter is implemented as an ISAPI DLL.

ISAPI, on the other hand, is much less visible to end users. Quite naturally, Microsoft uses many ISAPI DLLs to extend IIS itself. ISAPI DLLs are binary files that are not exactly human-readable or given to human interpretation. However, if the user knows the name of an ISAPI DLL, it can be called via HTTP. They are capable of running inside or outside the IIS process (inetinfo.exe) and, once instantiated, remain resident, thereby reducing the overhead of spawning a new process for a CGI executable to service each request.


Internet Information Services (IIS) has been consistently targeted for attacks. Server administrators have been overwhelmed by more than 100 vulnerabilities discovered in IIS web servers in just the last few years alone. It has been seen that when a web server is attacked, the attacker usually tries to run certain commands or access certain files.

For instance, one popular command that an attacker is likely to run during the course of the attack is cmd.exe. Another file that is likely to be of interest to an attacker on IIS is global.asa, which often contains passwords or other sensitive information. Previously, many exploits on IIS have involved traversing directories, viewing server-side scripts, or running a remote command.
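The requests described above (cmd.exe invocation, reads of global.asa, directory traversal) are visible in IIS logs. The following detection script is an added example, not part of the courseware; the log lines are constructed in IIS W3C extended format, and the rules decode the URL before matching so that encoded traversal sequences are caught.

```python
# Added example (not from the courseware): flag IIS W3C-format log lines that
# match the request patterns the text describes: attempts to invoke cmd.exe,
# to read global.asa, to traverse directories, or to request an NTFS stream.
import re
from urllib.parse import unquote

# Constructed sample log (IIS W3C extended format, one request per line).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-05-01 10:00:01 192.0.2.10 GET /default.htm - 200
2003-05-01 10:00:02 192.0.2.10 GET /scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe - 200
2003-05-01 10:00:03 192.0.2.11 GET /global.asa - 403
2003-05-01 10:00:04 192.0.2.12 GET /msadc/showcode.asp source=/msadc/../../../boot.ini 200
2003-05-01 10:00:05 192.0.2.13 GET /images/logo.gif - 200
2003-05-01 10:00:06 192.0.2.14 GET /default.asp%3A%3A%24DATA - 200
"""

# Each rule: (name, regex applied to the fully decoded stem+query).
RULES = [
    ("cmd.exe invocation", re.compile(r"cmd\.exe", re.I)),
    ("global.asa access", re.compile(r"global\.asa\b", re.I)),
    ("directory traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("NTFS ::$DATA stream request", re.compile(r"::\$data", re.I)),
]


def decode_twice(s: str) -> str:
    """URL-decode twice so double-encoded sequences (e.g. %255c) are compared
    in their final form, which is how the server ends up interpreting them."""
    return unquote(unquote(s))


def parse_line(line: str):
    """Split one W3C log line into fields; None for directives/blank lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    _date, _time, ip, method, stem, query, status = parts[:7]
    return {"ip": ip, "method": method, "stem": stem,
            "query": "" if query == "-" else query, "status": status}


def scan_log(text: str):
    """Return a list of (client ip, rule name, decoded request) hits,
    in log order; a line matching several rules yields several hits."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        request = rec["stem"] + ("?" + rec["query"] if rec["query"] else "")
        request = decode_twice(request)
        for name, pattern in RULES:
            if pattern.search(request):
                hits.append((rec["ip"], name, request))
    return hits


if __name__ == "__main__":
    for ip, rule, req in scan_log(SAMPLE_LOG):
        print(f"{ip}: {rule}: {req}")
```

A real deployment would read the daily log files from the IIS log directory and alert on the source IPs, but the matching logic is the same.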

Threat  

Some of the popular vulnerabilities have been:

::$DATA IIS Vulnerability

Microsoft's Internet Information Server (IIS) contained a vulnerability in how it handles the multiple data streams NTFS provides for each file. The $DATA vulnerability, published in mid-1998, resulted from an error in the way the Internet Information Server parsed file names. $DATA is an attribute of the main data stream (which holds the "primary content") stored within a file on NT File System (NTFS). By creating a specially constructed URL, it was possible to use IIS to access this data stream from a browser.

By doing so the attacker could display the code of the file containing that data stream and any data that the file held. This method could be used to display a script-mapped file that could normally be acted upon only by a particular Application Mapping. The contents of these files are not ordinarily available to users. However, in order to display the file, the file must reside on the NTFS partition and must have ACLs set to allow at least read access; the unauthorized user must also know the file name. By appending the string ::$DATA, a remote user could view the contents of a file that is normally set to be acted upon by an Application Mapping, such as Active Server Pages (ASP). The attacker, however, must previously have read access to this file to view its contents. This attack could allow a user to read potentially proprietary and compromising script source. This vulnerability affected Microsoft IIS versions earlier than 3.0.

Showcode.asp [1]

Showcode.asp is a script that allows a web developer to easily view the code for a number of examples included with Internet Information Server. It comes under several different guises, including showcode.asp, viewcode.asp, and codebrws.asp among others. Essentially it lets the developer view the code of a server-side script without executing it. The problem is that it does not just stop at that because with some manipulation of the URL it lets an attacker view any file on the same drive as the script. With a little playing around one can easily compromise an entire server and any sensitive information it contains.

Showcode.asp is included as an example with the Microsoft Data Access Components that are installed with a number of products or that can be installed individually. The default install location is C:\Program Files\Common Files\SYSTEM\MSADC. In a web server, that subdirectory is also mapped as a virtual directory named MSADC off the web root.

Showcode.asp takes a single argument indicating the name of the file that is to be viewed. Though the sample code was initially intended to view code samples in the MSADC directory, a malicious user can start prodding by taking a path within MSADC and then use directory traversal to move up the directory tree and on to any path on the same drive. The vulnerability occurred because the sample script failed to check for the double-dot ("..") sequence in the script's argument, thereby making it exploitable.
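Both flaws above come down to a file-viewing handler accepting a name it never validated: a "..": traversal in the showcode.asp argument, and a "::$DATA" stream suffix in the ::$DATA case. The resolver below is an added example, not Microsoft's sample code; it uses the MSADC install path from the text as the base directory, the sub-path "Samples\SELECTOR\showcode.asp" is a constructed request, and it canonicalises with ntpath so it behaves the same on any platform.

```python
# Added example (not from the courseware or Microsoft's sample): a hardened
# version of a showcode.asp-style "view this file" handler. It confines the
# requested name to a base directory, refuses NTFS stream specifiers such as
# "::$DATA", and refuses MS-DOS device names, which Windows resolves specially.
import ntpath

# Base directory: the default MSADC install location given in the text.
MSADC_DIR = r"C:\Program Files\Common Files\SYSTEM\MSADC"

RESERVED_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL",
                         *(f"COM{i}" for i in range(1, 10)),
                         *(f"LPT{i}" for i in range(1, 10))}


class RejectedPath(ValueError):
    """Raised when a requested name must not be served."""


def resolve_sample_path(requested: str, base_dir: str = MSADC_DIR) -> str:
    """Map a user-supplied file name onto a canonical path inside base_dir.

    The check is done on the canonical form: normpath folds ".." and "/",
    so a name is judged by where it really lands, not by how it is spelled.
    """
    if not requested or "\x00" in requested:
        raise RejectedPath("empty name or embedded NUL")
    # In a relative name a ':' can only be a drive letter or an NTFS stream
    # specifier (the "name::$DATA" case); neither is a sample file.
    if ":" in requested:
        raise RejectedPath("drive or stream specifier in name")
    if requested.startswith(("\\", "/")):
        raise RejectedPath("absolute path not allowed")
    base = ntpath.normpath(base_dir)
    full = ntpath.normpath(ntpath.join(base, requested))
    # normcase lowercases and unifies separators for the containment test.
    base_cmp = ntpath.normcase(base)
    full_cmp = ntpath.normcase(full)
    # Must be strictly inside base_dir (the directory itself is not a file).
    if not full_cmp.startswith(base_cmp + "\\"):
        raise RejectedPath("path escapes the MSADC directory")
    # Device names are reserved with or without an extension (e.g. "con.asp").
    stem = ntpath.basename(full).split(".")[0].upper()
    if stem in RESERVED_DEVICE_NAMES:
        raise RejectedPath("MS-DOS device name")
    return full


def is_safe_request(requested: str) -> bool:
    """True if resolve_sample_path would serve the name, False if rejected."""
    try:
        resolve_sample_path(requested)
        return True
    except RejectedPath:
        return False
```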

Piggy-backing privileged command execution on back-end database queries (MDAC/RDS)

MDAC is a package used to integrate Web and database services. It includes the RDS component that provides remote access to database objects through IIS. By exploiting vulnerabilities in RDS, depending on the security posture of the website, attackers can send arbitrary SQL commands that manipulate the database or retrieve any desired information. In this specific case, the attacker can even gain administrative rights by embedding the Shell() VBA command into the SQL command and executing highly privileged system commands.

Buffer Overflow Vulnerabilities

A buffer is an area of memory within a program that is used to store data of some kind - for instance, information on the program's status, intermediate computational results, or input parameters. Before placing any data into a buffer, the program should always verify that the buffer is large enough to accommodate all of the data.

Otherwise, the data can overrun the buffer and overwrite neighboring data, having the effect of modifying the program while it's running. If the data that overruns the buffer is random data, it won't be valid program code, and the program will fail when it tries to execute the random data. On the other hand, if the data is valid program code, the program will execute the new code and perform some new function - one chosen by whoever supplied the data. Practically exploitable remote buffer overflows on Windows are rare, but on IIS the exploit scene is different. The first was the .htr buffer overflow exploit against IIS 4, discovered by eEye Digital Security in June 1999. On IIS, the severity of buffer overflows is high: because IIS runs under the SYSTEM account context, buffer overflow exploits often allow arbitrary commands to be run as SYSTEM on the target system.

Some of the buffer overflows that have been seen are:

  • Internet Printing Protocol (IPP) buffer overflow

  • Indexing services ISAPI extension buffer overflow

  • Code Red Worm

  • FrontPage 2000 server extension buffer overflow

start sidebar
IIS Components
  • IIS relies heavily on a collection of DLLs that work together with the main server process, inetinfo.exe, to provide various capabilities.

  • Example: Server side scripting, Content Indexing, Web Based printing etc.

  • This architecture provides attackers with different functionality to exploit via malicious input.

end sidebar
 
Note  

IIS relies heavily on a collection of DLLs that work together with the main server process, inetinfo.exe, to provide various capabilities. Examples: server-side scripting, content indexing, Web-based printing, etc. This architecture provides attackers with different functionality to exploit via malicious input. On an IIS Web server with no service packs or hot fixes applied, there are far too many ways that a command shell can be invoked through inetinfo.exe, the IIS process. Yet there is no legitimate reason for inetinfo.exe to be invoking a shell.

IIS consists of several components. These include:

  • Background Intelligent Transfer Service (BITS) server extension: BITS is a background file transfer mechanism used by applications such as Windows Updates and Automatic Updates.

  • Common Files: On a dedicated Web server, these files are required by IIS and must always be enabled.

  • File Transfer Protocol (FTP) Service: Allows the Web server to provide FTP services. This component is not required on a dedicated Web server. However, this may be enabled on a server that is only used for posting content, to support software such as Microsoft FrontPage 2002 without enabling FrontPage 2002 Server Extensions. Because the FTP credentials are always sent in plaintext, it is recommended to connect to FTP servers through a secured connection, such as those provided by IPSec or a VPN tunnel.

  • FrontPage 2002 Server Extensions: Provides FrontPage support for administering and publishing Web sites. On a dedicated Web server, this must be disabled when no Web sites are using FrontPage Server Extensions.

  • Internet Information Services Manager: Administrative interface for IIS. This is to be disabled when the Web server is not administered locally.

  • Internet Printing: Provides Web-based printer management and allows printers to be shared by using HTTP. This component is usually not required on a dedicated Web server.

  • NNTP Service: Distributes, queries, retrieves, and posts Usenet news articles on the Internet. This component is not required on a dedicated Web server.

  • SMTP Service: Supports the transfer of electronic mail. This component is not required on a dedicated Web server.

  • World Wide Web Service: Provides Internet services, such as static and dynamic content, to clients. This component is required on a dedicated Web server. If this component is not enabled, then none of its subcomponents are enabled.

    • Active Server Pages: Provides support for Active Server Pages (ASP). Disable this component if none of the Web sites or applications on the Web server uses ASP.

    • Internet Data Connector: Provides support for dynamic content provided through files with .idc extensions. Disable this component if none of the Web sites or applications on the Web server includes files with .idc extensions.

    • Remote Administration (HTML): Provides an HTML interface for administering IIS. Use IIS Manager instead to provide easier administration and to reduce the attack surface of the Web server. This component is not required on a dedicated Web server.

    • Remote Desktop Web Connection: Includes Microsoft ActiveX controls and sample pages for hosting Terminal Services client connections. Use IIS Manager instead to provide easier administration and to reduce the attack surface of the Web server. This component is not required on a dedicated Web server.

    • Server-Side Includes: Provides support for .shtm, .shtml, and .stm files. Disable this component if none of the Web sites or applications on the Web server includes files with these extensions.

    • WebDav Publishing: Web Distributed Authoring and Versioning (WebDAV) extends the HTTP/1.1 protocol to allow clients to publish, lock, and manage resources on the Web. Disable this component on a dedicated Web server.

    • World Wide Web Service: Provides Internet services, such as static and dynamic content, to clients. This component is required on a dedicated Web server.

start sidebar
ISAPI DLL Buffer Overflows
  • One of the most extreme security vulnerabilities associated with ISAPI DLLs is the buffer overflow.

  • In 2001, IIS servers were ravaged by versions of the Code Red and Nimda worms which were both based on buffer overflow exploits.

end sidebar
 
Note  

ISAPI - Introduction

Internet Server Application Programming Interface (ISAPI) is an API developed to provide the application developers with a powerful way to extend the functionality of Internet Information Server (IIS). ISAPI allows web developers to develop custom code that provides additional web services. This custom code can either be implemented in an ISAPI filter, if the new functionality provides a low-level service, or conversely an ISAPI extension, if the new functionality provides a high-level service. Although ISAPI extensions are not limited to IIS, they are extensively used in conjunction with web servers.

[1] Mark Burnett "Showcode.asp - A lesson in Internet Security"




Staff of EC-Council - Ethical Hacking Student Courseware. Certified Ethical Hacker - Exam 312-50 (EC-Council E-Business Certification Series)
Year: 2003
Pages: 109