Re: Windows 2003 IIS IP Binding - Bad default behaviour/security problem ...
From: Russ (Russ.CooperRC.ON.CA)
Date: Wed Aug 06 2003 - 09:38:40 CDT
Jannie Hanekom, Joseph P. Migliozzi, Tom Yergeau, Alun Jones, Brett Hill, and Mark Burnett all contributed to this summary. Thanks to all of the others who also responded.
Socket pooling is the cause of the issues observed by David Connors. For IIS 5.0 you have to alter the value of the DisableSocketPooling entry in the Metabase:
How to Disable Socket Pooling in IIS 5.0
In IIS 6.0, this entry has no effect. Instead, you have to use a new utility, called HTTPCFG.EXE, to alter the parameters of the HTTP.SYS driver:
Some Related Articles:
ISA Server and Windows 2003
Here are some additional comments by various people:
Alun Jones said:
Known variously as either "connection pooling", "socket pooling" or "address pooling", this is because the server, instead of binding to each of several addresses in turn, uses one socket, bound to the pseudo-address of 0.0.0.0, meaning "all addresses on this computer". It then parcels out incoming socket connections to whichever web site it is that they are destined for. It's a relatively common feature, and not just on Windows systems.
Brett Hill said:
Yes, the driver is always listening and it binds to all IP addresses by default just like IIS 5 did with socket pooling. You can disable this by configuring the IP inclusion list with the httpcfg tool in the tools folder.
However, you will then have to use this tool anytime you want to mess with IP addresses on the server as http.sys will then only listen to addresses configured with the tool. As I understand it, the primary purpose of the tool is to allow you to host another service using port 80 on the server other than IIS.
In the event of an exploit on http.sys, offhand, since the target isn't the website, it doesn't seem to matter if it's against an IP address that website is configured for or not; it would still be exploitable.
Mark Burnett said:
One of the problems with IIS 4 was that each site had its own IP address and its own socket, which used up a lot of nonpaged RAM, limiting the number of sites that could be created on a single machine. IIS 5 and IIS 6 fix this by pooling sockets across all IP addresses assigned to the system, which also opens up port 80 on all assigned IP addresses.
This is the most efficient and scalable configuration, but is probably not the most secure configuration. Socket pooling is supposed to allow 2-3 times as many web sites using different IP addresses on a single server. It also prevents you from using port 80 for anything else but IIS.
You can disable socket pooling in IIS 5 by changing the metabase with this command:
adsutil.vbs set w3svc/DisableSocketPooling true
You can also set this property for specific web sites that you do not want pooled.
Since IIS 6 does not use the Winsock API like IIS 5 does, and therefore doesn't use sockets, the DisableSocketPooling metabase key has no effect (although it is still there for some reason). To accomplish the same thing in IIS 6, use the httpcfg tool (one of the Windows Support Tools):
httpcfg set iplisten -i <ip you want to listen on>:<port>
Russ - NTBugtraq Editor
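As an added check, not part of the original post or of the httpcfg/adsutil documentation: a Python script that parses `netstat -ano`-style listener output and reports whether the HTTP listener is bound to the 0.0.0.0 pseudo-address described above, which host addresses that actually exposes on port 80, and which `httpcfg set iplisten -i <ip>:<port>` commands would restrict HTTP.SYS to the intended set. The netstat sample, the host address list and the intended-address list are constructed for the example (192.0.2.x is documentation space), and the PID 4 entry stands for the System process under which the kernel HTTP listener appears.

```python
"""Audit listener bindings for the 'socket pooling' / wildcard-bind condition.

Constructed example: parses netstat -ano style output, flags HTTP listeners
bound to 0.0.0.0 (all addresses), computes which host addresses that exposes,
and emits the httpcfg iplisten commands that would narrow the listener.
"""
import re
from typing import Dict, Iterable, List, Set

WILDCARD = "0.0.0.0"  # pseudo-address meaning "all addresses on this computer"

# Constructed sample in the layout of Windows `netstat -ano`; not a real capture.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    192.0.2.10:443         0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:3389        0.0.0.0:0              LISTENING       1448
  TCP    192.0.2.10:1052        198.51.100.7:80        ESTABLISHED     2200
"""

# Constructed: every address assigned to the (hypothetical) server's NICs.
HOST_ADDRESSES = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]

# Only TCP LISTENING rows are of interest; ESTABLISHED rows and the header are skipped.
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>[\d.]+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)


def parse_listeners(netstat_output: str) -> List[Dict]:
    """Return one dict per TCP listener: local address, port and owning PID."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append(
                {"addr": m["addr"], "port": int(m["port"]), "pid": int(m["pid"])}
            )
    return listeners


def wildcard_listeners(listeners: List[Dict], ports: Iterable[int] = (80, 443)) -> List[Dict]:
    """Listeners on the given ports that are bound to every address (0.0.0.0)."""
    wanted = set(ports)
    return [l for l in listeners if l["port"] in wanted and l["addr"] == WILDCARD]


def exposed_addresses(listeners: List[Dict], host_addresses: Iterable[str], port: int) -> Set[str]:
    """Host addresses on which `port` answers: a wildcard bind exposes all of them."""
    hosts = set(host_addresses)
    exposed: Set[str] = set()
    for l in listeners:
        if l["port"] != port:
            continue
        if l["addr"] == WILDCARD:
            exposed |= hosts
        elif l["addr"] in hosts:
            exposed.add(l["addr"])
    return exposed


def unintended_exposure(listeners: List[Dict], host_addresses: Iterable[str],
                        intended: Iterable[str], port: int) -> Set[str]:
    """Addresses serving `port` that the operator did not intend to serve it on."""
    return exposed_addresses(listeners, host_addresses, port) - set(intended)


def httpcfg_commands(intended: Iterable[str], port: int) -> List[str]:
    """IIS 6.0 / HTTP.SYS inclusion-list commands that restrict the listener (syntax from the post)."""
    return [f"httpcfg set iplisten -i {ip}:{port}" for ip in sorted(set(intended))]


if __name__ == "__main__":
    ls = parse_listeners(SAMPLE_NETSTAT)
    for w in wildcard_listeners(ls):
        print(f"port {w['port']} (PID {w['pid']}) is bound to {WILDCARD}: all host addresses answer")
    intended = {"192.0.2.10"}  # constructed: the one address the web site should use
    extra = unintended_exposure(ls, HOST_ADDRESSES, intended, 80)
    print("unintended port-80 exposure:", sorted(extra))
    for cmd in httpcfg_commands(intended, 80):
        print("remediation:", cmd)
```

On a real IIS 6.0 host the same logic applies to the output of `netstat -ano`; once the inclusion list is set, every address the server should serve must be added with the tool, as Brett Hill's note above points out, so re-running the check after any IP change is the useful habit.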