[Intrusions] Would IIS auth prevent buffer overflow attacks

Roger A. Grimes roger at banneretcs.com
Thu Aug 25 08:00:17 GMT 2005


[Note: I'm far from an IIS security expert]

There are many other issues that the different forms of authentication
can address or risks that can be increased or decreased depending on the
authentication you use, but overall, I don't think buffer overflow risk
would be impacted much.

First, you have to let me know if it is IIS 5 or IIS 6 you're talking
about. In IIS 6, one driver does all the initial testing (http.sys).
After years of hackers trying, it appears to be highly resistant to
buffer overflow attacks. After that it depends more on the type of
traffic, the services, and the applications offered. After being
examined by Http.sys, the request gets handed off to the appropriate web
pool and application. If your web site offers up more services (e.g.
ASP.NET, WebDAV, SQL, etc.) then the buffer overflow might have
additional chances to cause a buffer overflow in more likely locations.

Authentication-wise, your web site is using authentication even if you
only use anonymous authentication. It has an associated account
(IUSR_machine or otherwise) that goes through authentication as if it
were a normal user account. IIS authentication applies and NTFS
permissions apply. Behind the scenes the authentication type used does
make some changes (because the different authentication methods have
different rights and are addressed slightly differently), but the same
files are involved. 

Buffer overflow risk depends on the files involved and the security
principal accounts they are running in.

Important to IIS buffer overflows are the security contexts the IIS
system files are running in and the web pool identity used. If a
malicious hacker causes a buffer overflow in IIS, they are going to get
the security rights of the process overflowed or the web application
pool identity. These don't change automatically because of the
authentication type you use, but certainly reviewing them and making
sure they are secure can have a big effect on your IIS security.

Roger

-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of Stephen Shepherd
Sent: Wednesday, August 24, 2005 7:47 PM
To: intrusions at lists.sans.org
Subject: [Intrusions] Would IIS auth prevent buffer overflow attacks

If IIS authentication were enabled on a web server would it prevent
buffer overflow attacks unless the attacker had valid credentials?
 
I would think that the web server would not process the initial get
request until it had successfully authenticated the client??
 
Just curious if this would add any protection to a www site..