[Intrusions] Would IIS auth prevent buffer overflow attacks

Stephen Shepherd drew600_1999 at yahoo.com
Thu Aug 25 15:15:54 GMT 2005


This particular installation is IIS6.  I agree that
auth would not limit the exploit of other services. 
Assuming anonymous access is not allowed and the
attacker could successfully authenticate. However I am
thinking that if Auth is enabled then:

1.) w/o credentials the attack would have to be
against the auth module
2.) the server would be better protected against
mindless worms that just scan and exploit

Of course auth does not mitigate the need for patching
and monitoring of the server.  I am just thinking it
might help.  Especially if anonymous access to the web
site is not needed.  The time between patch and
exploit is shrinking and I am thinking this might buy
us a little better protection.

You mention http.sys.  Are you saying that this driver
pre-processes all requests?  If that is the case both
http.sys and the auth module would be potential
targets.  Correct?


-----Original Message-----

[Note: I'm far from an IIS security expert]

There are many other issues that the different forms
of authentication can address or risks that can be
increased or decreased depending on the authentication
you use, but overall, I don't think buffer overflow
risk would be impacted much.

First, you have to let me know if it is IIS 5 or IIS 6
you're talking about. In IIS 6, one driver does all
the initial testing (http.sys).
After years of hacking trying, it appears to be highly
resistant to buffer overflow attacks. After that it
depends more on the type of traffic, the services, and
the applications offered. After being examined by
Http.sys, the request gets handed off to the
appropriate web pool and application. If your web site
offers up more services (e.g.
ASP.NET, WebDAV, SQL, etc.) then the buffer overflow
might have additional chances to cause a buffer
overflow in more likely locations.

Authentication-wise, your web site is using
authentication even if you only use anonymous
authentication. It has an associated account
(IUSR_machine or otherwise) that goes through
authentication as if it were a normal user account.
IIS authentication applies and NTFS permissions apply.
Behind the scenes the authentication types used do
make some changes (because the different
authentication methods have different rights and are
slightly addressed differently), but the same files
are involved. 

Buffer overflow risk depends on the files involved and
the security principal accounts they are running in.

Important to IIS buffer overflows are the security
contexts the IIS system files are running in and the
web pool identity used. If a malicious hacker causes a
buffer overflow in IIS, they are going to get the
security rights of the process overflowed or the web
application pool identity. These don't change
automatically because of the authentication type you
use, but certainly reviewing them and making sure they
are secure can have a big effect on your IIS security.

Roger

-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf
Of Stephen Shepherd
Sent: Wednesday, August 24, 2005 7:47 PM
To: intrusions at lists.sans.org
Subject: [Intrusions] Would IIS auth prevent buffer
overflow attacks

If IIS authentication were enabled on a web server
would it prevent buffer overflow attacks unless the
attacker had valid credentials?
 
I would think that the web server would not process
the initial get request until it had successfully
authenticated the client??
 
Just curious if this would add any protection to a www
site..
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
