[Intrusions] Would IIS auth prevent buffer overflow attac
Roger A. Grimes
roger at banneretcs.com
Sat Aug 27 20:22:32 GMT 2005
--See below.
--Sorry for the late reply, I've been traversing countries a lot these
days.
-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of Stephen Shepherd
Sent: Thursday, August 25, 2005 11:16 AM
To: intrusions at lists.sans.org
Subject: Re: [Intrusions] Would IIS auth prevent buffer overflow attac
This particular installation is IIS6. I agree that auth would not limit
the exploit of other services.
Assuming anonymous access is not allowed and the attacker could
successfully authenticate. However I am thinking that if Auth is enabled
then:
1.) w/o credentials the attack would have to be against the auth module
--again, all web requests are authenticated...either against a real
account or the IUSR account, so if all things are equal, buffer overflow
will be equally as likely against any encountered/involved
files/services.
2.) the server would be better protected against mindless worms that
just scan and exploit
--Maybe, maybe not. Overall, it's probably easier to secure a completely
anonymous web site than one that requires real logon names and
passwords.
--Another good hint is to require a host header on your web site (ex.
www.example.com). Most worms and scanning tools work on IP addresses, so
requiring that all HTTP requests use the formal URL will decrease
many/most automated attacks.
You mention http.sys. Are you saying that this driver pre-processes all
requests? If that is the case both http.sys and the auth module would
be potential targets. Correct?
--Yes, http.sys pre-processes all requests. Yes on both accounts, but
remember auth is being called regardless because IUSR account is
authenticating.
Roger
***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Consultant
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, CHFI, TICSA
*email: roger at banneretcs.com
*cell: 757-615-3355
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
****************************************************************************
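Roger's advice to require a host header also suggests a detection check. As an added example that is not part of the thread, this Python script parses constructed IIS 6 W3C log lines (the cs-host field is assumed to be enabled in site logging, and www.example.com is the assumed formal site name) and flags requests that addressed the server by IP literal or with no Host header, the pattern of the IP-scanning worms and tools he describes.

```python
import ipaddress
from collections import Counter

# Constructed sample of IIS 6 W3C extended log lines (not taken from the
# thread); the cs-host column is assumed to be enabled for the site.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-host
2005-08-25 10:01:02 203.0.113.7 GET /default.htm 200 www.example.com
2005-08-25 10:01:05 198.51.100.9 GET /scripts/a.dll 404 192.0.2.10
2005-08-25 10:01:06 198.51.100.9 GET /cgi-bin/b.exe 404 192.0.2.10
2005-08-25 10:01:09 203.0.113.8 GET /index.asp 200 www.example.com
2005-08-25 10:01:11 198.51.100.12 GET / 200 -
"""

EXPECTED_HOSTS = {"www.example.com"}  # assumed formal name of the site


def parse_w3c(text):
    """Yield one dict per record, using the #Fields directive for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record seen before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def classify_host(host):
    """Return 'fqdn', 'ip', 'missing' or 'other' for a cs-host value."""
    if host in ("-", ""):
        return "missing"
    # Drop a single ":port" suffix; a bare IPv6 literal has several colons.
    name = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(name)
        return "ip"
    except ValueError:
        return "fqdn" if name.lower() in EXPECTED_HOSTS else "other"


def flag_ip_addressed(text):
    """Return (client, uri, host, kind) for requests not sent to a known site name."""
    return [(r["c-ip"], r["cs-uri-stem"], r["cs-host"], classify_host(r["cs-host"]))
            for r in parse_w3c(text) if classify_host(r["cs-host"]) != "fqdn"]


def summarize(text):
    """Count records by how the request addressed the server."""
    return Counter(classify_host(r["cs-host"]) for r in parse_w3c(text))
```

Requests classified as "ip" or "missing" are exactly the ones a host-header requirement would turn away; reviewing them before enabling the binding shows which legitimate clients (monitoring, internal links by IP) would need adjusting.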