Exploiting, Abusing, and Securing the FrontPage Server Extensions on Windows Server 2003

Contents

Slide 2

FrontPage: 2003

Exploiting, Abusing, and Securing the FrontPage Server Extensions on Windows Server 2003
Mark Burnett

Slide 3

Background

History of the FPSE
Different names, same old holes
What products include FPSE?

Slide 4

Risks

Are the FPSE as insecure as everyone says?
What are the real risks?
Increased attack surface
Entry point
Information gathering
Running on system partition
Insufficient logging
Storing files within the web root

Slide 5

Risks

What are some greater risks?
Confusing security model
Running in-process with inetinfo.exe
Relaxed NTFS permissions
Cannot be secured without NTFS

Slide 6

The FPSE Files

The same files?
_vti_bin/shtml.dll
_vti_bin/_vti_aut/author.dll
_vti_bin/_vti_adm/admin.dll
FPSE 2002
_vti_bin/owssvr.dll
_vti_bin/_vti_adm/fpadmdll.dll

Slide 7

FPSE Directories

_vti_bin – FPSE Binaries
_private -
_vti_cnf
_vti_pvt
_vti_script
_vti_txt

Slide 8

Decoding vti_rpc

Sending vti_rpc methods
POST to FPSE binaries
GET to owssvr.dll
Multiple posts using CAML
Interpreting output

Slide 9

Sample Output

vermeer RPC packet
method=list services:4.0.2.0
services_list=
  • SR|msiis
  • vti_usagevisitsbyweek
  • UX|337 380 423 501 297
  • vti_usagebymonth
  • UX|88 4195 2667 3497 90
  • vti_welcomenames
  • VX|Default.htm Default.asp Default.aspx
  • vti_adminurl
  • SR|/_vti_bin/_vti_adm/fpadmdll.dll
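
An added example (not from the original slides or the author's tools): a small parser for the key/value listing in the sample output above, for reviewing what a server discloses in a `list services` response. The sample text is constructed from the slide; the two-character prefix before `|` is kept as an opaque tag because the slides do not define it, the first value has no key on the slide and is stored under a placeholder, and the `SENSITIVE` set is an assumption.

```python
# Added example: parse the FPSE "list services" listing shown on the slide.
# SAMPLE is constructed from the slide text; it is not captured traffic.
SAMPLE = """\
vermeer RPC packet
method=list services:4.0.2.0
services_list=
  • SR|msiis
  • vti_usagevisitsbyweek
  • UX|337 380 423 501 297
  • vti_usagebymonth
  • UX|88 4195 2667 3497 90
  • vti_welcomenames
  • VX|Default.htm Default.asp Default.aspx
  • vti_adminurl
  • SR|/_vti_bin/_vti_adm/fpadmdll.dll
"""

# Keys a reviewer may not want exposed (an assumption for this example,
# chosen from the keys visible in the sample output).
SENSITIVE = {"vti_adminurl", "vti_usagevisitsbyweek", "vti_usagebymonth"}

def parse_listing(text):
    """Return (header, meta): header holds 'name=value' lines, meta maps
    each key to (tag, value). The tag before '|' is kept opaque because
    the slides do not define it."""
    header, meta, pending_key = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):      # banner or name=value header line
            name, sep, value = line.partition("=")
            if sep:
                header[name] = value
            continue
        item = line.lstrip("•").strip()
        if len(item) > 2 and item[2] == "|" and item[:2].isalpha():
            value = item[3:]              # space-separated values become a list
            meta[pending_key or "(no key on slide)"] = (
                item[:2], value.split() if " " in value else value)
            pending_key = None
        else:
            pending_key = item            # a key line; its value follows
    return header, meta

def disclosed(meta):
    """Sorted list of sensitive keys present in the parsed listing."""
    return sorted(k for k in meta if k in SENSITIVE)
```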

Slide 10

Cool vti_rpc Tricks

Finding unprotected web sites
Listing webs
Other info gathering
method=list+services:4.0.2.0000&service_name=

Slide 11

vti_rpc Exploits

New exploits to be announced

Slide 12

Other Exploits

New exploits to be announced

Slide 13

Updating the FPSE

Finding product updates
Confusing and inconsistent
Manual fixes

Slide 14

Manual Fixes

Htimage.exe and Imagemap.exe
Microsoft’s solution
Another Microsoft solution
The real solution?

Slide 15

The Security Model

Browse, Author, and Administer
NTFS Permissions on web root
Common Mistakes

Slide 16

Installing & Uninstalling

Why are the directories there on a clean install?
Why won’t they uninstall?
How do you remove them?

Slide 17

Moving the FPSE

1. Move the binaries
2. Update the registry
3. Update the metabase

Slide 18

Securing the FPSE

The FPSE can be used safely if you:
Secure user accounts
Set proper NTFS permissions
Set proper IIS permissions
Configure the registry defaults
Keep patched
Use SSL for authoring
Manage log files
Set IP Restrictions

Slide 19

Advanced Techniques

Mirror sites
URLScan Rules
Custom ISAPI filter
FPSE neutered
NTFS restrictions
Remove directories
Disable authoring

Slide 20

FPSE Intrusions

Spotting attacks
Log entries
Other trails
FPSE vs. WebDAV
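
An added example for the "Log entries" point (not from the original slides or the author's tools): scan an IIS W3C extended log for requests to the FPSE binaries listed on the FPSE Files slide and summarise them per client. The log lines are constructed sample data, and the role labels (`rpc`, `author`, `admin`) are an assumption inferred from the directory names.

```python
# Added example: flag requests to the FPSE binaries in an IIS W3C log.
# LOG is constructed sample data (documentation IP ranges), not a real log.
LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2003-07-30 10:01:02 192.0.2.10 - GET /default.htm - 200
2003-07-30 10:01:05 192.0.2.10 - POST /_vti_bin/shtml.dll/_vti_rpc - 200
2003-07-30 10:01:09 192.0.2.10 - POST /_vti_bin/_vti_aut/author.dll - 401
2003-07-30 10:01:11 192.0.2.10 webdev POST /_vti_bin/_vti_aut/author.dll - 200
2003-07-30 10:02:40 198.51.100.7 - POST /_vti_bin/_vti_adm/admin.dll - 401
2003-07-30 10:03:00 198.51.100.7 - GET /_vti_bin/owssvr.dll - 200
"""

# Paths are the ones on the FPSE Files slide; role labels are assumed.
FPSE_BINARIES = {
    "/_vti_bin/shtml.dll": "rpc",
    "/_vti_bin/_vti_aut/author.dll": "author",
    "/_vti_bin/_vti_adm/admin.dll": "admin",
    "/_vti_bin/owssvr.dll": "rpc",
    "/_vti_bin/_vti_adm/fpadmdll.dll": "admin",
}

def fpse_hits(log_text):
    """Yield one dict per request whose URI stem targets an FPSE binary."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the header may recur mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()
        for path, role in FPSE_BINARIES.items():
            if stem == path or stem.startswith(path + "/"):
                yield {"ip": row.get("c-ip"), "user": row.get("cs-username"),
                       "role": role, "status": row.get("sc-status")}
                break

def summarize(log_text):
    """Per client IP: FPSE request count, denied (401/403) count, roles touched."""
    out = {}
    for hit in fpse_hits(log_text):
        s = out.setdefault(hit["ip"], {"requests": 0, "denied": 0, "roles": set()})
        s["requests"] += 1
        s["denied"] += hit["status"] in ("401", "403")
        s["roles"].add(hit["role"])
    return out
```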

Slide 21

Snort Rules

Updated Snort rules
Logging FPSE authoring with Snort

Slide 22

FrontPage Tools

Xfp.pl – FrontPage security scanner
Fpseinfo.pl – FrontPage info gathering
SecureFPSE.cmd – Harden FrontPage Server Extensions
fpBlock – ISAPI filter for FrontPage IP restrictions

Slide 23

Xfp.pl

Slide 24

Fpseinfo.pl

Returns FPSE information
- Web server platform
- Anonymous user account
- Site statistics
- Hidden directories
- More