AQTRONIX Security Advisory AQ-2003-02
=====================================

Topic: Microsoft IIS Logging Failure

Release date: 28 December 2003

Affected Systems: IIS 5.0 (previous versions not tested)
Not Affected Systems: IIS 6.0

Category: Failure to log certain activity, information disclosure
          without notice

Vendor URL: https://www.microsoft.com

Author: Parcifal Aertssen

This document (and updates) is available at:
https://www.aqtronix.com/Advisories/AQ-2003-02.txt


Introduction
============

The HTTP protocol consists of requests and responses. Requests are
sent from the clients (browsers) and they always start with a certain
keyword (verb). The most common request is a "GET" request, but there
are many more of these verbs, all of them are well documented within
the RFCs. But one of these verbs that Microsoft uses is not: it's the
"TRACK" request. The TRACK request returns the original request as an
entity (with a content-type of "message/http" and the returned body
contains your original request), just like a TRACE request. The TRACE
request is RFC compliant and well documented, the TRACK request is
not RFC compliant and not documented (only one page mentions this verb
in the MSDN library with no explanation).


Details
=======

Making an HTTP request with the verb TRACK is not being logged. This
makes it quite critical because it can be used to produce a lot of
traffic and to get the 'Server' header and other valuable information.
Furthermore because the TRACK request is the same as a TRACE request,
all known problems with TRACE requests also apply for this verb.
The most important issue with a TRACE request is cross-site
tracing (XST): a malicious web page or e-mail can send a TRACE/TRACK
request to another website (by using client side scripting) and by
analysing the response it can have access to your credentials and
your cookies on that site (think: session hijacking, passwords,...).
All unpatched and future exploits that work with a TRACE request,
should also work with the TRACK request but this time without being
logged, making it ideal for probing vulnerable IIS systems.

IIS 6 is not vulnerable. The IIS team probably found the bug and
removed it silently and didn't care about patching previous
versions of IIS because that's not part of their Trustworthy
Computing Initiative.


Exploit
=======

You can reproduce the problem using a tool like netcat and send the
following line, followed by two CRLF pairs:
TRACK / HTTP/1.0

You will see the response from IIS (just like a TRACE request), but
you won't find this in the IIS log files.


Vendor Response
================

I did not contact Microsoft about this vulnerability, because they
did not acknowledge me for my previous discovery. I found the ASP
Headers DoS (MS03-018) and received a private patch after 2 months.
They decided to release the patch in a cumulative one, even though
they had a patch ready. I thought this was a positive thing, the
less patches, the less work for me too. So I waited another 3 months
and still no word from Microsoft. When almost 6 months had passed,
I decided to go public, because I waited until "Microsoft could fix
the problem before malicious users even knew it existed", as it says
in their policy, they COULD have fixed it. One month later the
cumulative patch was released, but no acknowledgement for me. I told
Microsoft about their mistake and I told them I had other
vulnerabilities waiting, with no results, they simply ignored me.
So I decided to change my policy and release at least one advisory
without reporting anything to them.


Solution
========

Users running AQTRONIX WebKnight are protected from the first day
they installed it, people using Microsoft urlscan should add the
TRACK verb to the DenyVerbs section and make sure it is not in the
AllowVerbs section in the urlscan.ini file.

AQTRONIX WebKnight can be downloaded at:
https://www.aqtronix.com/webknight/


History
=======

2003.01.02 Found the vulnerability.
2003.05.29 Decided not to mail it to Microsoft
2003.12.28 Released initial advisory


Disclaimer
==========

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind.

AQTRONIX is not liable for any direct or indirect damages caused as a result
of using the information or demonstrations provided in any part of this
advisory.