
IIS Service Pack - 404
Hi Guys..

The 404 service pack detection method seems to be pretty useless against
IIS6.

We did a quick check to see if there was an obvious way to use IIS to
determine if we were facing an SP1 or SP0.

With very limited testing, we found that while SP0 correctly follows
RFC2616 using CR LF as an end of line marker, SP1 will also honor just
NL as an end of line marker.

This gives us a fairly trivial way to distinguish between SP0 and SP1:

-snip-
intwocrastic:~$ perl -e 'print "HEAD / HTTP/1.0\n\r\n";' | nc -v iis6_sp0 80
HTTP/1.1 400 Bad Request
...

intwocrastic:~$ perl -e 'print "HEAD / HTTP/1.0\n\r\n";' | nc -v iis6_sp1 80
HTTP/1.1 200 OK
...

-snip-

For now I have added this as a diff to iis_ver_check.nasl (.diff and
.nasl attached).

It seems to work reliably on all of the boxes I have tested it on, but I
suspect it could get mixed results with inline filtering devices
mangling inline content.

Please let me know if it fails horribly :>

/mh

-snip-
--- iis_ver_check.nasl 2006-05-17 13:41:29.000000000 +0200
+++ iis_ver_check_mh.nasl 2007-01-08 21:58:04.000000000 +0200
@@ -22,6 +22,9 @@
return values (Content-Length) within the IIS Servers 404 error message.
As such, the test can not be totally reliable and should be manually
confirmed.

+Caveat2: To determine IIS6 patch levels a simple test is done based on
strict RFC2616
+compliance. It appears as if IIS6-SP1 will accept CR as an end of line
marker instead of
+both CR & LF.

Solution: Ensure that the server is running the latest stable Service Pack
Risk factor : High";
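Review bot: the new Caveat2 text states the opposite of what the probe actually sends. The request line in the mail body and in the added `a = string("HEAD / HTTP/1.0\n\r\n");` ends in a bare LF (NL), and the mail says SP1 honours NL alone, so the caveat should say that IIS6-SP1 accepts LF as an end-of-line marker instead of the full CR LF, not CR. Suggest rewording to "It appears as if IIS6-SP1 will accept a bare LF as an end of line marker instead of CR LF." so the description matches the code.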
@@ -105,10 +108,21 @@

if(v6)
{
- if (2166 == cl)
- ver = ver + string("Microsoft IIS 6.0 - SP0\n");

- if (1635 == cl)
- ver = ver + string("Microsoft IIS 6.0 - w2k3 build 3790\n");
+ #if (2166 == cl)
+ #ver = ver + string("Microsoft IIS 6.0 - SP0\n");

+ #if (1635 == cl)
+ #ver = ver + string("Microsoft IIS 6.0 - w2k3 build
3790\n");
+
+ a = string("HEAD / HTTP/1.0\n\r\n");
+ soc = http_open_socket(port);
+ if(soc)
+ {
+ send(socket:soc, data: a);
+ r = recv(socket:soc, length:4096);
+ if(r =~ "200 OK") ver = ver + string("Microsoft IIS 6.0
- SP1\n");
+ if(r =~ "400 Bad Request") ver = ver +
string("Microsoft IIS 6.0 - SP0\n");
+ }
+
}

if ( ver != "The remote IIS server *seems* to be " )
security_note(port:port, data:ver);
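Review bot: the socket opened with `http_open_socket(port)` is never closed after `recv()`; add `http_close_socket(soc);` at the end of the `if(soc)` block so the plugin does not leak a connection on every IIS6 host it scans. The two matches `r =~ "200 OK"` and `r =~ "400 Bad Request"` also run over the whole 4096-byte buffer rather than the status line, so any header or body text containing either string (exactly what the inline filtering devices mentioned in the mail could inject) misclassifies the host, and if both strings appear the plugin appends two contradictory versions; anchoring on the first line, e.g. `r =~ "^HTTP/1\.[01] 200"`, is more robust. Finally, the old Content-Length checks are left in as `#` comments instead of being deleted; either remove the dead code or keep it live as a fallback for the case where neither status matches.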

-snip-


--
Haroon Meer, SensePost Information Security
PGP: http://www.sensepost.com/pgp/haroon.txt
Tel: +27 83786 6637