IRM 006: The configuration of Microsoft URLScan can be enumerated when implemented in conjunction with RSA SecurID
From: "IRM Advisories" <advisories () irmplc com>
Date: Thu, 14 Aug 2003 10:58:58 +0100

----------------------------------------------------------------------------

IRM Security Advisory No. 006

The configuration of Microsoft URLScan can be enumerated when implemented in
conjunction with RSA SecurID

Vulnerability Type / Importance: Information Leakage / High

Problem discovered: July 18th 2003
Microsoft contacted: July 18th 2003
RSA contacted: August 11th 2003
Advisory published: August 13th 2003

----------------------------------------------------------------------------


Abstract:

URLScan is an ISAPI filter, provided by Microsoft, that performs various
checks on HTTP requests sent to a web server. It can be configured to block
access to various file extensions, HTTP methods and potentially malicious
URL sequences. SecurID is a product supplied by RSA Security to provide a
two-factor authentication mechanism to prevent unauthorised access to a
website. If the products are used together on the same web server and
configured in a certain way, then it is possible to enumerate the
configuration of URLScan and hence potentially uncover malicious file
extensions that are not filtered by the product.


Description:

Recently, during a penetration test, IRM identified a serious security
vulnerability when URLScan and SecurID are combined on the same machine.

IRM requested the following URL from the target web server:

http://server/irm.ida

Contained within the page contents that were returned was the following
line:

<INPUT TYPE=HIDDEN NAME="referrer"
VALUE="Z2FZ3CRejected-By-UrlScanZ3EZ3FZ7EZ2Firm.ida">

Then IRM requested the URL shown below:

http://server/irm.htm

No line relating to URLScan was returned in the page contents.

The default urlscan.ini file contains the following line:

RejectResponseUrl=  ; UrlScan will send rejected requests to the URL
specified here. Default is /<Rejected-by-UrlScan>

This is where the 'referrer' value that is returned originates.

As the ISAPI extension '.ida' is associated with the Indexing Service, which
was exploited by the infamous Code Red worm, the engineer thought it was
likely to be in the filtered extensions list within the URLScan
configuration. A script was then produced to test this theory (available on
the IRM website - http://www.irmplc.com/advisories.htm) and it was
demonstrated that, using this technique, the configuration of URLScan could
be enumerated.
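The leak described above can be checked for on the defending side: the 'referrer' hidden field in the SecurID login page carries the URL the request was redirected from, encoded with a 'Zxx' scheme, and when URLScan rejected the request that URL is the RejectResponseUrl marker. The following is an added example, not the IRM script or any vendor code. It decodes the referrer value from the advisory's sample, extracts it from captured login-page bodies and reports whether a URLScan rejection marker leaked. The 'Zxx' decoding rule (one byte per 'Z' plus two hex digits, like '%xx' URL encoding) and the '?~' separator before the original URL are inferred from the sample value on the page, and the HTML bodies are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample responses. The first mimics the leaked hidden field
# quoted in the advisory; the second is a login page with no leak.
LEAKED_PAGE = """<HTML><BODY><FORM METHOD=POST ACTION="/login">
<INPUT TYPE=HIDDEN NAME="referrer"
VALUE="Z2FZ3CRejected-By-UrlScanZ3EZ3FZ7EZ2Firm.ida">
<INPUT TYPE=TEXT NAME="username"></FORM></BODY></HTML>"""

CLEAN_PAGE = """<HTML><BODY><FORM METHOD=POST ACTION="/login">
<INPUT TYPE=HIDDEN NAME="referrer" VALUE="Z2Firm.htm">
<INPUT TYPE=TEXT NAME="username"></FORM></BODY></HTML>"""

# Marker from the default RejectResponseUrl in urlscan.ini (compared
# case-insensitively, since the page shows it in two capitalisations).
MARKER = "rejected-by-urlscan"

_ESCAPE = re.compile(r"Z([0-9A-Fa-f]{2})")


def decode_referrer(value):
    """Decode the 'Zxx' escaping seen in the advisory's referrer field.

    Assumption (inferred from the sample, not documented by the page): each
    'Z' followed by two hex digits encodes one byte, as '%xx' does in URLs.
    """
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


class _ReferrerExtractor(HTMLParser):
    """Collect VALUE attributes of <INPUT TYPE=HIDDEN NAME=referrer> tags."""

    def __init__(self):
        super().__init__()
        self.referrers = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden" and a.get("name", "").lower() == "referrer":
            self.referrers.append(a.get("value", ""))


def extract_referrers(html):
    """Return the raw (still encoded) referrer values found in a page body."""
    parser = _ReferrerExtractor()
    parser.feed(html)
    return parser.referrers


def urlscan_leak(html):
    """Return the original request URL that URLScan rejected if the page
    leaks the rejection marker, otherwise None.

    The decoded sample reads '/<Rejected-By-UrlScan>?~/irm.ida', so the
    original URL is taken to follow '?~' (an assumption from that sample).
    """
    for raw in extract_referrers(html):
        decoded = decode_referrer(raw)
        if MARKER in decoded.lower():
            _, sep, original = decoded.partition("?~")
            return original if sep else decoded
    return None


if __name__ == "__main__":
    print(decode_referrer("Z2FZ3CRejected-By-UrlScanZ3EZ3FZ7EZ2Firm.ida"))
    print("leak:", urlscan_leak(LEAKED_PAGE))   # /irm.ida
    print("leak:", urlscan_leak(CLEAN_PAGE))    # None
```

Run against your own server's login-page responses after applying the filter-order workaround: a non-None result means URLScan is still running ahead of the SecurID filter and its decision is still being written into the login form.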

Microsoft were initially contacted, but were unable to reproduce the issue
using just URLScan. However, when RSA Security were made aware of the
vulnerability they confirmed that it was related to the interaction between
the use of URLScan and SecurID and provided a simple workaround to resolve
the problem.


Tested Versions:

Microsoft IIS 5
RSA ACE/Agent 5.0
URLScan 2.5


Tested Operating Systems:

Microsoft Windows 2000


Vendor & Patch Information:

RSA Security were contacted on the 11th August and on 13th August provided a
workaround to resolve the issue.


Workarounds:

In Microsoft Internet Services Manager, the SecurID filter needs to be the
first in the global ISAPI filter list, above URLScan.


Credits:

Research & Advisory: Andy Davis


Disclaimer:

All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.


----------------------------------------------------------------------------

Information Risk Management Plc.
22 Buckingham Gate
London
SW1E 6LB
+44 (0)207 808 6420
