Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: assessing IIS 5.0
From: "Butler, Theodore" <Theodore.Butler () EssexCorp com>
Date: Tue, 5 Sep 2006 17:00:03 -0400

Vijay,

I thought you were doing a risk evaluation, not simply identifying
vulnerabilities. There is a difference. The methodology is the same
rather its payment cards, networks, or widgets:  Threats, value and
vulnerabilities (and motivation of perpetrator) need to be accounted for
where possible to identify risk.  It's assumed as a given that all this
is mapped against policy and requirements as a backdrop to give you a
reference. These items should be gathered during the information
gathering aspect of the assessment. 

I agree it's presumptuous to assign risk without it being clearly
defined; however the argument here is that industry has already defined
it to be composed of the elements I've listed above. Therefore assigning
risk without attempting to account for environmental elements is
incomplete. That's the difference between doing vulnerability scans and
assessing risk. Risks accounts for the whole enchilada.  This is what
makes the world so beautiful, free speech and differences of view.

Here's some specific information on the Internal IP address disclosure
vulnerability in IIS 4.0 and 5.0.


 
http://archive.cert.uni-stuttgart.de/archive/bugtraq/2001/08/msg00127.ht
ml

Peace,
Ted

-----Original Message-----
From: Robert E. Lee [mailto:robert () outpost24 com] 
Sent: Tuesday, September 05, 2006 2:43 PM
To: Butler, Theodore
Cc: vijay.shetti () gmail com; pen-test () securityfocus com
Subject: Re: assessing IIS 5.0

On Tue, 5 Sep 2006 12:01:14 -0400
"Butler, Theodore" <Theodore.Butler () EssexCorp com> wrote:

The risk will be determined by the threat, and value of the associated
asset (web server and its content) coupled with its vulnerability.
Risk
= Threat x Vulnerability (likelihood of threat's success) x Cost(Value
to replace). The vulnerability is only one part and only you know the
other 2 aspects.

Vijay,

Unfortunately, that calculation isn't possible for a third party to
calculate and use in a vulnerability report. In reports, you will have
an easier time if you just clearly state the category of the problem and
the consequence of the problem.  In this case, IIS revealing the
internal IP address is a "systems configuration information disclosure,
affecting Confidentiality".

Without understanding the security policy of the system being evaluated
(IE, not provided, doesn't exist, etc), trying to assign a risk
value/rating is presumptuous and baseless if not clearly defined in your
report.  If they don't give you a policy, then you should define your
terms in your report so the reader can understand your logic behind
assigning the value.

For example, if you were evaluating the system for PCI/SDP, they place a
level 5 (Urgent) value to vulnerabilities affecting CIA system wide,
level 4 (Critical) value to vulnerabilities affecting C system wide, or
if sensitive content is being leaked (without defining sensitive), level
3 (Critical) value to vulnerabilities partial C of files or of security
configuration information, availability issues, and other misc policy
violations (such as being able to relay mail), level 2 (Medium) C
related to non-security systems configuration information (IP addresses,
server version information, etc), and level 1 (Low) to C related to open
ports. -- 

If the system audited is held to PCI/SDP policy standards this finding
could be a Level 2 (Medium) finding.

Best of luck,

Robert

-- 
Robert E. Lee
Chief Security Officer
http://www.outpost24.com
 
phone: +46-(0)455-612-320
fax  : +46-(0)455-13960
email: robert () outpost24 com

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault