Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability


Kihaguru Gathura-2
Hi,

Following a scan of a web server with Qualys Community Edition, a
vulnerability has been declared as below.
------------------------------------------------------------------------------------------------------------

Web Server Internal IP Address/Internal Network Name Disclosure
Vulnerability port 80/tcp


QID:
    86247
Category:
    Web server
CVE ID:
    CVE-2000-0649
Vendor Reference
    -
Bugtraq ID:
    1499
Service Modified:
    10/01/2018
User Modified:
    -
Edited:
    No
PCI Vuln:
    Yes

RESULTS:
    GET / HTTP/1.0



    HTTP/1.0 302 Found
    Date: Fri, 01 Mar 2019 15:08:31 GMT
    Server: OpenBSD httpd
    Connection: close
    Content-Type: text/html
    Content-Length: 419
    Location: https://192.168.1.101/


THREAT:
    Some Web servers contain a vulnerability giving remote attackers
the ability to attain your internal IP address or internal network
name.

    An attacker connected to a host on your network using HTTPS
(typically on port 443) could craft a specially formed GET request
from the Web server resulting in a 3XX Object Moved error message
containing the internal IP address or internal network name of the Web
server.

    A target host using HTTP may also be vulnerable to this issue.

    QID Detection Logic:
    The remote check for the web server internal IP address sends an
HTTP GET request to the target web server. The QID is flagged if a
"Content-location:" header or a 3xx redirect address in an HTTP
response contains an RFC1918 IP address.

    PCI DSS 3.2 requirement 1.3.7 "do not disclose private IP
addresses and routing information to unauthorized parties".
    This is a PCI Fail since confidential information about your
network is leaked.

IMPACT:
    Successful exploitation of this vulnerability results in the
disclosure of your internal IP address or internal network name, which
could then be used in further attacks against the target host.
SOLUTION:
    There are no patches available at this time. Please contact your
vendor for updates.

    Workaround:

    For IIS Web Server 6.x and prior:
    Check the Microsoft article on how to set the Hostname instead of
internal IP address for IIS.

    For IIS 7.0
    The release version of IIS7 by default includes the functionality
of masking the IP address. Refer to Removing an IIS server's IP
address from HTTP responses.

    For Apache Web Server:
    Modify the Apache configuration file as follows:
    - Set "ServerName" to a proper FQDN.
    or
    - Use module mod_rewrite to modify the 3xx error message returned
by the server.

    No workaround information is available for other Web servers at
this time. Refer to your vendor for an appropriate workaround.
COMPLIANCE:
    Not Applicable
EXPLOITABILITY:

    The Exploit-DB

    Reference:
        CVE-2000-0649
    Description:
        Microsoft IIS 2.0/3.0/4.0/5.0/5.1 - Internal IP Address
Disclosure - The Exploit-DB Ref : 20096
    Link:
        http://www.exploit-db.com/exploits/20096

ASSOCIATED MALWARE:
    There is no malware information for this vulnerability.

RESULTS:
    GET / HTTP/1.0



    HTTP/1.0 302 Found
    Date: Fri, 01 Mar 2019 15:08:31 GMT
    Server: OpenBSD httpd
    Connection: close
    Content-Type: text/html
    Content-Length: 419
    Location: https://192.168.1.101/
------------------------------------------------------------------------------------------------------------
Web server configuration as follows:

        # $OpenBSD: httpd.conf,v 1.20 2018/06/13 15:08:24 reyk Exp $

        server "xyz.com" {
                listen on * port 80
                location "/.well-known/acme-challenge/*" {
                        root "/acme"
                        request strip 2
                }
                location * {
                        block return 302 "https://$HTTP_HOST$REQUEST_URI"
                }
        }

        server "xyz.com" {
                listen on * tls port 443
                hsts
                tls {
                        certificate "/etc/ssl/xyz.com.fullchain.pem"
                        key "/etc/ssl/private/xyz.com.key"
                }
                location "/.well-known/acme-challenge/*" {
                        root "/acme"
                        request strip 2
                }
                location "/xyz.com/*" {
                        root "/"
                        fastcgi
                }
        }

Any indications on how to prevent the disclosure?

Regards,

Kihaguru.


Re: Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability

Stuart Henderson
On 2019-03-01, Kihaguru Gathura <[hidden email]> wrote:

> RESULTS:
>     GET / HTTP/1.0
>
>     HTTP/1.0 302 Found
>     Date: Fri, 01 Mar 2019 15:08:31 GMT
>     Server: OpenBSD httpd
>     Connection: close
>     Content-Type: text/html
>     Content-Length: 419
>     Location: https://192.168.1.101/


>         server "xyz.com" {
>                 listen on * port 80
>                 location "/.well-known/acme-challenge/*" {
>                         root "/acme"
>                         request strip 2
>                 }
>                 location * {
>                         block return 302 "https://$HTTP_HOST$REQUEST_URI"
>                 }
>         }

In this case the redirect is coming from your configuration.
You have configured httpd to redirect http://whatever/path to
https://whatever/path, using the value of "whatever" exactly as
provided by the client.

It isn't an information disclosure though - the only way
this string is used in the redirect is if the client *already*
knows the address and has supplied it in the Host header.
If you don't want to use the client-supplied host header (which
in this case is an internal IP) in the redirect, don't use
$HTTP_HOST in the redirect string, use a fixed name instead.

There's another case where httpd generates its own redirects
(not configurable): when you request a directory name without a
trailing /. In that case it always uses the value of the Host
variable to build it and there's no way to disable it.
But as before, it is only supplying the client with information
that the client already knows and supplied to the server.
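To make the two points above concrete, here is an added Python model (not part of the thread and not httpd(8) code) of the "block return 302" rule with the client-supplied $HTTP_HOST versus a fixed server name, plus a re-implementation of the QID 86247 detection logic quoted in the report; the fixed name xyz.com is taken from the posted configuration and the sample response is transcribed from the scan output.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# RFC 1918 ranges: the only addresses the quoted detection logic looks for.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def redirect_location(host_header: str, request_uri: str,
                      fixed_name: Optional[str] = None) -> str:
    """Model of the 'block return 302' rule. With fixed_name=None it mirrors
    "https://$HTTP_HOST$REQUEST_URI" and echoes whatever Host the client sent;
    with a fixed name it mirrors the suggested fix (a constant server name)."""
    return f"https://{fixed_name or host_header}{request_uri}"

def is_rfc1918(host: Optional[str]) -> bool:
    """True only if host is a literal IPv4 address inside an RFC 1918 range."""
    try:
        addr = ipaddress.ip_address(host or "")
    except ValueError:
        return False  # a hostname such as xyz.com, not an address literal
    return any(addr in net for net in RFC1918_NETS)

def leaked_private_address(raw_response: str) -> Optional[str]:
    """Re-implementation of the quoted QID logic: flag a Location header on a
    3xx response, or any Content-Location header, whose host is an RFC 1918
    address. Returns the offending address, or None if nothing is flagged."""
    head = raw_response.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    status_line, *header_lines = head.split("\n")
    parts = status_line.split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    for line in header_lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "content-location" or (name == "location" and 300 <= status < 400):
            host = urlsplit(value).hostname  # handles ":port" and "[v6]" forms
            if is_rfc1918(host):
                return host
    return None

# Constructed sample, transcribed from the RESULTS section of the scan report.
SCAN_RESPONSE = ("HTTP/1.0 302 Found\r\nDate: Fri, 01 Mar 2019 15:08:31 GMT\r\n"
                 "Server: OpenBSD httpd\r\nConnection: close\r\n"
                 "Content-Type: text/html\r\nContent-Length: 419\r\n"
                 "Location: https://192.168.1.101/\r\n\r\n")

def response_for(host_header: str, request_uri: str,
                 fixed_name: Optional[str] = None) -> str:
    """Minimal 302 response as the modelled block-return rule would emit it."""
    loc = redirect_location(host_header, request_uri, fixed_name)
    return f"HTTP/1.0 302 Found\r\nServer: OpenBSD httpd\r\nLocation: {loc}\r\n\r\n"
```

Running the checker over `response_for("192.168.1.101", "/")` reproduces the finding, and over `response_for("192.168.1.101", "/", "xyz.com")` it returns None, which is the whole effect of replacing $HTTP_HOST with a fixed name.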