SidFishes asked:
How to disable reverse DNS resolution in IIS 6

I'm trying to resolve a low risk PCI vulnerability

Microsoft IIS 6.0 Log Injection Vulnerability
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1582
Solution:
Ensure reverse DNS resolution is disabled in IIS if it is not needed.

Now, from my reading http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/233c0fde-7315-479a-a7fb-2e9d00ff73fd.mspx?mfr=true

it appears that this only applies to SMTP, and if I have disabled SMTP I should not have an issue, correct? (FTP is also disabled, fwiw.)

I should note that the scan "evidence"

Service: (80) Microsoft-IIS/6.0
Evidence:
• Virtual Host: xxx.xxx.xxx.xxx
• Match: '6.0' is greater than or equal to '6.0'
• Match: '6.0' is less than '7.0'

appears to only be looking at the IIS version number, so I think this is a false positive, but I do want to double check.
Rovastar:

Another useless OTT automated security scan.

This has to do with your log files; see here:

http://www.securityfocus.com/archive/1/313867

But if you are not sharing the log files online, don't worry about it; read through it to understand, though.

I don't even know if that is still valid; it is from 2003 and is so obscure anyway....

And yes, *all* your security scan does is look for the version number of IIS and report *anything* that ever was a problem. It is in no way intelligent.
ASKER CERTIFIED SOLUTION
Russell_Venable:
SidFishes (asker):
Russell - LFI is exactly what the PCI scan is warning about. "If you don't have logs that are viewed as HTML then this is false positive for you" is just what I needed to know thx.

fwiw, Rovastar, OWASP rates log injection as High with a likelihood of exploit of very high: https://www.owasp.org/index.php/Log_injection

also fwiw, my server is still running server2003 & IIS 6 so warnings from 2003 are quite relevant.

and finally fwiw, whether PCI scan provider is useless or not, it's a requirement for compliance and I have to deal with it - and understand what the results are.





Good standards you have there! I think you might have been one of the people that would have passed my pen-tests. Being cautious is being safe. If I could get every administrator to stay PCI compliant, my job would be done.

A lot of people don't even use PCI unless forced to conform to the standards, or you're in the business field and have no choice but to protect your investment; either way it's a good habit.
Log injection for covering up tracks is different from injecting HTTP into logs like in this case. You cannot modify existing stuff in this exploit; that is the high severity that OWASP are referring to.

To be honest, there is no indication that this is still exploitable.
That is my objection to autoscans versus a human pen tester.

Have you followed the method and made stuff appear in logs?!?! I linked to what the problem is claimed to be; you need to read through this and understand if it is possible or not.

Personally I doubt it is, but it is not for me to check. Many old claimed vulns are not actually a problem, and that is an issue with sites like CVE.

I find it strange that anyone can say the warning is still valid if they cannot actually exploit anything.
You missed the fact he is running an older version of IIS. I wouldn't argue about vulnerability scanning. If you make a tool that only checks for version and reports possibility, it is not doing what it is supposed to be designed for if it is a static analysis tool. Arguing after the fact about possibilities of exploiting an old vulnerability is a futile mistake. Not everyone patches systems or is security conscious....

"I find it strange that anyone can say the warning is still valid if they cannot actually exploit anything."

Your slander will get you in trouble one of these days, just saying... You really need to think about that one. Just because you can't get it to work nor understand it does not mean it doesn't work or exist. That is all I am going to add here. Have a good day.

Russell, thanks for the information, but one thing remains... how to disable reverse DNS resolution in IIS 6. I have several web servers that use a log analyzer, so this issue is quite real. I have searched the web and am just not satisfied with the results.

This link, http://support.microsoft.com/kb/245574, is the closest I have found. Can you advise on this?
Hi outflowTech,
Thanks for asking! There are a few ways to disable reverse DNS lookup, but I will tell you the one you are directly looking for. In IIS 6.0, Reverse DNS Lookup is enabled and disabled from IIS Manager; here's how.

1.) Open IIS Manager with administrator powers. The easy way is using the runas command. Example: runas /User:administrator-account "mmc c:\windows\system32\inetsrv\IIS.msc" and hit enter.

2.) Select the Delivery tab, and click Advanced.

3.) Unselect "Perform reverse DNS Lookup on incoming messages", accept the changes, and you're done. If that does not do it for you, I have a few more ways. Hope that helps you.

Russ, out.
Whoops! Check it again. I missed a few steps, just in the beginning.

Select "SMTP Virtual Server" after opening IIS Manager, select Properties, then continue with the above steps.
Russ,

Thanks for the clarification, but it doesn't quite get it. The issue is not with the SMTP reverse lookup, as I don't have SMTP installed; it is with IIS and how it writes visitor data to the web site log file. Some part of IIS does a reverse DNS lookup when writing a client IP address into the server log file, to write in the host name. For this low risk log injection vulnerability (for PCI compliance), it states as a solution to disable reverse DNS resolution in IIS 6 to solve this issue.

Hope this helps (you can see the link at the top of this thread for more details on this issue, but here it is again... http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1582).

Best,
Josh
Ah! I thought you were talking about the DoS vulnerability through SMTP. In fact, the link you give helps out a lot! This gives me the details I need to know about the problem in sharp detail. Enabling domain lookups in any part of your IIS configuration automatically requires "Reverse DNS Lookup" to be enabled. So be sure you don't need this enabled before you continue. You will know, as things will break/complain.

Seeing as this is the cause, you will need to do these steps to disable "Reverse DNS Lookup" for IIS 6.0.

1.) Open a command prompt
2.) Change directory to your adminscripts directory (c:\inetpub\AdminScripts or wherever you have them on your server).
3.) Input this command, assuming you already have adsutil.vbs there.


cscript adsutil.vbs set /w3svc/EnableReverseDNS "FALSE"

This in effect shuts off "Reverse DNS Lookup" on all websites on IIS. If you want to do just one site, you will change it to something like

cscript adsutil.vbs set /w3svc/1/Root/EnableReverseDNS "FALSE"

Where "1" is your default website, which also logs to the directory W3SVC1. It's been a while since I had IIS 6.0, so if you have any further problems related to this, give me a holler and I'll see what I can do. Hope this info helps you solve your problem.

cscript adsutil.vbs set /w3svc/EnableReverseDNS "FALSE"

This should disable Reverse DNS Resolution on your server and also help reduce server load from the lack of reverse dns resolution being done.

Take note that since this log injection is caused by cross-site injection (XSS), you should be filtering your user inputs and variables anywhere they can be entered/queried from the address bar, for good practice and security.

An attempt to attack this vulnerability would look similar to these examples:

 /?query=<script>alert("vulnerable")</script> or /?<scri%20pt>alert("vulnerable")</scri%20pt>
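As an added example, not code from this thread, from Microsoft or from the scan vendor: the two things the answers above worry about are (a) the resolved hostname that IIS writes into the c-ip field when reverse DNS is enabled, which an attacker controls through their own PTR record, and (b) HTML markup in client-influenced fields that a log analyzer rendering HTML would interpret. The scanner below reads IIS 6 W3C extended log lines, flags a c-ip value that is neither an IP address nor an RFC 1123 hostname, flags raw or URL-encoded angle brackets and control characters in client-influenced fields, and flags records whose field count does not match the #Fields header (a space-delimited log is forged by smuggling spaces into a field). The log lines are constructed for the example, not taken from a real server; the field names are the default W3C extended set.

```python
"""Scan IIS 6 W3C extended log lines for signs of log injection.

Added example, not code from the thread. Assumes the default W3C
extended format, in which c-ip holds the resolved hostname when
reverse DNS is enabled and the client IP address when it is not.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label longer than 63 characters, whole name at most 253.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?$"
)
# Raw or URL-encoded angle brackets: what an HTML log viewer would render as markup.
_MARKUP_RE = re.compile(r"<|>|%3c|%3e", re.IGNORECASE)
# Fields whose content the client influences in a default IIS 6 W3C log.
_CLIENT_FIELDS = ("c-ip", "cs-uri-stem", "cs-uri-query", "cs-username",
                  "cs(User-Agent)", "cs(Referer)")


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def _finding(line: int, field: Optional[str], reason: str) -> Dict:
    return {"line": line, "field": field, "reason": reason}


def scan_log(text: str) -> List[Dict]:
    """Return one finding per suspicious field or malformed record."""
    findings: List[Dict] = []
    fields: List[str] = []
    # Split on "\n" only, so a stray control character inside a field survives
    # to be flagged instead of being treated as a line break.
    for lineno, raw in enumerate(text.split("\n"), 1):
        line = raw.rstrip("\r")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if not fields:
            findings.append(_finding(lineno, None, "record before any #Fields header"))
            continue
        tokens = line.split(" ")
        if len(tokens) != len(fields):
            # Extra fields mean some field contained spaces, which is how a
            # forged record is smuggled into a space-delimited log.
            findings.append(_finding(lineno, None,
                                     f"expected {len(fields)} fields, got {len(tokens)}"))
            continue
        record = dict(zip(fields, tokens))
        client = record.get("c-ip", "-")
        if client != "-" and not _is_ip(client) and not _HOSTNAME_RE.match(client):
            findings.append(_finding(lineno, "c-ip", "neither an IP address nor a valid hostname"))
        for name in _CLIENT_FIELDS:
            value = record.get(name, "-")
            if _MARKUP_RE.search(value):
                findings.append(_finding(lineno, name, "HTML markup"))
            if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
                findings.append(_finding(lineno, name, "control character"))
    return findings


# Constructed sample, not a real log. Lines 7 to 9 show the cases discussed in
# the thread: a script tag in the query string, a script tag arriving as a
# "hostname" via reverse DNS, and a c-ip field carrying a forged second record.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2011-03-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2011-03-01 00:00:01 10.0.0.5 GET /default.htm - 80 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2011-03-01 00:00:02 10.0.0.5 GET /default.htm - 80 - host7.example.net Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2011-03-01 00:00:03 10.0.0.5 GET /default.htm query=<script>alert("vulnerable")</script> 80 - 203.0.113.9 Mozilla/4.0 404 0 2
2011-03-01 00:00:04 10.0.0.5 GET /default.htm - 80 - <script>alert(1)</script>.example.net Mozilla/4.0 200 0 0
2011-03-01 00:00:05 10.0.0.5 GET /default.htm - 80 - 198.51.100.4 2011-03-01 00:00:05 10.0.0.5 GET /admin/ - 80 admin 10.0.0.1 - 200 0 0
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']:>3}  {f['field'] or '(record)':<14} {f['reason']}")
```

Run it against your own ex*.log files by reading them into scan_log. Two caveats a practitioner would want: a forged record whose field count happens to match the header is indistinguishable from a genuine one after the fact, which is why the fix in this thread is to remove the attacker-controlled field at the source by turning reverse DNS off; and the scanner does not tell you whether your log analyzer renders fields as HTML, which is the check the accepted answer hinges on.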
Russell,

Thanks - that's perfect.  

Do you by chance know what things in IIS use the reverse DNS lookup (so I and others can decide on whether to turn this off or not)?

Again, thanks!

Best,
Josh
Well, pretty much anything that does a host lookup.

Only SMTP, the server-side REMOTE_HOST environment variable, and anything that needs to resolve an IP to a hostname using the domain. It just means that if you turn it off, things like your logs will display IP addresses instead of hostnames, really. Not really important to have on. You will most likely want it off because of the server speed gains if you have a lot of traffic.