Solved

ISA 2006 HTTPS publishing reveals PRIVATE IP assigned to the NIC

Posted on 2008-06-16
Last Modified: 2012-06-22
I have an ISA 2006 server in a DMZ behind a PIX firewall.
The ISA server has a private IP assigned to its NIC.
The PIX is NATing the private IP behind a public IP.
Everything works perfectly, as it should.

The ISA server is HTTPS publishing a LINUX APACHE server.
When scanning the PUBLIC IP from the OUTSIDE of the network (via Internet) with Nessus, the scanner is able to determine the PRIVATE IP address of the ISA SERVER (not the published web server).

I've tested adjusting the firewall to NAT directly to the Apache Web server.  The same scan does NOT reveal the IP address.  This is definitely something that the ISA 2006 server is leaking.

I have been unable to find any security procedures/fixes to stop this problem.
Ideas?

The fixes I've found for this type problem are related to IIS, but NOT ISA.

thanks.
Question by:mike_virgilio

Expert Comment

by:giltjr
ID: 21841915
What type of scan is being done that shows the private IP address of the ISA box?

Author Comment

by:mike_virgilio
ID: 21847030
When I scan the PUBLIC IP with Nessus (http://www.nessus.org/nessus/), it is able to get the PRIVATE IP address from the HTTPS port.    If I set up the webserver to be directly connected with a NAT and scan the published web server directly, it does NOT reveal the private IP.

Expert Comment

by:giltjr
ID: 21847253
What happens if you run the same scan as just plain HTTP?

My thought is that ISA is putting a "via" type header in the HTTP stream and putting its IP address.  Some proxy servers do this and in this case ISA is acting like a proxy server.

If you see the "leak" in plain HTTP, then you can look at the actual data stream with a packet sniffer and see what the ISA box is doing.

Expert Comment

by:giltjr
ID: 21847298

Author Comment

by:mike_virgilio
ID: 21863011
After trying to adjust headers via ISA server, I was unable to fix the problem.  I DID come up with a solution by adjusting the service policies on the PIX to SPOOF the HTTP/HTTPS Server headers for inbound connections to the ISA public address (I'm using 8.0 software on PIX 515).

Expert Comment

by:giltjr
ID: 21864155
I would like a bit more on the solution, as I am confused.  I can see how the PIX can spoof the HTTP headers, but the headers for an HTTPS stream should be encrypted and the PIX would never be able to see them.  Can you provide more information on how you got the PIX to change encrypted data?

Accepted Solution

by:
mike_virgilio earned 0 total points
ID: 21866188
The headers must be transmitted BEFORE the certificate exchange occurs

From PIX Configuration:
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https

access-list outside_mpc extended permit tcp any host 57.14.22.434 object-group DM_INLINE_TCP_5

class-map outside-class1
 match access-list outside_mpc

policy-map type inspect http HTTP_Server-Spoof
 parameters
  spoof-server "www.mydomain.com"

policy-map outside-policy
 description chi-pubisa
 class outside-class1
  inspect http HTTP_Server-Spoof
=================
I did an additional test to make sure it was the HTTPS protocol leaking the IP.  I adjusted the PIX to ONLY spoof on HTTP. (NOT HTTPS)
After scanning, I WAS able to get the private IP again.
It SAYS HTTP in the description, but is detected on the HTTPS port.
---------------
Private IP address leaked in HTTP headers

Synopsis :

This web server leaks a private IP address through its HTTP headers.

Description :

This may expose internal IP addresses that are usually hidden or masked
behind a Network Address Translation (NAT) Firewall or proxy server.

There is a known issue with IIS 4.0 doing this in its default configuration.

See also :

http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP
See the Bugtraq reference for a full discussion.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin output :

This web server leaks the following private IP address : 192.168.110.14
CVE : CVE-2000-0649
BID : 1499

Nessus ID : 10759
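
Added example, not part of the original thread: a small offline checker that applies the same test the Nessus finding above describes (an RFC 1918 address appearing in HTTP response headers), so a captured response can be re-checked after a configuration change. The sample responses are constructed, and the header carrying the address in the sample (Location) is an assumption, since the thread does not say which header leaked.

```python
import ipaddress
import re

# RFC 1918 ranges: the "private IP addresses" the scanner finding refers to.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Dotted quad that is not part of a longer dotted/numeric token.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample: a redirect whose Location header exposes the proxy's NIC.
LEAKY = (b"HTTP/1.1 302 Found\r\n"
         b"Location: https://192.168.110.14/default.htm\r\n"
         b"Via: 1.1 57.14.22.434\r\n"          # not a valid IPv4 address, skipped
         b"Content-Length: 0\r\n\r\n")
# Constructed sample: same site after the fix; body text must not be scanned.
CLEAN = (b"HTTP/1.1 200 OK\r\n"
         b"Server: www.mydomain.com\r\n"
         b"Content-Type: text/html\r\n\r\n"
         b"<html>10.1.2.3 appears only in the body</html>")


def private_ips_in_headers(raw_response: bytes):
    """Return [(header_name, ip), ...] for RFC 1918 addresses in the headers."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    findings = []
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        for candidate in IPV4_RE.findall(value):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:                 # octet out of range
                continue
            if any(addr in net for net in PRIVATE_NETS):
                findings.append((name.strip(), str(addr)))
    return findings


if __name__ == "__main__":
    for label, resp in (("before", LEAKY), ("after", CLEAN)):
        print(label, private_ips_in_headers(resp))
```

Feed it the raw bytes of a response captured from the public address, on both the HTTP and the HTTPS port, since the thread found the two behaved differently.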