Solved

ISA 2006 HTTPS publishing reveals PRIVATE IP assigned to the NIC

Posted on 2008-06-16
11
1,209 Views
Last Modified: 2012-06-22
I have an ISA 2006 server in a DMZ behind a PIX firewall.
The ISA server has a private IP assigned to it's NIC.
The PIX is NATing the private IP behind a public IP.
Everything works perfect how it should.

The ISA server is HTTPS publishing a LINUX APACHE server
When scanning the PUBLIC IP from the OUTSIDE of the network (via Internet) with Nessus, the scanner is able to determine the PRIVATE IP address of the ISA SERVER (not the published web server).

I've tested adjusting the firewall to NAT directly to the Apache Web server.  The same scan does NOT reveal the IP address.  This is definately something that the ISA 2006 server is leaking.

I have been unable to find any security procedures/fixes to stop this problem.
Ideas?

The fixes I've found for this type problem are related to IIS, but NOT ISA.

thanks.
0
Comment
Question by:mike_virgilio
  • 4
  • 3
11 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 21841915
What type of scan is being done that shows the private IP address of the ISA box?
0
 

Author Comment

by:mike_virgilio
ID: 21847030
When I scan the PUBLIC IP with Nessus (http://www.nessus.org/nessus/), it is able to get the PRIVATE IP address from the HTTPS port.    If I setup the webserver to be directly connected with a NAT and scan the published web server directly, it does NOT reveal the private IP.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 21847253
What happens if you run the same scan as just plain HTTP?

My thought is that ISA is putting a "via" type header in the HTTP stream and putting it's IP address.  Some proxy servers do this and in this case ISA is acting like a proxy server.

If you see the "leak" in plain HTTP, then you can look at the actual data stream with a packet sniffer and see what the ISA box is doing.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 57

Expert Comment

by:giltjr
ID: 21847298
0
 

Author Comment

by:mike_virgilio
ID: 21863011
After trying to adjust headers via ISA server, I was unable to fix the problem.  I DID come up with a solution by adjusting the service policies on the PIX to SPOOF the HTTP/HTTPS Server headers for inbound connections to the ISA public address (I'm using 8.0 software on Pix 515)
0
 
LVL 57

Expert Comment

by:giltjr
ID: 21864155
I would like a bit more on the solution, as I am confused.  I can see how the PIX can spoof the HTTP headers, but the headers for a https stream should be encrypted and the PIX would never be able to see them.  Can you provide more information on how you got the pix to change encrypted data?
0
 

Accepted Solution

by:
mike_virgilio earned 0 total points
ID: 21866188
The headers must be transmitted BEFORE the certificate exchange occurs

From PIX Configuration:
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https

access-list outside_mpc extended permit tcp any host 57.14.22.434 object-group DM_INLINE_TCP_5

class-map outside-class1
 match access-list outside_mpc

policy-map type inspect http HTTP_Server-Spoof
 parameters
  spoof-server "www.mydomain.com"

policy-map outside-policy
 description chi-pubisa
 class outside-class1
  inspect http HTTP_Server-Spoof
=================
I did an additional test to make sure it was the HTTPS protocol leaking the IP.  I adjusted the PIX to ONLY spoof on HTTP. (NOT HTTPS)
After scanning, I WAS able to get the private IP again.
It SAYS HTTP in the description, but is detected on the HTTPS port.
---------------
Private IP address leaked in HTTP headers

Synopsis :

This web server leaks a private IP address through its HTTP headers.

Description :

This may expose internal IP addresses that are usually hidden or masked
behind a Network Address Translation (NAT) Firewall or proxy server.

There is a known issue with IIS 4.0 doing this in its default configuration.

See also :

http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP
See the Bugtraq reference for a full discussion.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin output :

This web server leaks the following private IP address : 192.168.110.14
CVE : CVE-2000-0649
BID : 1499

Nessus ID : 10759
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Suggested Solutions

Remote Apps is a feature in server 2008 which allows users to run applications off Remote Desktop Servers without having to log into them to run the applications.  The user can either have a desktop shortcut installed or go through the web portal to…
If you've heard about htaccess and it sounds like it does what you want, but you're not sure how it works... well, you're in the right place. Read on. Some Basics #1. It's a file and its filename is .htaccess (yes, with a dot in the front). #…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now