Answered Thread: IIS 6 reveals NAT address

Last post 10-29-2009 12:26 PM by Atters. 8 replies.

  • 04-14-2009, 8:11 PM

    • mcm1303
    • Not Ranked
    • Joined on 04-14-2009, 11:29 PM
    • Posts 4

    IIS 6 reveals NAT address

    Hi,

    I've got this problem on my WIN 2003 Server, SP2, running IIS 6.  You can determine its NAT IP address by doing the following:

    > telnet my.host.com 80

    GET / HTTP/1.0

    (press return twice) and voila, the NAT address appears in the header: Content-Location: http://192.168.xxx.xxx/index.html.  There's a KB article 834141 that Microsoft wrote that attempts to address this problem.  In that document they describe updating the MetaBase.xml  using AdsUtil.vbs to manipulate SetHostName and UseHostName variables.  However the problem persists.  The document further states that redirects will cause the problem to recur in spite of the fix, but I don't redirect any pages and I don't have redirected error messages. 

    I also read an interesting web page that described how certain configurations in the MetaBase.xml can cause the leak to recur.  The page below, for example, shows how a Cold Fusion installation, by placing Wildcards in the MetaBase.xml can cause the problem to recur.  However, I don't have any wildcards in my MetaBase.xml for my ISAPI filter (the only one I'm running is for .NET) but here's the article for any that are interested:

    http://blogs.msdn.com/asiatech/archive/2009/03/13/why-private-ip-address-is-still-leaked-on-iis-server-even-after-applying-fix-834141.aspx

    So, is your IIS 6 doing this as well?  You may think it's secure but I think one thing that you may not realize is often people test their server by using this command in telnet:

    telnet my.host.com 80
    GET / HTTP/1.0\r\n
    Host: my.host.com\r\n

    (where \r\n are carriage-return and linefeed).  Using the above syntax, IIS does NOT reveal the NAT address.  Only when you use the syntax from the beginning of this post is it possible to get IIS 6.0 to reveal the NAT address.

    Because it seems that there are so many ways in which this problem can be made to recur, I believe the best solution is to filter it out with an ISAPI filter that fixes the header.  I say this because you think you are protected, then, say you install Cold Fusion or you do a redirect and suddenly the problem is back.  Anybody else experience what I'm trying to deal with here?  Any solutions?

     Thanks,

    Marlin

     

  • 04-14-2009, 11:57 PM In reply to

    • lextm
    • Top 10 Contributor
    • Joined on 10-22-2008, 12:18 AM
    • Shanghai, PRC
    • Posts 1,430

    Re: IIS 6 reveals NAT address

    Hi Marlin,

    Thank you for visiting our team blog.

    About KB834141, you may notice that 2 steps are necessary,

    Step 1, install the hotfix.

    Step 2, pick up one from the options.

    Can you confirm that you changed settings like this?

    Regards,

    Lex Li
    Support Engineer at Microsoft
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • 04-15-2009, 4:55 PM In reply to

    • mcm1303
    • Not Ranked
    • Joined on 04-14-2009, 11:29 PM
    • Posts 4

    Re: IIS 6 reveals NAT address

    lextm, I posed your question to the people assisting me with trying to resolve the problem and they said: (actual site names and IP addresses have been obscured for security purposes)

    ----------Response-------------------

    I can confirm that this particular hotfix was integrated into SP2. In addition to this I have also confirmed that the proper IIS metabase values have been set as follows for site ID '45' or '*my.site.com*'. They are as follows:

    ID: 2154
    Name: SetHostName
    Data Type: String
    Data: my.site.com

    After doing a bit more research and speaking to other senior level techs I can confirm this is an expected action that is by design. You can see why in the same article that you have referenced from MSDN.com.

    http://blogs.msdn.com/asiatech/archive/2009/03/13/why-private-ip-address-is-still-leaked-on-iis-server-even-after-applying-fix-834141.aspx

    <snip>
    if an HTTP request that does not include an HTTP:Host header value is sent to IIS, and there is an ISAPI filter configured in IIS that makes a call to GetServerVariables(servername) during the SF_NOTIFY_PREPROC_HEADERS event, the IP address will always be returned instead of the server's hostname (or the value set in SetHostName). This is because PREPROC_HEADERS is called before IIS has read the configuration data (in this case either UseHostName or SetHostName), therefore there is no other choice but to return the IP address. This behavior only occurs if the HTTP request doesn't send an HTTP:Host header value; if the request contains a Host value, then SERVER_NAME will contain the value of the client's Host header.
    <snip>

    Since your telnet request does not include the HTTP:Host header value as expected it has no choice but to return the only IP address it knows, the private IP address. Since this is all done before the metabase.xml is ever read in you cannot specify any HTTP errors.

    To resolve the problem you can reconfigure your environment to a no-NAT configuration.

    Alternatively, that same article mentions
    <SNIP>
    write an ISAPI filter that blocks and rejects any incoming HTTP requests that do not include an HTTP:Host header.
    <SNIP>

    ------------------------------------------

    So while a hotfix was not applied, SP2 is supposed to have what the hotfix would have done.  I don't fully understand the part above that talks about the ISAPI filter that calls GetServerVariables. 

    I am running ASP and I DO have ASP.NET installed, but I'm not currently using it for anything specific, so if I thought it would help resolve the issue I could uninstall ASP.NET

    What seems kind of funny to me is our support team says above that KB 834141 does not work.  (unless you include the host name.  But if I'm a determined attacker, I'm going to use whatever technique works and not use proper protocol).

  • 04-16-2009, 5:00 PM In reply to

    • wadeh
    • Top 50 Contributor
    • Joined on 04-19-2005, 10:17 PM
    • Posts 112

    Re: IIS 6 reveals NAT address

    mcm1303,

    If you can send me your metabase.xml file at wadeh@microsoft.com, I can take a look to see if I can determine why you are seeing this.

    Thanks,
    -Wade

  • 04-16-2009, 6:14 PM In reply to

    • mcm1303
    • Not Ranked
    • Joined on 04-14-2009, 11:29 PM
    • Posts 4

    Re: IIS 6 reveals NAT address

    MetaBase.xml sent.

    Thanks,

    Marlin

  • 04-16-2009, 8:16 PM In reply to

    • wadeh
    • Top 50 Contributor
    • Joined on 04-19-2005, 10:17 PM
    • Posts 112

    Re: IIS 6 reveals NAT address

    Thanks.

    I've received it and have taken an initial look.  Once we've figured it out via email, one of us can post back here with a summary of the resolution, to help others who might be having the same problem.

    -Wade

  • 04-17-2009, 4:27 PM In reply to

    • mcm1303
    • Not Ranked
    • Joined on 04-14-2009, 11:29 PM
    • Posts 4

    Answered Re: IIS 6 reveals NAT address

    It is fixed! Wade H, after examining my MetaBase.xml, sent me something to try:

    ----------------------------------------

    I think what is happening here is that the request is going to the default site for port 80.

    The reason for this is that you are not sending a host header. Without a host header, the only information IIS has available to it for routing the request is the IP address and host that your telnet client connected to. Based on your metabase.xml, the request is going to site ID 97, with the ServerComment "www.your-other-site.com".

    If you add a SetHostName property to that site, that’s what will show up in the response to your telnet request.

    --------------------------------------------

    I'm not certain, but what I think was happening was even though the site in question had the SetHostName property set for it, there were many other sites being served by this same server that did not. And one site in particular, the www.your-other-site.com did not have the host header value set (As in Properties->Web Site->Advanced... The host header value was blank here).

    What I did to resolve it is to add in the host header value for the site above. And that solved it.

    When I run the exploit procedure:

    > telnet my.host.com 80

    GET / HTTP/1.0

    I now get:

    HTTP/1.1 400 Bad Request
    Content-Type: text/html
    Date: Fri, 17 Apr 2009 18:47:53 GMT
    Connection: close
    Content-Length: 39

    <h1>Bad Request (Invalid Hostname)</h1>

    Which is fine by me! And we are still serving webpages for legitimate requests.

    Now I just need to spend the time to update my MetaBase.xml and add the SetHostName for all my other sites and I'll be good.

     Thanks for your help.
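
A check for the behaviour verified in the post above, as an added example that is not part of the original thread: it builds both request forms (with and without a Host header) and flags private addresses echoed in the Content-Location or Location response headers. The sample responses are constructed (the 192.168.10.20 address is invented), the function names are this example's own, and `probe` is meant for a server you administer.

```python
import ipaddress
import re
import socket

# Headers checked for an echoed server address (the thread shows Content-Location;
# Location is included on the assumption that redirects leak the same way).
LEAK_HEADERS = ("content-location", "location")
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
# Constructed samples: a leaking reply (address invented) and the fixed reply from the thread.
LEAKING = (b"HTTP/1.1 200 OK\r\nContent-Location: http://192.168.10.20/index.html\r\n"
           b"Content-Type: text/html\r\n\r\n<html></html>")
FIXED = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\nConnection: close\r\n"
         b"Content-Length: 39\r\n\r\n<h1>Bad Request (Invalid Hostname)</h1>")

def build_request(path="/", host=None):
    """HTTP/1.0 request; host=None reproduces the Host-less form from the thread."""
    lines = [f"GET {path} HTTP/1.0"]
    if host:
        lines.append(f"Host: {host}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def leaked_addresses(raw):
    """Return [(header name, ip)] for private IPv4 literals in leak-prone headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")  # headers only, not body
    hits = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() not in LEAK_HEADERS:
            continue
        for candidate in IPV4.findall(value):
            try:
                if ipaddress.ip_address(candidate).is_private:
                    hits.append((name.strip(), candidate))
            except ValueError:
                continue  # dotted digits that are not a valid address
    return hits

def probe(server, port=80, host=None, timeout=5.0):
    """Send one request to a server you administer and return the raw response bytes."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(build_request(host=host))
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)
```

Running `leaked_addresses(probe("my.host.com"))` and `leaked_addresses(probe("my.host.com", host="my.host.com"))` against each site on the server covers both request forms from the thread; an empty list from both means no private address was echoed.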

  • 04-17-2009, 4:45 PM In reply to

    • wadeh
    • Top 50 Contributor
    • Joined on 04-19-2005, 10:17 PM
    • Posts 112

    Re: IIS 6 reveals NAT address

    Thanks for the followup.

    I just want to make one correction to the response I sent to you.  The second sentence in the reason paragraph should read:

    "Without a host header, the only information IIS has available to it for routing the request is the IP address and port (not host as I mistyped) that your telnet client connected to."

    I think it makes more sense with the correction.

    -Wade

  • 10-29-2009, 12:26 PM In reply to

    • Atters
    • Not Ranked
    • Joined on 10-29-2009, 10:40 AM
    • Posts 1

    IIS 6 reveals NAT address

    First, I hate reopening a post that is more than 6 months old, but I am unable to find a solution or a more appropriate place to post this issue.

    I am having the same problem as has been discussed previously, however the sites affected are using SSL rather than clear HTTP.  I have applied the UseHostName and SetHostName changes to metabase.xml using the process described in KB834141.  I have also set the host header values for these sites to the appropriate values from within the IIS manager, and then restarted IIS.  To verify the changes I have made, I am using the openssl s_client program to connect to the site and send the "GET / HTTP/1.0" request.  When sending only the "GET / HTTP/1.0" line, the site's header returns the internal IP.  When sending the "GET / HTTP/1.0" and "Host: www.my-site-name.com" lines, the internal IP is not returned.

    Any advice will be extremely appreciated, and thank you for your time.
