By Chris Prosise and Saumil Udayan Shah
Many administrators are unaware of a very real danger that exists on their networks. It's easy to assume that our Web servers are a cinch to find; it's all right there at www.yourcompany.com--right? So the only Web server you have, and the only one you need to secure, is the one that hosts your Internet presence. Unfortunately, nothing could be further from the truth. A recent explosion in nonstandard Web servers, listening on ports no one thinks to check, is producing a jumble of security issues that you'll want to be aware of.
Web servers have traditionally been used to host Web sites for information dissemination or data access. However, as the popularity of the Hypertext Transfer Protocol (HTTP) has risen, so too has the popularity of Web-enabled applications. Users and administrators alike enjoy the advantages of the platform-independent, graphical interface afforded by Web servers. Accordingly, Web interfaces now exist for a wide variety of network devices and applications. These Web interfaces are often used for remote administration and configuration. In this column, we'll mention a few of the more common nonstandard Web servers and some of the security issues that are associated with them.
Nonstandard Web servers
A variety of Web servers exist for many common applications and devices. The short list of nonstandard Web servers provided below reveals the wide variety of functionality that they now encompass. Furthermore, each of these Web servers has some security risk.
- Compaq Insight Manager, TCP port 2301--a Web server that runs on Compaq hardware and is designed for system management on servers, workstations, and clients
- Netscape Server Administration Console, TCP port 10000--an administrative interface used to remotely configure Netscape's Web server software
- Cisco Router Web Interface, TCP port 80--an administrative interface used as an equivalent to interactive access to the router
- HP JetAdmin, TCP port 8000--a Web server that provides an interface for remote management and optimization of network peripheral devices such as printers
- ScreamingMedia SiteWare, TCP port 30001--an administrative interface to the SiteWare content-management product from ScreamingMedia
- RealServer Administration, TCP port 27556--an administrative interface to the RealServer product from RealNetworks
Now that we've noted some of the various Web servers out there, let's look at some of the associated security problems. The security issues associated with these Web servers come in two basic categories: those derived from using the Web interface in the intended manner and those arising from bugs in the Web server.
Abusing the administrative interface
For the first category, the major concern is that an unauthorized party will use (and abuse) the Web server's intended functionality. For example, if a Cisco router allows remote administration via an HTTP interface, then an unauthorized user who can reach that interface can reconfigure the router at will. Administrative access to one of these interfaces can be just as damaging to your network as a vulnerability in your primary Web server: with a toehold on an infrastructure device or a management host, any moderately skilled attacker can escalate privileges and extend access to the rest of the network.
Unfortunately, gaining administrative access to these nonstandard Web servers is not as difficult as it should be. Virtually all of them speak plain HTTP rather than HTTPS, so every request, including the user ID and the password, crosses the network in cleartext. Whenever a legitimate administrator uses the interface, an attacker on a shared segment, or anywhere on the network path, can recover the user ID and password simply by monitoring traffic (sniffing).
Even without sniffing, attackers can learn the user IDs and passwords for these nonstandard Web servers. How? Many of them ship with default passwords that are published or easily guessed, and a quick search of the Internet reveals many compilations of default passwords, such as the list found at Security Paradigm. System administrators contribute to the problem by leaving the defaults in place or by choosing weak passwords such as password or admin.
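The two problems just described, cleartext credentials and default accounts, compound each other. The following is an added example, not code from the original column: it takes the raw bytes of an HTTP login request exactly as a sniffer on a shared segment would capture them, pulls the credentials out of either an Authorization: Basic header or a posted login form, and checks them against a default-credential list. The two captured requests, the hosts and accounts in them, the form field names, and the DEFAULT_CREDENTIALS list are all constructed for illustration; the list stands in for the published compilations the column mentions and is not vendor-verified data.

```python
"""Added example: recovering credentials from a sniffed, cleartext HTTP
administrative login and checking them against default accounts.
All captures, hosts, accounts and the default list are constructed."""
import base64
from urllib.parse import parse_qs

# Constructed capture: HTTP Basic authentication to an admin interface.
CAPTURED_BASIC_LOGIN = (
    b"GET /admin/ HTTP/1.0\r\n"
    b"Host: 192.0.2.10:27556\r\n"
    b"Authorization: Basic YWRtaW46YWRtaW4=\r\n"
    b"User-Agent: Mozilla/4.7 [en] (X11; U; Linux 2.2.16 i686)\r\n"
    b"\r\n"
)

# Constructed capture: an HTML login form posted over plain HTTP.
CAPTURED_FORM_LOGIN = (
    b"POST /cgi-bin/login HTTP/1.0\r\n"
    b"Host: 192.0.2.11:2301\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"username=operator&password=letmein"
)

# Assumed form field names; real interfaces vary.
USER_FIELDS = ("username", "user", "login", "userid")
PASS_FIELDS = ("password", "passwd", "pass", "pwd")

# Constructed illustration of a default-credential list, not vendor data.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("administrator", ""),
    ("root", "root"),
    ("operator", "operator"),
}


def split_request(raw):
    """Split a raw HTTP request into (request line, lowercased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def credentials_from_basic(headers):
    """Decode 'Authorization: Basic <base64(user:password)>'; None if absent/malformed."""
    value = headers.get(b"authorization")
    if not value:
        return None
    scheme, _, token = value.partition(b" ")
    if scheme.lower() != b"basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, password = decoded.decode("latin-1").partition(":")
    return user, password


def credentials_from_form(headers, body):
    """Pull user/password fields out of a form-encoded POST body; None if not found."""
    if b"application/x-www-form-urlencoded" not in headers.get(b"content-type", b""):
        return None
    fields = parse_qs(body.decode("latin-1"))
    user = next((fields[f][0] for f in USER_FIELDS if f in fields), None)
    password = next((fields[f][0] for f in PASS_FIELDS if f in fields), None)
    if user is None or password is None:
        return None
    return user, password


def sniff_credentials(raw):
    """Whatever the login mechanism, cleartext HTTP hands the attacker the secret."""
    _, headers, body = split_request(raw)
    return credentials_from_basic(headers) or credentials_from_form(headers, body)


def is_default(creds):
    """True when the sniffed pair is on the default-credential list."""
    return creds in DEFAULT_CREDENTIALS


if __name__ == "__main__":
    for capture in (CAPTURED_BASIC_LOGIN, CAPTURED_FORM_LOGIN):
        creds = sniff_credentials(capture)
        print(creds, "DEFAULT ACCOUNT" if is_default(creds) else "")
```

Basic authentication only base64-encodes the user ID and password; it does not encrypt them, so over HTTP a single captured request yields the credentials directly. The form-based case is no better: the field values travel in the request body in cleartext. Only HTTPS (or keeping the interface off any network an attacker can observe) changes this.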
Web server bugs
Just because a Web server has seemingly innocuous functionality does not mean that it poses no security risk. Some nonstandard Web servers provide very limited functionality, yet they still pose significant risks to your network. Why? Because Web servers, by their very nature, serve files on the host to remote users, often without any authentication. Any Web server has innumerable possible points of exposure. Even robust, time-tested, standard Web server software such as Apache, Microsoft IIS, and Netscape Server has had significant security exposures. Is it any wonder that the first version of a Web server from a manufacturer that's new to the game might have security issues?
The most common bugs that we're seeing in nonstandard Web servers are the same ones that have already been found and corrected in the standard Web servers: directory traversal vulnerabilities and source disclosure vulnerabilities. A directory traversal vulnerability lets a user of the Web server read files and directories outside the Web root, the one directory the server is supposed to be restricted to. If this vulnerability exists, anyone with a browser can read files and directories anywhere on the system that the server process can reach, which means that they can retrieve password files to crack offline, view sensitive data, learn the exact location of the Web root, and so forth. Exploiting it is often as simple as inserting ../ sequences (or their URL-encoded equivalents, such as %2e%2e/) into the path portion of the URL in a browser window; the server joins the path to its Web root without checking that the result still lies inside it.
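To make the traversal bug concrete, here is an added example (not code from the original column, and not any vendor's implementation): a naive path resolver with the bug described above, the hardened resolver that closes it, and the same containment check turned around to flag traversal attempts in an access log. The Web root, the request paths, and the log lines are constructed for illustration.

```python
"""Added example: directory traversal, the vulnerable resolver beside the
hardened one, and the containment check reused for log detection.
WEB_ROOT and the access log are constructed for illustration."""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/opt/webadmin/htdocs"  # assumed document root of the admin interface


def resolve_naively(url_path):
    """Vulnerable: decode the path and join it under WEB_ROOT, trusting that
    normalisation keeps it inside the root. It does not: each ../ climbs out."""
    path = url_path.split("?", 1)[0]
    decoded = unquote(path)
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))


def resolve_safely(url_path):
    """Hardened: decode once, reject NUL bytes and backslashes, normalise, then
    require the result to be WEB_ROOT itself or something beneath it. Because
    the check runs on the final filesystem path, it does not matter whether the
    dots arrived literally, as %2e%2e, or with %2f separators. Returns None on
    anything that escapes the root."""
    path = url_path.split("?", 1)[0]
    decoded = unquote(path)
    if "\x00" in decoded or "\\" in decoded:
        return None
    full = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None
    return full


# Constructed access log in common log format. Note the 200 on the
# /etc/passwd request: the naive server handed the file over.
ACCESS_LOG = """\
192.0.2.7 - - [12/Mar/2001:10:15:02 -0500] "GET /images/logo.gif HTTP/1.0" 200 1423
192.0.2.7 - - [12/Mar/2001:10:15:09 -0500] "GET /../../../../etc/passwd HTTP/1.0" 200 812
192.0.2.7 - - [12/Mar/2001:10:15:15 -0500] "GET /%2e%2e/%2e%2e/%2e%2e/winnt/repair/sam HTTP/1.0" 404 0
192.0.2.7 - - [12/Mar/2001:10:15:21 -0500] "GET /docs/../index.html HTTP/1.0" 200 2048
"""

LOG_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def flag_traversal_attempts(log_text):
    """Return the request paths whose resolved target escapes WEB_ROOT.
    A path like /docs/../index.html is not flagged: it stays inside the root."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_REQUEST_RE.search(line)
        if m and resolve_safely(m.group(1)) is None:
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    attack = "/../../../../etc/passwd"
    print("naive  :", resolve_naively(attack))
    print("safe   :", resolve_safely(attack))
    print("flagged:", flag_traversal_attempts(ACCESS_LOG))
```

The hardened version does not try to strip ../ sequences out of the input, which is fragile (an attacker can encode them, or write ....// so that one removal pass leaves ../ behind). It computes the final path and checks where it landed; that is the check a nonstandard Web server that exposes files must have.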
Source disclosure vulnerabilities are similarly trivial to exploit. They involve sensitive information, such as credentials or configuration details, left in the source of a Web page or in a configuration file that the server will happily serve to anyone who asks for it. To exploit them, an attacker often needs nothing more than the View Source feature of a Web browser and a guess at a URL. Some nonstandard Web servers store passwords in files in a default location such as the /admin directory; knowing that location, combined with View Source, can be a recipe for disaster. RealServer's administration interface provides an example of this weakness. By requesting http://<server>:27556/admin/Docs/default.cfg, a user could view the administrative password. Armed with that password, further compromise is straightforward.
Securing nonstandard Web servers
To prevent unauthorized users from exploiting your nonstandard Web server, you should take these steps.
- Identify your Web servers. You have to know they exist before you can secure them. Use a port scanner against your Internet-facing systems and other critical hosts, and scan all TCP ports, not just 80 and 443: the interfaces listed above live on ports such as 2301, 8000, 10000, and 27556. After identifying open ports, determine whether each one is a Web server by connecting to it with a browser or by sending a request with Netcat. Any HTTP response at all, whether a Web page or an error code such as 404 or 401, means you have found a Web server. A port that answers with nothing readable may still be an HTTPS interface; try it with https:// as well.
- Control network access to Web servers. Network security devices such as packet-filtering routers or firewalls should block all outside connections to nonstandard Web servers and, where possible, restrict the administrative ports to a dedicated management network or to the administrators' own hosts.
- Disable if not used. If you don't use the Web interface, disable it. Any listening services are points of potential access for attackers.
- Control access via a strong user ID and password. If you must use the interface, change any default account and choose a user ID and a password that are not easily guessed. Of course, if the interface is plain HTTP and the password crosses the network in cleartext, a strong password protects you only until the first time an attacker sniffs it; in that case we recommend not using the Web interface at all.
- Upgrade to the latest version--bugs are fixed rapidly by most vendors. If you are using a Web interface, make sure that you have the current version. Check with the vendor support site often to ensure that your version is the most recent.
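The identification step above is the one that usually gets skipped, because a browser and Netcat do not scale to every open port on every host. The following is an added example, not code from the original column: a small probe that sends a minimal HTTP request to a port and classifies whatever comes back, so that a list of open ports from a scanner can be reduced to a list of Web servers. The sample responses (and the Server header value in them) are constructed for illustration; the probe sends GET rather than HEAD because some small administrative servers do not implement HEAD.

```python
"""Added example: classify a listener as a Web server from the bytes it
returns to a raw HTTP request. Sample responses are constructed."""
import re
import socket
import sys

STATUS_LINE_RE = re.compile(rb"^HTTP/(\d\.\d)\s+(\d{3})")

# Constructed responses, as a scanner followed by a raw request might see them.
SAMPLE_RESPONSES = {
    "admin-404": (b"HTTP/1.0 404 Not Found\r\nServer: ExampleAdmin/1.0\r\n"
                  b"Content-Type: text/html\r\n\r\n<HTML>Not found</HTML>"),
    "admin-401": (b"HTTP/1.1 401 Unauthorized\r\n"
                  b"WWW-Authenticate: Basic realm=\"Administration\"\r\n\r\n"),
    "html-only": b"<HTML><HEAD><TITLE>Printer Status</TITLE></HEAD><BODY></BODY></HTML>",
    "ssh": b"SSH-2.0-OpenSSH_2.9\r\n",
    "silent": b"",
}


def classify_response(data):
    """Return (kind, status, banner).
    kind   : 'http' (proper status line), 'http09' (bare HTML with no status
             line, as minimal or very old servers send), 'other', or 'silent'.
    status : numeric status code for 'http', else None.
    banner : Server header for 'http', first line of the reply for 'other'."""
    if not data.strip():
        return ("silent", None, "")
    head = data.lstrip()
    m = STATUS_LINE_RE.match(head)
    if m:
        server = ""
        for line in head.split(b"\n"):
            if line.lower().startswith(b"server:"):
                server = line.split(b":", 1)[1].strip().decode("latin-1", "replace")
                break
        return ("http", int(m.group(2)), server)
    lowered = head[:64].lower()
    if lowered.startswith(b"<html") or lowered.startswith(b"<!doctype html"):
        return ("http09", None, "")
    first = head.split(b"\n", 1)[0].rstrip(b"\r").decode("latin-1", "replace")
    return ("other", None, first[:60])


def is_web_server(classification):
    """Any HTTP reply, including an error, means a Web server is listening."""
    return classification[0] in ("http", "http09")


def probe_port(host, port, timeout=5.0):
    """Send a minimal HTTP/1.0 request and classify the reply.
    Connect timeouts report ('unreachable', None, ''); refusals ('closed', None, '')."""
    request = f"GET / HTTP/1.0\r\nHost: {host}:{port}\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            received = b""
            try:
                while len(received) < 4096:
                    chunk = sock.recv(1024)
                    if not chunk:
                        break
                    received += chunk
            except socket.timeout:
                pass  # server kept the connection open; classify what we have
    except socket.timeout:
        return ("unreachable", None, "")
    except OSError:
        return ("closed", None, "")
    return classify_response(received)


if __name__ == "__main__":
    # Usage: python probe.py HOST PORT [PORT ...]
    target = sys.argv[1]
    for p in sys.argv[2:]:
        result = probe_port(target, int(p))
        print(target, p, result, "<-- WEB SERVER" if is_web_server(result) else "")
```

A port classified as "other" with an unreadable first line, or one that closes immediately, may be an HTTPS listener rejecting the plaintext request at the TLS layer; confirm those separately with a browser using https:// or with openssl s_client. Run the probe only against hosts you are authorized to test.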
Many significant security exposures are due to nonstandard Web servers, and many vulnerabilities in them have been published. Search a public vulnerability database such as SecurityFocus.com to find out whether any nonstandard Web server you may be using has known vulnerabilities, and repeat the search whenever you add a device or application with a Web interface.
Chris Prosise is the vice president of professional services at Foundstone, a network security firm specializing in consulting and training. Formerly a U.S. Air Force officer and a Big 5 consultant, Chris is the coauthor of Incident Response: Investigating Computer Crime and is an adjunct professor at Carnegie Mellon University. Chris holds a B.S. in electrical engineering from Duke University and is a Certified Information Systems Security Professional (CISSP).
Saumil Udayan Shah, principal consultant for Foundstone, provides information security consulting services to Foundstone clients. Shah specializes in ethical hacking and security architecture. He holds an M.S. in computer science from Purdue University and is a Certified Information Systems Security Professional (CISSP).