Microsoft's Internet Information Server offers Web, FTP, Mail and NNTP services. If the server is protected by a firewall using Network Address Translation and the server uses a private internal IP address, then by making a malformed request to the web service an attacker can discover this IP address. Whilst this won't come anywhere near to allowing an attacker to compromise an IIS server, it will help them formulate further attacks. This issue is similar to the issue documented at http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q218180&id=KB;EN-US;Q218180.
When certain requests are made to the web service with a blank Host HTTP client header, the server's response will often contain the server's IP address, for example when the PROPFIND request method is used:
PROPFIND / HTTP/1.1
Host:
Content-Length: 0
The server will return a 207 Multi-Status response with certain properties of the root page. The server's IP address will be revealed in the HREF property. Using the WRITE or MKCOL method will return the machine's IP address in the Location server HTTP header, though of course if the server allows the WRITE and MKCOL methods then the server has greater problems.
Only IIS 5 and 5.1 support the WebDAV methods so these methods only affect these systems. IIS 5.x and 4.0 are both vulnerable to this issue if Basic authentication is enabled.
Fix information:
To prevent internal IP address disclosure take the following steps.
Open a command prompt and change the current directory to c:\inetpub\adminscripts or to where the adminscripts can be found.
Run the commands
adsutil set w3svc/UseHostName True
net stop iisadmin /y
net start w3svc
This will cause the IIS server to use the machine's host name rather than its IP address.
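To confirm the change took effect, the reply to the blank-Host PROPFIND can be audited for RFC 1918 addresses in its headers (such as Location) and in the DAV href values. The following is an added example, not part of the original advisory; the function names, the sample replies and the host name webserver01 are constructed for illustration.

```python
import http.client
import ipaddress
import re

# RFC 1918 ranges: the private addresses NAT is meant to keep hidden.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
HREF = re.compile(r"<(?:[\w-]+:)?href>(.*?)</(?:[\w-]+:)?href>", re.I | re.S)

def private_ips(text):
    """Return the distinct RFC 1918 IPv4 addresses in text, in order of appearance."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:          # dotted number that is not an address
            continue
        if any(ip in net for net in RFC1918) and candidate not in found:
            found.append(candidate)
    return found

def audit_response(headers, body):
    """Map each leaking field (any header, or the DAV href values) to its private IPs."""
    leaks = {name.lower(): private_ips(value) for name, value in headers}
    leaks["href"] = private_ips(" ".join(HREF.findall(body)))
    return {field: ips for field, ips in leaks.items() if ips}

def check_server(host, port=80, timeout=5):
    """Send the advisory's blank-Host PROPFIND to a server you administer; audit the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.putrequest("PROPFIND", "/", skip_host=True)  # suppress automatic Host
        conn.putheader("Host", "")
        conn.putheader("Content-Length", "0")
        conn.endheaders()
        resp = conn.getresponse()
        return audit_response(resp.getheaders(), resp.read().decode("latin-1"))
    finally:
        conn.close()

# Constructed sample replies (not captured from a real server).
BODY = ('<?xml version="1.0"?><a:multistatus xmlns:a="DAV:"><a:response>'
        "<a:href>http://{}/</a:href></a:response></a:multistatus>")
HEADERS = [("Server", "Microsoft-IIS/5.0"), ("Content-Type", "text/xml")]

if __name__ == "__main__":
    print("before fix:", audit_response(HEADERS, BODY.format("10.1.2.3")))
    print("after fix: ", audit_response(HEADERS, BODY.format("webserver01")))
```

An empty result from check_server means no private address appeared in the reply; public addresses are deliberately not flagged.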