How to remove 'Microsoft-HTTPAPI/2.0'?

Eugene Ilyin · 2016-03-27 17:14:46

Hi,

I'm use Win 8.1 Pro as my dev env for mORMot 1.18.1530 HTTP Server application.

As you know, when your TSQLHttpServer is choose to run over THttpApiServer, the http.sys always add 'Server: ... Microsoft-HTTPAPI/2.0' into HTTP response header.

According to:
http://marc-lognoul.me/2012/12/04/share … y-reasons/
https://blogs.msdn.microsoft.com/varunm … e-headers/
http://blog.paulbouwer.com/2013/01/09/a … ows-azure/
http://stackoverflow.com/questions/1178 … eader-iis7

To remove this piece in response you need to add:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

DisableServerHeader : REG_DWORD = 1

Then restart http.sys service (interesting that this service is not visible under services.msc)

net stop http
net start http

The issue is that all this manipulations doesn't help me to exclude this 'Microsoft-HTTPAPI/2.0' in HTTP Responses

Even put it into .OutCustomHeaders doesn't help.

function TSampleHTTPServer.Request(Context: THttpServerRequest): Cardinal;
begin
  Result := inherited Request(Context);
  Context.OutCustomHeaders := Context.OutCustomHeaders + 'Server: Sample'#$D#$A;
end;

Anything else can help me to fix it or useHttpSocket is the only option?

Thanks

ab · 2016-03-27 18:46:34

Out of interest, why do you want to remove this header?
If it is to improve performance, it won't change anything, since one header won't change the number of IP packets sent.

Note that mORMot server is http.sys, not IIS.
There is no such "http.sys service".
http.sys is an API, with an associated service, used by IIS, but not the same as IIS.

Did you to change the following lines in SynCrtSock.pas:

          with Resp^.Headers.KnownHeaders[respServer], CurrentLog^ do begin
            pRawValue := ServerName;
            RawValueLength := ServerNameLength;
          end;

Eugene Ilyin · 2016-03-27 19:13:30

Hi ab, thanks for reply.

It's not a HTTP packet size related issue ("corresponding to a MTU of 1500 bytes" SynCrtSock.pas: 615)

I'm fully understand that http.sys is a kernel-level subsystem used by mORMot or IIS.
But many people faced with "Server: " changes/hides issue when use IIS.
That why I mentioned links with advice how to fix it on http.sys level.

I tried to [comment/change/extend/make empty] the code that you mentioned, but the append of 'Microsoft-HTTPAPI/2.0' is happen on the http.sys level an suggested registry FIX doesn't help to remove it.

As for my primary interest - it's security:

I'm happy to see mORMot on the "Server: " HTTP Response Header, but I'm totally not happy to tell operational system and used API additionally to end-users.

Of course Load Balancer (Route 53 / nginx / Apache) can hide it from end-user, but for dev/qa/uat env. I'm prefer not to use it when show pre-prod demos to clients.

The framework seems very mature and it's strange for me that nobody tries to remove MS post-fix in "Server: " http-response.

As for long-term solution (and possible migration to Linux kernel in future) I decide to use useHttpSocket and forget about http.sys option (even with possible performance penalties of such decision).

ab · 2016-03-28 09:07:03

IMHO there is no security concern here.
It is the API interface level, not the API implementation level.
Impossible to identify security breaches with this information.

Eugene Ilyin · 2016-03-28 13:12:01

Hi, ab,

I use single exe-file for prod server + single db-file for database - interface and implementation is merged in one simple, light, portable solution (just run exe-file on amazon node or any other dedicated service and Wuala! is less than a second production deployment has been complete).

If this solution will be available to clients without load-balancer: any hacker will know OS, framework, and used core windows library just by reading the "Server: " line in any browser.

Do you think that there are no security concerns here and Windows (or http.sys or mORMot) zero-day vulnerabilities are not applicable?

I have an answer here. What is your experience and feedback from other developers following not changeable "Server: " post-fix in production systems?
It will be nice if I'm just being to paranoid (I have no so many real hackers attack to be ensure that most of security breaches are closed).

Thanks

P.S. as I understand this synopse.info forum interface is "server:lighttpd/1.4.26" but forum functional implementation is hidden somewhere deeper.

mpv · 2016-03-28 13:47:29

@Eugene I tried to remove this header (many times, many ways) - but can't find a solution. Looks like HTTP API always add it. But solution MUST exists - IIS does it. 100% this feature is undocumented Microsoft feature If you find a solution, please, write here.

And yes, I need to remove Server header during security reason.

P.S.
The only way I know is to use some proxy (nginx for example) and remove this header on the proxy level. But this is pain

Eugene Ilyin · 2016-03-28 14:15:33

Just to illustrate what I'm talking about, when you didn't remove http.sys "Server: ... Microsoft-HTTPAPI/2.0»" postfix:

This can occurred from time to time:

Microsoft Security Bulletin MS15-034 - Critical
Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)

And that what we have aftermath:

Or even that:

Just one of the version of this exploit looks like very simple http-request for me:

GET /%7Bwelcome.png HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: [server-ip]
Connection: Keep-Alive
Range: bytes=18-18446744073709551615

Again, maybe I too paranoid here, but showing to everybody in the world that my solution is using specific OS, Framework, and http.sys looks a little bit nervous.

Eugene Ilyin · 2016-03-28 15:58:15

From the IIS perspective, according to this: there are no ways to remove Microsoft-HTTPAPI/2.0 postfix.

DisableServerHeader only applies to the Server header added by
HTTP.SYS IFF an HTTP API application does not set the Server header.
IIS intentionally sets and removes the Server header, so that registry
key has no relevance on IIS6.
Most people ask about removing the Server header because they ran some
security scanner that complains about it, or they read somewhere that
removing Server header "improves" security, so they want to do it.
However, since removing the Server header does neither, IIS team does
not consider the Server header a problem and its remove a solution, so
there is no built-in feature anywhere. You will have to search for the
add-on modules to remove the header but that may have other side
effects.

ab · 2016-03-28 16:00:41

This is the kind of exploit an attacker would do, whatever there is 'Microsoft-HTTPAPI/2.0' in the headers, or not...
I'm not sure a plain http.sys mORMot server would be affected, since the MS bulletin states that "Disable IIS kernel caching" is a potential workaround, and since by default, SynCrtSocket does not use kernel caching.

Anyway, of course, the less information, the better...

mpv · 2016-03-29 07:19:17

No, IIS removes header Server: "Microsoft-HTTPAPI/2.0" and replace it to "Server:Microsoft-IIS/7.5", so the way to replace header exists. I will look to .NET Core HTTPListener - if it also removes header, then we can reflect .NET realization and try to look at the MSIL level how they remove it.

Eugene Ilyin · 2016-03-29 22:05:01

Hi mpv,
Let me know if you success with it.
Also I've tried to find this char sequence in http.sys to set with OllyDbg control break-point, but no luck yet.

Eugene Ilyin · 2016-03-29 22:12:56

Here is the Microsoft note for previous API version:

By default, HttpSendHttpResponse uses "Microsoft-HTTPAPI/1.0" as the "Server:" header. If an application specifies a server header in a response, that value is placed as the first part of the server header, followed by a space and then "Microsoft-HTTPAPI/1.0".

mORMot Open Source

#1 2016-03-27 17:14:46

How to remove 'Microsoft-HTTPAPI/2.0'?

#2 2016-03-27 18:46:34

Re: How to remove 'Microsoft-HTTPAPI/2.0'?

#3 2016-03-27 19:13:30

Re: How to remove 'Microsoft-HTTPAPI/2.0'?

#4 2016-03-28 09:07:03

Re: How to remove 'Microsoft-HTTPAPI/2.0'?

#5 2016-03-28 13:12:01

Re: How to remove 'Microsoft-HTTPAPI/2.0'?

#6 2016-03-28 13:47:29

Re: How to remove 'Microsoft-HTTPAPI/2.0'?

#7 2016-03-28 14:15:33

Re: How to remove 'Microsoft-HTTPAPI/2.0'?

#8 2016-03-28 15:58:15

Re: How to remove 'Microsoft-HTTPAPI/2.0'?

#9 2016-03-28 16:00:41

Re: How to remove 'Microsoft-HTTPAPI/2.0'?

#10 2016-03-29 07:19:17

Re: How to remove 'Microsoft-HTTPAPI/2.0'?

#11 2016-03-29 22:05:01

Re: How to remove 'Microsoft-HTTPAPI/2.0'?

#12 2016-03-29 22:12:56

Re: How to remove 'Microsoft-HTTPAPI/2.0'?

Board footer