← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
tenable:10759 · CWE-200 · Disclosed 2000-07-13

Web Server HTTP Header Internal IP Disclosure

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a receptionist accidentally mentioning the staff-only hallway number, not handing over the master key

Tenable plugin 10759 is a symptom check, not a modern exploit chain. It fires when a web stack leaks an internal RFC1918 IP or internal hostname in headers such as Location, Content-Location, or WWW-Authenticate. Tenable maps it to CVE-2000-0649, whose original case was Microsoft IIS 4.0 returning an internal IP after a specially crafted HTTP/1.0 request against a basic-auth protected page with no realm defined; modern hits are often similar misconfigurations on IIS, reverse proxies, load balancers, or Exchange front ends rather than the exact 2000-era bug.

The vendor's LOW call is basically right, and if anything the practical enterprise risk is even lower. The leak is recon-only: it can help an attacker map origin infrastructure or confirm NAT/proxy topology, but it does not grant code execution, authentication bypass, or direct data access. The biggest reality check is request friction: mainstream browsers use HTTP/1.1+ and send Host, so most findings require deliberate malformed probing rather than ambient internet traffic.

"This is recon leakage, not compromise: fix it as web-tier hygiene, not as an urgent patch event."
02 · The Attack Path

3 steps from start to impact.

STEP 01

Send a non-standard probe

The attacker uses a raw client such as netcat, openssl s_client, or Metasploit's auxiliary/scanner/http/owa_iis_internal_ip to send an HTTP/1.0 request or a request missing a valid Host header. This is not normal browser behavior; it is explicit scanner behavior designed to exercise fallback header-generation logic.
Conditions required:
  • Unauthenticated network reachability to the HTTP(S) listener
  • Ability to send raw or malformed HTTP rather than relying on a browser
Where this breaks in practice:
  • Many modern reverse proxies normalize or reject malformed requests
  • Browsers typically include Host, so casual user traffic will not trigger the condition
  • WAFs and edge services may drop host-less or legacy-protocol requests
Detection/coverage: Well covered by vulnerability scanners; edge logs and WAF telemetry can flag HTTP/1.0 or missing/NULL Host requests. Passive internet search engines do not reliably detect this without active malformed probing.
STEP 02

Hit a code path that reflects origin identity

A redirect, auth challenge, error path, or server variable lookup returns a header containing the internal IP or internal hostname. On IIS-family cases, this can show up in Location, Content-Location, or values derived from SERVER_NAME before the public-facing alternate host name is applied.
Conditions required:
  • A vulnerable or misconfigured redirect/auth/error path exists
  • The specific endpoint or virtual host returns origin-derived header content
Where this breaks in practice:
  • Not every URI triggers the leak
  • Some products only leak on specific auth-protected or folder-style requests
  • Canonical host configuration often suppresses the issue
Detection/coverage: Active scanners like Nessus and Metasploit modules catch this reliably when they test the right path. Generic SCA/SBOM tooling will not.
STEP 03

Use the leak for infrastructure recon

The attacker correlates the leaked private address or internal hostname with cloud ranges, VPN segments, naming conventions, or later SSRF/lateral-movement opportunities. This is supporting intelligence, not compromise by itself.
Conditions required:
  • The disclosed value is actually useful and not just a generic RFC1918 address
  • The attacker has another follow-on path that benefits from topology knowledge
Where this breaks in practice:
  • A single private IP rarely changes the attacker's options on its own
  • Zero-trust segmentation, private DNS isolation, and egress filtering blunt follow-on value
  • If the exposed service already reveals product identity, the marginal intel gain is small
Detection/coverage: No direct payload or shell follows from this step. Detection shifts to broader recon correlation, such as repeated malformed requests across many URIs or subsequent probing of related internal hostnames.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo evidence this issue is in CISA KEV, and I found no credible reporting of current campaigns using this header leak as a primary intrusion vector. Public tooling exists, but campaign relevance is weak.
Proof-of-concept availabilityYes. Tenable marks exploit availability as true, and Rapid7 publishes Metasploit scanner modules for related IIS internal-IP disclosure checks, including auxiliary/scanner/http/owa_iis_internal_ip.
EPSSTenable's CVE page currently shows EPSS 0.65163 for CVE-2000-0649. Treat that cautiously: EPSS on very old, generic, scanner-friendly CVEs can overstate enterprise urgency versus the actual recon-only impact.
KEV statusNot listed in the CISA Known Exploited Vulnerabilities catalog.
CVSS vectorPlugin page shows CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N (3.1, Low), which better matches reality than Tenable's separate CVE page 5.3 vector. In plain English: remote, but fiddly, and the only impact is limited confidentiality loss.
Affected versions / scopeAuthoritatively, the mapped CVE describes IIS 4.0 on 2000-07-13. Operationally, the plugin is broader than the CVE and can also flag modern IIS, Exchange front ends, reverse proxies, load balancers, and apps that emit private IPs in redirect or auth headers.
Fixed versionsThere is no single universal fixed version for plugin 10759 because many findings are configuration-driven. For IIS 7.0, Microsoft documented a hotfix plus setting alternateHostName; for other stacks, the fix is usually canonical host/redirect/header configuration.
Scanning / exposure dataThis is not meaningfully countable via Shodan/Censys/FOFA alone because passive banners do not prove the malformed-request behavior. Exposure has to be validated with active probing, which is exactly why Nessus and Metasploit-style checks exist.
Disclosure dateThe mapped CVE was disclosed on 2000-07-13; Tenable plugin 10759 was published on 2001-09-14.
Researcher / reporting orgThe older Microsoft bulletin cited Internet Security Systems X-Force and David Litchfield / Cerberus Information Security for IIS issues of that era; the specific CVE record itself is maintained through MITRE/NVD attribution.
04 · The Call

noisgate verdict.

Final Verdict
= UNCHANGED to LOW (1.8/10)

The decisive factor is attack friction: this usually requires deliberate malformed HTTP/1.0 or host-less requests that normal clients do not send. Even when triggered, the result is architecture leakage, not initial access or privilege gain, so the real-world blast radius stays small.

HIGH Impact remains recon-only
MEDIUM Generic plugin-to-product mapping on modern deployments

Why this verdict

  • Malformed request prerequisite: the interesting code path is usually reached with HTTP/1.0 or a missing/NULL Host header, which implies intentional probing rather than ambient user traffic.
  • Impact is limited to confidentiality of topology: the leak exposes a private IP or internal hostname, but does not create code execution, auth bypass, or arbitrary read/write.
  • Reachable population is narrower than the plugin name suggests: the original CVE is ancient IIS behavior, while many modern detections are configuration quirks on only some URIs, redirects, or auth flows.
  • Modern controls often intercept it: reverse proxies, WAFs, canonical-host rules, and strict request parsing commonly stop or normalize the request before the origin leaks anything.
  • EPSS is not the deciding signal here: the current EPSS value is high for the CVE record, but the practical enterprise outcome is still a weak recon primitive with limited standalone value.

Why not higher?

To rate higher, this would need to create an attacker foothold or materially shorten time-to-compromise across a broad exposed population. It does neither. The attacker still needs a separate exploitable bug, valid credentials, or another trust boundary failure before the leaked address becomes operationally useful.

Why not lower?

I am not putting this in IGNORE because it can still reveal internal naming and addressing on public services, and that does have reconnaissance value in real attack chains. It also frequently points to sloppy edge or redirect configuration, which is worth cleaning up during normal hardening.

05 · Compensating Control

What to do — in priority order.

  1. Reject malformed host-less requests — At the edge proxy, WAF, or web server, block or normalize HTTP/1.0 requests and requests with missing/NULL Host headers where business-safe. For a LOW finding, deploy during the next normal hardening cycle; there is no accelerated SLA, but this is the cleanest way to suppress the behavior across many hosts at once.
  2. Set a canonical public hostname — On IIS-family systems, ensure redirects and server-runtime settings return the public FQDN rather than the origin IP; on other stacks, review Location, Content-Location, and auth/error templates. Do this as backlog hygiene in the next web-tier config sprint.
  3. Fix redirect and auth flows — Test folder redirects, auth challenges, and error pages specifically, because those are the paths most likely to leak origin details. Fold this into routine web application hardening rather than emergency change windows.
  4. Constrain origin exposure — If the service sits behind a reverse proxy or load balancer, keep the origin unexposed from the internet and restrict direct access with ACLs or network policy. That limits the usefulness of any leaked private address even if the header bug remains.
What doesn't work
  • Installing EDR does not prevent header leakage; this is a request-handling/configuration issue, not endpoint execution.
  • MFA does not address it; the leak often occurs before authentication succeeds and sometimes during redirect/auth challenge generation.
  • TLS renewal or certificate replacement does not help; the server can still emit a private IP in headers over a perfectly valid HTTPS session.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation or jump host that can reach the target URL; no admin privileges are required. Save as check-internal-ip-leak.sh and run bash check-internal-ip-leak.sh https://target.example.com /owa/ or bash check-internal-ip-leak.sh http://target.example.com /.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check-internal-ip-leak.sh
# Purpose: Detect RFC1918/internal IP disclosure in HTTP response headers using a raw HTTP/1.0 request.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=USAGE

set -u

usage() {
  echo "Usage: $0 <url> [path]"
  echo "Example: $0 https://example.com /owa/"
  exit 3
}

[ $# -lt 1 ] && usage

URL="$1"
PATH_PART="${2:-/}"

if [[ ! "$URL" =~ ^https?:// ]]; then
  echo "UNKNOWN - URL must start with http:// or https://"
  exit 2
fi

SCHEME="${URL%%://*}"
REST="${URL#*://}"
HOSTPORT="${REST%%/*}"
HOST="${HOSTPORT%%:*}"
PORT="${HOSTPORT##*:}"

if [[ "$HOST" == "$PORT" ]]; then
  if [[ "$SCHEME" == "https" ]]; then PORT=443; else PORT=80; fi
fi

REQ=$(printf 'GET %s HTTP/1.0\r\nUser-Agent: noisgate-check/1.0\r\nAccept: */*\r\nConnection: close\r\n\r\n' "$PATH_PART")
TMP=$(mktemp)
trap 'rm -f "$TMP"' EXIT

if [[ "$SCHEME" == "https" ]]; then
  RESP=$(printf "%s" "$REQ" | timeout 10 openssl s_client -quiet -connect "${HOST}:${PORT}" -servername "$HOST" 2>/dev/null || true)
else
  RESP=$(printf "%s" "$REQ" | timeout 10 nc "$HOST" "$PORT" 2>/dev/null || true)
fi

if [[ -z "$RESP" ]]; then
  echo "UNKNOWN - no response from ${HOST}:${PORT}"
  exit 2
fi

# Keep only header section
printf '%s\n' "$RESP" | awk 'BEGIN{RS="\r\n\r\n|\n\n"} NR==1{print}' > "$TMP"

if [[ ! -s "$TMP" ]]; then
  echo "UNKNOWN - unable to parse HTTP headers"
  exit 2
fi

# RFC1918, loopback, link-local, CGNAT
IP_REGEX='((10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})|(172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3})|(192\.168\.[0-9]{1,3}\.[0-9]{1,3})|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})|(169\.254\.[0-9]{1,3}\.[0-9]{1,3})|(100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.[0-9]{1,3}\.[0-9]{1,3}))'

LEAK_LINES=$(grep -E -i '^(Location|Content-Location|WWW-Authenticate|Refresh|Content-Base|URI|Link|Server):' "$TMP" | grep -E "$IP_REGEX" || true)

if [[ -n "$LEAK_LINES" ]]; then
  echo "VULNERABLE - internal/private IP found in response headers"
  echo "$LEAK_LINES"
  exit 1
fi

STATUS=$(head -n 1 "$TMP" | tr -d '\r')
if [[ "$STATUS" =~ ^HTTP/ ]]; then
  echo "PATCHED - no internal/private IP found in tested response headers"
  exit 0
fi

echo "UNKNOWN - non-HTTP response"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: validate whether the finding is on an internet-facing service and whether the leak is real with a raw HTTP/1.0 request, then document or suppress false-positive-style cases where only a non-routable address appears behind a tightly controlled edge. For a LOW verdict there is no noisgate mitigation SLA and no noisgate remediation SLA beyond backlog hygiene, so fold canonical-host / redirect cleanup into the next normal web-tier hardening sprint rather than burning emergency patch capacity on it.

Sources

  1. Tenable Nessus Plugin 10759
  2. NVD CVE-2000-0649
  3. MITRE CVE record
  4. Microsoft support article on IIS internal IP disclosure
  5. Rapid7 Metasploit module for IIS internal IP disclosure
  6. CISA Known Exploited Vulnerabilities catalog
  7. Tenable CVE page with EPSS
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.