Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22993
HistoryDec 29, 2009 - 12:00 a.m.

Microsoft IIS 0Day Vulnerability in Parsing Files (semi-colon bug)

2009-12-2900:00:00
vulners.com
99
JSON

############################################################
Microsoft IIS 0Day Vulnerability in Parsing Files (semi-colon bug)
############################################################
#Application: Microsoft Internet Information Services - IIS (All versions)
#Impact: Highly Critical for Web Applications
#Finding Date: April 2007
#Report Date: Dec. 2009
#Found by: Soroush Dalili (Irsdl {4t] yahoo [d0t} com)
#Website: Soroush.SecProject.com
#Weblog: Soroush.SecProject.com/blog/
#Thanks From: Mr. Ali Abbas Nejad, Mormoroth, Aria-Security Team, and other ethical hackers.
#Vulnerability/Risk Description:

  • IIS can execute any extension as an Active Server Page or any other executable extension.
    For instance “malicious.asp;.jpg” is executed as an ASP file on the server. Many file
    uploaders protect the system by checking only the last section of the filename as its
    extension. And by using this vulnerability, an attacker can bypass this protection and upload
    a dangerous executable file on the server.
    #Impact Description:
  • Impact of this vulnerability is absolutely high as an attacker can bypass file extension
    protections by using a semi-colon after an executable extension such as “.asp”, “.cer”,
    “.asa”, and so on.
  • Many web applications are vulnerable against file uploading attacks because of this
    weakness of IIS. In a measurement which was performed in summer 2008 on some of the famous
    web applications, 70 percent of the secure file uploaders were bypassed by using this
    vulnerability.
    #Method of Finding:
  • Simple fuzzer by using ASP language itself.
    #More Details:
  • In case of having the “malicious.asp;.jpg”, web applications consider it as a JPEG file
    and IIS consider it as an ASP file and pass it to “asp.dll”. This bug does not work with
    ASP.Net as the .Net technology cannot recognize “malicious.aspx;.jpg” as a .Net file and
    shows a “page not found” error.
  • Besides using semi-colon, “:” can be used to make an empty file with any arbitrary
    extension. For example by uploading “test.asp:.jpg”, an empty ASP file - “test.asp” - would
    be created on the server on an NTFS partition. This is only because of “NTFS Alternate Data
    Streams” and it is completely different from the semi-colon vulnerability.
    #Fast Solution/Recommendation:
  • For Web Developers:
    – Highly Recommended: Use a completely random string as a filename and set its
    extension by the web application itself (by using a “switch-case or select-case” for example)
    and never accept the user’s input as the filename.
    – Only accept alpha-numerical strings as the filename and its extension.
  • For Webmasters:
    – Remove “execute” permission from the upload directories (folders).
    #Proof of Concept/Exploit:
  • Many of the web applications can be exploited by using this vulnerability. We cannot
    announce their names before the Microsoft security patch for IIS because of security reasons.
    #Related Documents:
  • http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf
JSON