Forum Moderators: ocean10000

IIS vulnerability found

     
5:53 pm on Dec 28, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 1, 2005
posts:733
votes: 0


...
There appears to be some disagreement over the severity of the bug, which Dalili said affects all versions of IIS. While he rated it "highly critical," vulnerability tracker Secunia classified it as "less critical," which is only the second notch on its five-tier severity rating scale.
...

Source: the Register [theregister.co.uk]

Meaning that it is possible to upload an executable file such as malware.asp;.jpg

When uploading, most code will only check for the last extension (.jpg in this case) and allow the upload. When requesting this file, IIS executes it as an .asp file, ignoring the extension after the semicolon.

It's easy to protect yourself, though: when checking the extension of an uploaded file, make sure to also check for a semicolon in the filename.

7:33 pm on Dec 28, 2009 (gmt 0)

Administrator

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

joined:Jan 14, 2004
posts:864
votes: 3


I wouldn't necessarily classify this as an IIS vulnerability, but more as a web application vulnerability, along the lines of cross-site scripting attacks.

The success of this type of attack depends on how the files are saved, where they are saved, and how they are served back to the user.

The easiest way is to save the user-uploaded content in a non-web-accessible folder, and use an ASP page or ASP.NET handler to stream that file out to the user. This would stop the attack in its tracks, since there is no way for IIS to process the file as a scripted page.

8:28 am on Dec 29, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 1, 2005
posts:733
votes: 0


The easiest way is to save the user-uploaded content in a non-web-accessible folder, and use an ASP page or ASP.NET handler to stream that file out to the user.

This is the safer and better option, but I don't think it's the easiest; a simple check for an extension beginning with a semicolon before uploading is still easier in my eyes.

I have tested this in IIS6, 7 and 7.5 and can only reproduce it with IIS6. IIS7 and 7.5 just output the contents of the file.

And it seems that a .NET file is not affected (e.g. '.aspx;.jpg'). I tried with and without a code-behind file.

Steps I took:

- Created two new files, test.asp and test.aspx (in this test without code behind)
- test.asp has the code <% Response.Write("Hello World") %>
- test.aspx also has a Response.Write in the Page Load event

- Tested both files to make sure they are working.
- Changed the extension of both files by prepending ;.jpg
- Requested both files in the browser with the new file name.

Results:
- IIS6 parsed the test.asp;.jpg file as if it was a standard .asp file, outputting 'Hello world'. The test.aspx;.jpg resulted in an error.

- IIS7 and 7.5 returned the full contents (source code) of both the test.asp;.jpg and test.aspx;.jpg files.

According to the report, this affected 'the most recent version'* of IIS, so maybe I'm missing a step here. Can anyone else reproduce this problem in IIS7 or 7.5 (or with an .aspx file)?

* Although later in the article it states '...it did confirm the bug on a machine running a fully patched version of Windows Server 2003 R2 SP2 with Microsoft IIS version 6...', which is definitely not the latest version of IIS.

4:23 pm on Jan 13, 2010 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 20, 2007
posts:588
votes: 0


I have several upload scripts on my IIS6; this vulnerability didn't work on my server.

Think this may be a personal script issue.

5:21 pm on Jan 13, 2010 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 20, 2007
posts:588
votes: 0


Ah, but the file does run on my IIS6 if it got uploaded.
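
The two mitigations discussed in this thread (rejecting semicolons in uploaded filenames, and storing uploads outside the web root under a server-chosen name), shown as an added example that is not code from any poster. It is written in Python for a runnable illustration of the logic; `ALLOWED_EXTENSIONS`, `UPLOAD_DIR` and the function names are assumptions, and the filename rule is stricter than the semicolon check alone.

```python
import ntpath  # Windows path rules on any platform, since the target is IIS
import re
import uuid

ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}  # assumed allow-list
UPLOAD_DIR = r"D:\app_data\uploads"  # assumed folder outside the web root
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def naive_is_allowed(filename):
    """The check the thread warns about: only the last extension is inspected."""
    return ntpath.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def validate_upload_name(filename):
    """Return the normalized extension, or raise ValueError for a bad name."""
    base = ntpath.basename(filename)  # drop any client-supplied path
    if ";" in base:
        # IIS6 ignores everything after the semicolon when choosing a handler
        raise ValueError("semicolon in filename")
    stem, ext = ntpath.splitext(base)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    if not _SAFE_STEM.match(stem):
        # Also rejects extra dots, colons and other separators in the stem
        raise ValueError("unexpected characters in filename")
    return ext.lower()


def storage_path(filename):
    """Pick a server-generated name; the client's name never reaches disk."""
    ext = validate_upload_name(filename)
    return ntpath.join(UPLOAD_DIR, uuid.uuid4().hex + ext)


if __name__ == "__main__":
    # Constructed sample names, including the one quoted in the thread
    for name in ["holiday.png", "malware.asp;.jpg", "test.asp", "a.asp.jpg"]:
        try:
            print(name, "naive:", naive_is_allowed(name), "->", storage_path(name))
        except ValueError as err:
            print(name, "naive:", naive_is_allowed(name), "-> rejected:", err)
```

A download handler would then look the stored path up by an ID and stream the bytes, so no URL ever maps directly to a file in `UPLOAD_DIR`.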