Thursday, December 24, 2009

Microsoft IIS File Parsing Extension Vulnerability

A vulnerability has been identified in Microsoft Internet Information Services (IIS) where the server in incorrectly handling files with multiple extensions separated by the ";" character such as "malicious.asp;.jpg" as an ASP file. This could allow attackers to upload malicious executables on a vulnerable web server, bypassing file extension protections and restrictions. This vulnerability does not work with ASP.Net.

Finding Date: April 2008
Report Date: Dec. 2009
Found by: Soroush Dalili (Irsdl {4t] yahoo [d0t} com)
Website: Soroush.SecProject.com
Weblog: Soroush.SecProject.com/blog/
Thanks From: Mr. Ali Abbas Nejad, Mormoroth, Aria‐Security Team, and other ethical hackers.

Vulnerability/Risk Description:
IIS can execute any extension as an Active Server Page or any other executable extension. For instance “malicious.asp;.jpg” is executed as an ASP file on the server. Many file uploaders protect the system by checking only the last section of the filename as its extension. And by using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file on the server.

Impact Description:
Impact of this vulnerability is absolutely high as an attacker can bypass file extension protections by using a semi‐colon after an executable extension such as “.asp”, “.cer”, “.asa”, and so on.Many web applications are vulnerable against file uploading attacks because of this weakness of IIS. In a measurement which was performed in summer 2008 on some of the famous web applications, 70 percent of the secure file uploaders were bypassed by using this vulnerability.

Method of Finding:
Simple fuzzer by using ASP language itself.

More Details:
In case of having the “malicious.asp;.jpg”, web applications consider it as a JPEG file and IIS consider it as an ASP file and pass it to “asp.dll”. This bug does not work with ASP.Net as the .Net technology cannot recognize “malicious.aspx;.jpg” as a .Net file and shows a “page not found” error.
Besides using semi‐colon, “:” can be used to make an empty file with any arbitrary extension. For example by uploading “test.asp:.jpg”, an empty ASP file ‐ “test.asp” ‐ would be created on the server on an NTFS partition. This is only because of “NTFS Alternate Data Streams” and it is completely different from the semi‐colon vulnerability.


More details about this vulnerability here.

3 comments:

Technology said...

OpExpert is a unified solution to manage the entire IT operations for any organization, small or big. The functionality includes Enterprise Management, Performance Management, Fault Management, Network Performance Management, Server Performance Management, Virtualization Management. www.opexpert.com

80sec said...

The bug wasn't found by Mr.Dalili, the original bug has been published here http://www.80sec.com/microsoft-internet-infomation-server-6-isapi-filename-analytic-vulnerabilitie.html few months ago
im sorry for your childish thoughts

Anonymous said...

You have to express more your opinion to attract more readers, because just a video or plain text without any personal approach is not that valuable. But it is just form my point of view