Monday, December 28, 2009

Old Fashion Microsoft IIS Vulnerability


An old-fashioned vulnerability has been discovered in Microsoft Internet Information Services (IIS), where the server incorrectly interprets files whose name contains multiple extensions separated by the character ";".




The file "aspShell.as;.jpg" is interpreted by web applications as a normal JPEG file, while IIS treats it as an ASP file to be executed.

This allows attackers to upload malicious executables to the vulnerable web server, bypassing the usual file extension protections. Given "aspShell.as;.jpg", web applications consider it a JPEG file, whereas IIS considers it an ASP file and passes it to "asp.dll".

This bug does not work with ASP.NET, because the .NET technology cannot recognize "aspShell.as;.jpg" as a .NET file and returns a "page not found" error.

Besides the semicolon, ":" can be used to create an empty file with any arbitrary extension. For example, uploading "test.asp:.jpg" creates an empty ASP file, "test.asp", on the server when it sits on an NTFS partition. This is purely a consequence of NTFS Alternate Data Streams and is completely different from the semicolon vulnerability.

The bug was discovered in April 2008 but only reported on 25 December 2009.

This vulnerability has a very high impact on IIS, as an attacker can bypass file extension protections by placing a semicolon after an executable extension such as ".asp", ".cer", ".asa", and others.
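The following is an added illustration, not code from the original post: it models the mismatch described above between a typical upload filter (which only inspects the text after the last dot) and the way IIS 6 resolves a stored file name (truncating at ";" and, on NTFS, treating ":" as the start of an alternate data stream). The extension lists, the sample file names and the `iis6_effective_name` model are assumptions made for the example; the hardened check shows one allow-list approach that does not trust the last extension alone.

```python
import os
import re

# Constructed lists for this example: extensions the post says IIS hands to asp.dll,
# and the extensions an image upload form would normally accept.
SCRIPT_EXTENSIONS = {".asp", ".cer", ".asa"}
ALLOWED_UPLOAD_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png"}

def naive_extension_check(filename: str) -> bool:
    """Typical (vulnerable) upload filter: only the text after the last dot is examined."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_UPLOAD_EXTENSIONS

def iis6_effective_name(filename: str) -> str:
    """Assumed model of how IIS 6 resolves a stored name: everything from the first
    ';' is dropped, and a ':' starts an NTFS alternate data stream, so the file that
    actually exists on disk is the part before it."""
    base = filename.split(";", 1)[0]
    return base.split(":", 1)[0]

def handled_by_script_engine(filename: str) -> bool:
    """Would IIS 6 pass the stored file to a script engine such as asp.dll?"""
    ext = os.path.splitext(iis6_effective_name(filename))[1].lower()
    return ext in SCRIPT_EXTENSIONS

# Exactly one dot, no ';' or ':' and no path separators anywhere in the name.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+")

def hardened_extension_check(filename: str) -> bool:
    """Allow-list check: the whole name must be simple, and the single extension allowed."""
    if not _SAFE_NAME.fullmatch(filename):
        return False
    return os.path.splitext(filename)[1].lower() in ALLOWED_UPLOAD_EXTENSIONS

def audit(filenames):
    """Names the naive filter would accept even though IIS would execute them."""
    return [f for f in filenames if naive_extension_check(f) and handled_by_script_engine(f)]

if __name__ == "__main__":
    # Constructed sample upload names for the demonstration.
    samples = ["photo.jpg", "shell.asp;.jpg", "test.asp:.jpg", "plain.asp"]
    for name in samples:
        print(f"{name:16} naive={naive_extension_check(name)!s:5} "
              f"hardened={hardened_extension_check(name)!s:5} "
              f"iis_executes={handled_by_script_engine(name)}")
    print("slipped through naive filter:", audit(samples))
```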


To read more about the vulnerability, and for some examples, see here.
