Microsoft IIS Vulnerability in Parsing Files (semi‐colon bug)
----------------------------------------------------------------------------------------------
Reasonof Update:Update in version of vulnerable application
Application:Microsoft Interne tInformation Services IIS(Allversions Work successfully on IIS6 and prior versions–IIS7 has not been tested yet–does not work on IIS7.5)
Impact:Highly Critical for WebApplications
Foundby:Soroush Dalili(Irsdl{4t]yahoo[d0t}com)
Website:Soroush.SecProject.com
Weblog:Soroush.SecProject.com/blog/
ThanksFrom:Mr.Ali Abbas Nejad,Mormoroth,Aria-Security Team,and other ethical hackers.
Vulnerability/RiskDescription:
IIS can execute any extension as an Active Server Page or any other executable extension.For instance "malicious.asp;.jpg" is executed as an ASP file on the server.Many file uploaders protect the system by checking only the last section of thefile name as its extension.And by using this vulnerability,an attacker can by pass this protection and upload a dangerous executable file on the server.
ImpactDescription:
Impact of this vulnerability is absolutely high as anattacker can bypass file extension protections by using a semi-colon after anexecutable extension such as".asp",".cer",".asa",and so on.
Many web applications are vulnerable against file uploading attacks because of this weakness of IIS.In a measurement which was performed in summer2008 on some of the famous web applications, 70 percent of these cure file uploaders were by passed by using this vulnerability.
Method of Finding:
Simple fuzzer by using ASP language it self.
More Details:
In case of having the "malicious.asp;.jpg", web applications consider it as a JPEG file and IIS consider it as an ASP file and pass it to "asp.dll". This bug does not work with ASP.Net as the .Net technology can not recognize "malicious.aspx;.jpg" as a .Net file and shows a "pagenotfound" error.
Besides using semi-colon,":"can be used to make an empty file with any arbitrary extension.For example by uploading"test.asp:.jpg",an empty ASP file-"test.asp”" - would be created on the server on an NTFS partition.This is only because of "NTFS Alternate Data Streams" and it is completely different from the semi-colon vulnerability.
FastSolution / Recommendation:
ForWebDevelopers:
1)Highly Recommended: Use a completely random string as a file name and set its extension by the webapplication it self(by using a" switch-case or select-case" for example)and never accept the user’s input as the file name.
2)Only accept alpha-numerical strings as the file name and its extension.
ForWebmasters:
Remove "execute" permission from the upload directories(folders).
Proof of Concept / Exploit:
Many of the web applications can be exploited by using this vulnerability.We can not announce their names before the Microsoft security patch for IIS because of security reasons.
Related Documents:
http://www.owasp.org/index.php/Unrestricted_File_Upload
http://www.owasp.org/index.php/File_System
http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf
----------------------------------------------------------------------------------------------
Reasonof Update:Update in version of vulnerable application
Application:Microsoft Interne tInformation Services IIS(Allversions Work successfully on IIS6 and prior versions–IIS7 has not been tested yet–does not work on IIS7.5)
Impact:Highly Critical for WebApplications
Foundby:Soroush Dalili(Irsdl{4t]yahoo[d0t}com)
Website:Soroush.SecProject.com
Weblog:Soroush.SecProject.com/blog/
ThanksFrom:Mr.Ali Abbas Nejad,Mormoroth,Aria-Security Team,and other ethical hackers.
Vulnerability/RiskDescription:
IIS can execute any extension as an Active Server Page or any other executable extension.For instance "malicious.asp;.jpg" is executed as an ASP file on the server.Many file uploaders protect the system by checking only the last section of thefile name as its extension.And by using this vulnerability,an attacker can by pass this protection and upload a dangerous executable file on the server.
ImpactDescription:
Impact of this vulnerability is absolutely high as anattacker can bypass file extension protections by using a semi-colon after anexecutable extension such as".asp",".cer",".asa",and so on.
Many web applications are vulnerable against file uploading attacks because of this weakness of IIS.In a measurement which was performed in summer2008 on some of the famous web applications, 70 percent of these cure file uploaders were by passed by using this vulnerability.
Method of Finding:
Simple fuzzer by using ASP language it self.
More Details:
In case of having the "malicious.asp;.jpg", web applications consider it as a JPEG file and IIS consider it as an ASP file and pass it to "asp.dll". This bug does not work with ASP.Net as the .Net technology can not recognize "malicious.aspx;.jpg" as a .Net file and shows a "pagenotfound" error.
Besides using semi-colon,":"can be used to make an empty file with any arbitrary extension.For example by uploading"test.asp:.jpg",an empty ASP file-"test.asp”" - would be created on the server on an NTFS partition.This is only because of "NTFS Alternate Data Streams" and it is completely different from the semi-colon vulnerability.
FastSolution / Recommendation:
ForWebDevelopers:
1)Highly Recommended: Use a completely random string as a file name and set its extension by the webapplication it self(by using a" switch-case or select-case" for example)and never accept the user’s input as the file name.
2)Only accept alpha-numerical strings as the file name and its extension.
ForWebmasters:
Remove "execute" permission from the upload directories(folders).
Proof of Concept / Exploit:
Many of the web applications can be exploited by using this vulnerability.We can not announce their names before the Microsoft security patch for IIS because of security reasons.
Related Documents:
http://www.owasp.org/index.php/Unrestricted_File_Upload
http://www.owasp.org/index.php/File_System
http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf
