Wednesday, 27 March 2013

Microsoft IIS Vulnerability in Parsing Files (semi‐colon bug)

Microsoft IIS Vulnerability in Parsing Files (semi‐colon bug)
----------------------------------------------------------------------------------------------

Reason of Update: Update in version of vulnerable application
Application: Microsoft Internet Information Services (IIS). All versions: works successfully on IIS 6 and prior versions; IIS 7 has not been tested yet; does not work on IIS 7.5.
Impact: Highly Critical for Web Applications
Found by: Soroush Dalili (Irsdl{4t]yahoo[d0t}com)
Website: Soroush.SecProject.com
Weblog: Soroush.SecProject.com/blog/
Thanks From: Mr. Ali Abbas Nejad, Mormoroth, Aria-Security Team, and other ethical hackers.

Vulnerability / Risk Description:
IIS can execute any extension as an Active Server Page or any other executable extension. For instance, "malicious.asp;.jpg" is executed as an ASP file on the server. Many file uploaders protect the system by checking only the last section of the file name as its extension, and by using this vulnerability an attacker can bypass this protection and upload a dangerous executable file to the server.

Impact Description:
The impact of this vulnerability is absolutely high, as an attacker can bypass file extension protections by using a semi-colon after an executable extension such as ".asp", ".cer", ".asa", and so on.

Many web applications are vulnerable to file uploading attacks because of this weakness of IIS. In a measurement performed in summer 2008 on some of the famous web applications, 70 percent of the secure file uploaders were bypassed by using this vulnerability.

Method of Finding:
A simple fuzzer written in ASP itself.

More Details:
In the case of "malicious.asp;.jpg", web applications consider it a JPEG file, while IIS considers it an ASP file and passes it to "asp.dll". This bug does not work with ASP.NET, as the .NET technology does not recognize "malicious.aspx;.jpg" as a .NET file and shows a "page not found" error.

Besides using a semi-colon, ":" can be used to make an empty file with any arbitrary extension. For example, by uploading "test.asp:.jpg", an empty ASP file, "test.asp", would be created on the server on an NTFS partition. This is only because of "NTFS Alternate Data Streams" and it is completely different from the semi-colon vulnerability.

Fast Solution / Recommendation:

For Web Developers:
1) Highly Recommended: Use a completely random string as the file name and have the web application itself set the extension (by using a "switch-case" or "select-case", for example); never accept the user's input as the file name.

2) Only accept alpha-numerical strings as the file name and its extension.

For Webmasters:
Remove "execute" permission from the upload directories (folders).
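The check and its bypass, as an added example that is not part of the advisory or of any uploader it measured. It is written in Python so it can be run and tested anywhere (the uploaders in question were ASP): it models the last-extension check many uploaders used, gives a simplified model of how IIS 6 and NTFS resolve the submitted name as the advisory describes (a model of the described behaviour, not IIS code), and implements recommendations 1 and 2 above. The sample file names, the allow-list and all function names are assumptions made for the illustration.

```python
import re
import secrets
from typing import List, Optional, Tuple

# Constructed sample uploads (assumption: what an attacker and a normal user
# would submit as the original file name)
SAMPLE_NAMES = [
    "photo.jpg",
    "malicious.asp;.jpg",   # semicolon bug: IIS 6 runs this through asp.dll
    "test.asp:.jpg",        # NTFS alternate data stream: creates an empty test.asp
    "shell.cer;.png",       # .cer is also handled by asp.dll on IIS 6
]

# Extensions the application accepts, mapped to the extension it will actually
# write; the extension is chosen server-side ("switch-case", recommendation 1)
ALLOWED_EXTENSIONS = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif"}

# Extensions the advisory names as executed by the classic ASP handler
ASP_EXTENSIONS = (".asp", ".asa", ".cer")


def naive_extension(name: str) -> str:
    """What many 2008-era uploaders did: trust the text after the last dot."""
    return name.rsplit(".", 1)[-1].lower()


def naive_is_allowed(name: str) -> bool:
    return naive_extension(name) in ALLOWED_EXTENSIONS


def iis6_effective_name(name: str) -> str:
    """Simplified model (not IIS code) of how the uploaded name is resolved,
    following the advisory: IIS 6 stops reading the script name at the first
    ';', and on NTFS everything after ':' is a stream name, so the file that
    exists on disk is the part before ':'."""
    name = name.split(";", 1)[0]
    name = name.split(":", 1)[0]
    return name


def iis6_would_execute(name: str) -> bool:
    """Would IIS 6 hand the stored file to asp.dll?"""
    return iis6_effective_name(name).lower().endswith(ASP_EXTENSIONS)


# Recommendation 2: one alphanumeric base name, one dot, one alphanumeric
# extension; ';', ':', '/', '\\', NUL and a second dot can never get through.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_]{1,64}\.[A-Za-z0-9]{1,8}$")


def hardened_is_allowed(name: str) -> bool:
    if not _SAFE_NAME.fullmatch(name):
        return False
    return name.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def storage_name(user_name: str) -> Optional[str]:
    """Recommendation 1: never reuse the user's name. Return a random base
    name with an extension chosen by the application, or None to reject."""
    if not hardened_is_allowed(user_name):
        return None
    ext = ALLOWED_EXTENSIONS[user_name.rsplit(".", 1)[1].lower()]
    return f"{secrets.token_hex(16)}.{ext}"


def audit(names: List[str]) -> List[Tuple[str, bool, bool, bool]]:
    """Per name: (name, naive check passes, IIS 6 would execute, hardened check passes)."""
    return [(n, naive_is_allowed(n), iis6_would_execute(n), hardened_is_allowed(n))
            for n in names]


if __name__ == "__main__":
    print(f"{'name':22} naive  iis6-exec  hardened")
    for n, naive, exec_, hard in audit(SAMPLE_NAMES):
        print(f"{n:22} {naive!s:6} {exec_!s:10} {hard!s}")
```

Run it to see the four columns: the naive check passes every sample, the IIS 6 model would execute the three malicious ones, and only the hardened check rejects them, with `storage_name` never letting user-supplied text reach the file system. This does not replace removing execute permission from the upload directory, which is the defence that still holds when a check turns out to be wrong.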

Proof of Concept / Exploit:
Many web applications can be exploited by using this vulnerability. We cannot announce their names before the Microsoft security patch for IIS, for security reasons.

Related Documents:
http://www.owasp.org/index.php/Unrestricted_File_Upload
http://www.owasp.org/index.php/File_System
http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf

Vulnerability in Microsoft IIS Serving Classic ASP Pages
------------------------------------------------------------------------------------------

The Internet Storm Center has reported a vulnerability in Microsoft Internet Information Services (IIS) 6.0 and earlier. The vulnerability exists due to the way IIS processes filenames containing non-alphanumeric characters; specifically a semi-colon. Due to this vulnerability, a file that is uploaded to an IIS 6.0 or earlier web server as 'bad.asp;.jpg' will be treated by IIS as 'bad.asp'. Depending upon the storage location of the file, it could potentially allow for execution by IIS. This vulnerability only affects classic ASP, not ASP.NET. Additionally, a web-based application that allows file uploads must exist for this vulnerability to be exploited. At this time, no patch is available from Microsoft.


Recommendation:
1. Never allow execute permissions in the directory where uploads are stored.
2. Disallow unusual characters, such as a semi-colon or colon, in filenames.
3. Ensure web applications run with less than SYSTEM privileges.
4. Require authentication for uploads.

References 
Internet Storm Center:
http://isc.sans.org/diary.html?storyid=7810
Soroush:
http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf


ASP Encode Decode Functions

ASP Encode/Decode Functions
-------------------------------------------------------------------------------------------------------

Server.URLEncode

Used for encoding data that will be passed via a querystring variable. A querystring variable is anything following the question mark (?) in the URL (location) field of your browser. You create querystring variables when you perform a redirect or build a hyperlink to another page on your site.

<a href="page2.asp?name=Joe+Schmoe">here</a>
<%
Response.Redirect "page2.asp?ID=3"
%>
In the example above, the hyperlink contains a variable named "name" which has a value of "Joe Schmoe" (the space is encoded as "+"). In the Response.Redirect statement, we have a querystring variable named "ID" with a value of 3. To perform a URL encode on a variable (for purposes of passing this variable to another page) use the following:

<a href="page2.asp?name=<%= Server.URLEncode(sName) %>">
here</a>
<%
' the line-continuation underscore must be preceded by a space
Response.Redirect "page2.asp?ID=" & _
    Server.URLEncode(nID)
%>

URLDecode

For some reason, Microsoft did not include a URL decode function with Active Server Pages. Most likely, this was because the decoding of querystring variables is done automatically for you when you access the querystring object:

<%= Request.QueryString("name") %>

For those of you who are desperately in need of this function:

' -----------------------------------------
' URL decode to retrieve the original value.
' Only apply this to data that has NOT already been decoded for you
' (Request.QueryString and Request.Form values already are); decoding
' twice lets a "%25xx" sequence slip past any check made on the first
' decoding. Note that Chr() yields one ANSI character per %XX, so
' multi-byte UTF-8 sequences are not reassembled.

' True when s is exactly two hexadecimal digits
Function IsHexPair(s)
    Dim sDigits
    sDigits = "0123456789abcdef"
    IsHexPair = False
    If Len(s) = 2 Then
        If InStr(1, sDigits, Left(s, 1), vbTextCompare) > 0 Then
            If InStr(1, sDigits, Right(s, 1), vbTextCompare) > 0 Then
                IsHexPair = True
            End If
        End If
    End If
End Function

Function URLDecode(sConvert)
    Dim aSplit
    Dim sOutput
    Dim sHex
    Dim I
    If IsNull(sConvert) Then
       URLDecode = ""
       Exit Function
    End If

    ' convert all pluses to spaces
    sOutput = Replace(sConvert, "+", " ")

    ' next convert %hexdigits to the character
    aSplit = Split(sOutput, "%")

    If IsArray(aSplit) Then
      sOutput = aSplit(0)
      For I = 0 To UBound(aSplit) - 1
        sHex = Left(aSplit(I + 1), 2)
        If IsHexPair(sHex) Then
          sOutput = sOutput & Chr(CLng("&H" & sHex)) & _
            Mid(aSplit(I + 1), 3)
        Else
          ' a bare "%" or a malformed escape such as "%zz" is kept as-is
          ' instead of raising a type mismatch in Chr()
          sOutput = sOutput & "%" & aSplit(I + 1)
        End If
      Next
    End If

    URLDecode = sOutput
End Function
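Why a hand-rolled URLDecode is dangerous in practice, as an added example that is not part of the original article: a Python version of the decoder that tolerates the malformed escapes a naive split-on-"%" decoder chokes on, followed by a model of the mistake such a function invites, namely decoding a value that Request.QueryString has already decoded once. The handler functions, the filename check and the attacker input are constructed for the illustration; Python is used so the behaviour can be run and checked outside IIS.

```python
import re
from typing import Optional, Tuple

_HEX2 = re.compile(r"[0-9A-Fa-f]{2}")


def url_decode(s: Optional[str]) -> str:
    """Single-pass decoder with the same intent as the ASP URLDecode above.
    Differences: a bare '%' or a malformed escape such as '%zz' is kept
    literally instead of failing, and %XX bytes are reassembled as UTF-8
    (the ASP version maps each %XX to one ANSI character)."""
    if s is None:
        return ""
    out = bytearray()
    i, n = 0, len(s)
    while i < n:
        c = s[i]
        if c == "+":
            out.append(0x20)
            i += 1
        elif c == "%" and i + 2 < n and _HEX2.fullmatch(s[i + 1:i + 3]):
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(c.encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def looks_safe(filename: str) -> bool:
    """A typical allow check on a query-string value: no path separators,
    no parent-directory references (constructed for the illustration)."""
    return ".." not in filename and "/" not in filename and "\\" not in filename


def vulnerable_handler(raw_value: str) -> Tuple[str, bool, Optional[str]]:
    """Models the double-decoding mistake. The first decode is what
    Request.QueryString already does for you; the handler then checks that
    value and decodes it *again* with URLDecode before using it.
    Returns (value after framework decode, check result, value actually used)."""
    once = url_decode(raw_value)
    if not looks_safe(once):
        return once, False, None
    used = url_decode(once)          # the redundant second decode
    return once, True, used


def fixed_handler(raw_value: str) -> Tuple[str, bool, Optional[str]]:
    """Decode exactly once, check the decoded value, use that same value."""
    once = url_decode(raw_value)
    if not looks_safe(once):
        return once, False, None
    return once, True, once


# Constructed attacker input: '../web.config' percent-encoded twice
DOUBLE_ENCODED = "%252e%252e%252fweb.config"

if __name__ == "__main__":
    print("vulnerable:", vulnerable_handler(DOUBLE_ENCODED))
    print("fixed:     ", fixed_handler(DOUBLE_ENCODED))
```

The attacker submits '../web.config' encoded twice; after the framework's single decode the check sees the harmless-looking '%2e%2e%2fweb.config', and the handler's own second decode turns it into a traversal. Decode once, check what you decoded, and use exactly that value.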

Server.HTMLEncode

This built-in function encodes text that will be displayed in a form input. By "form input" we mean a web form control such as a text input, select or textarea control.

You may have noticed that certain characters cause the HTML on your web form to be interpreted incorrectly. Specifically, the HTML tag characters "<" and ">" can have this effect, as well as the quote character (") which is used to encapsulate values. Server.HTMLEncode converts "<", ">", "&" and the double quote (") to their entities; it does not touch the single quote ('), so always wrap attribute values in double quotes as in the examples below.

<input type="text" value="<%= Server.HTMLEncode(sValue) %>">

<textarea name="sample" cols="38" rows="10">
<%= Server.HTMLEncode(sValue) %>
</textarea>
This simple example shows you how easy it is to safely include any value within a web form control.

HTMLDecode

Just like with the URLDecode function described previously, Microsoft, in its infinite wisdom, decided not to include an HTMLDecode function with their Server component. It is a relatively simple matter to decode this text data (although I haven't had a need to do this so far.) For completeness' sake, here is an HTMLDecode function you may use:

Function HTMLDecode(sText)
    Dim I
    sText = Replace(sText, "&quot;", Chr(34))
    sText = Replace(sText, "&lt;"  , Chr(60))
    sText = Replace(sText, "&gt;"  , Chr(62))
    sText = Replace(sText, "&nbsp;", Chr(32))
    ' only decimal references &#1; to &#255; are handled
    For I = 1 to 255
        sText = Replace(sText, "&#" & I & ";", Chr(I))
    Next
    ' "&amp;" must be decoded last: decoding it first would turn an
    ' encoded "&amp;#60;" into "&#60;" and then into "<", which is more
    ' than the input actually contained
    sText = Replace(sText, "&amp;" , Chr(38))
    HTMLDecode = sText
End Function
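The ordering defect in a chain of Replace calls, as an added example that is not part of the original article: a single-pass Python decoder that also handles hexadecimal references, next to a reproduction of the sequential approach with "&amp;" expanded before the numeric references, which is the order that makes the output of one replacement the input of the next. The stored comment text is constructed for the illustration; Python is used so the difference can be run and checked.

```python
import re
from typing import Optional

# Entities the ASP HTMLDecode above knows, plus decimal and hexadecimal
# numeric references (the ASP version handles only &#1; to &#255;)
_NAMED = {"quot": '"', "lt": "<", "gt": ">", "amp": "&", "nbsp": "\u00a0"}
_ENTITY = re.compile(r"&(#x[0-9A-Fa-f]{1,6}|#[0-9]{1,7}|quot|lt|gt|amp|nbsp);")


def html_decode(text: Optional[str]) -> str:
    """Single-pass decoder: every entity in the *input* is replaced exactly
    once, so '&amp;lt;' decodes to '&lt;' and never to '<'."""
    if text is None:
        return ""

    def repl(m: "re.Match[str]") -> str:
        body = m.group(1)
        if body.startswith("#x"):
            code = int(body[2:], 16)
        elif body.startswith("#"):
            code = int(body[1:])
        else:
            return _NAMED[body]
        # NUL and out-of-range references are left as they were
        if code == 0 or code > 0x10FFFF:
            return m.group(0)
        return chr(code)

    return _ENTITY.sub(repl, text)


def sequential_decode(text: str) -> str:
    """Chain of replacements with '&amp;' expanded *before* the numeric
    references, reproduced to show the defect: each Replace sees the
    output of the previous one, so one level of encoding too many is
    removed."""
    for ent, ch in (("&quot;", '"'), ("&lt;", "<"), ("&gt;", ">"),
                    ("&amp;", "&"), ("&nbsp;", " ")):
        text = text.replace(ent, ch)
    for i in range(1, 256):
        text = text.replace(f"&#{i};", chr(i))
    return text


# Constructed input: a commenter typed the literal text '&#60;script&#62;...'
# and the application correctly stored it HTML-encoded
STORED = "&amp;#60;script&amp;#62;alert(1)&amp;#60;/script&amp;#62;"

if __name__ == "__main__":
    print("sequential: ", sequential_decode(STORED))
    print("single-pass:", html_decode(STORED))
```

The sequential version hands back a live `<script>` element that the commenter never submitted, while the single-pass version returns the text they actually typed, still harmlessly encoded. Whatever language you write the decoder in, resolve every entity from the original input in one pass, or decode "&amp;" last.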