
Vulnerability: Microsoft IIS Zero Day Still Open!

A vulnerability has been identified in Microsoft Internet Information Services (IIS) where the server incorrectly handles files with multiple extensions separated by the ";" character, treating a name such as "malicious.asp;.jpg" as an ASP file.
This allows attackers to upload malicious executables to a vulnerable web server, bypassing file extension protections and restrictions! ASP.Net is NOT affected by this vulnerability.


Applicable to Microsoft Internet Information Services (IIS), all versions. Works successfully on IIS 6 and prior versions; IIS 7 has not been tested yet; does not work on IIS 7.5.

It was discovered last year, in April 2008, but was reported in December 2009.

This vulnerability has a very high impact on IIS, as the attacker can bypass file extension protections by using a semicolon after an executable extension such as ".asp", ".cer", ".asa", and others.

This vulnerability applies to many IIS versions, putting web applications at risk. In a measurement performed in summer 2008 on some of the well-known web applications, 70 percent of the secure file uploaders were bypassed using this vulnerability!


How was the vulnerability discovered?
Using a simple fuzzer written in the ASP language.

How does the vulnerability work?
In the case of "malicious.asp;.jpg", web applications see it as a JPEG file, while IIS sees it as an ASP file and passes it to "asp.dll". This bug does not work with ASP.Net, as the .Net technology cannot recognize "malicious.aspx;.jpg" as a .Net file and shows a "page not found" error.

Besides the semicolon, ":" can be used to create an empty file with any arbitrary extension. For example, by uploading "test.asp:.jpg", an empty ASP file "test.asp" would be created on the server on an NTFS partition. This is solely because of "NTFS Alternate Data Streams" and it is completely different from the semicolon vulnerability.

Two working workarounds to protect our IIS:
1. Never accept the user's input as the filename.
2. Accept only alphanumeric strings as the filename and its extension.
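As an added example, not code from the original advisory: the naive extension check that "malicious.asp;.jpg" bypasses, a model of how IIS 6 reads the name, a hardened handler that implements the two workarounds above, and a detection pass over constructed sample upload-log lines. The allowed-extension set and the log line format are assumptions made for this example.

```python
import re
import secrets

# Extensions this example's upload handler stores (an assumption, not a value
# from the advisory).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

def naive_extension_ok(filename):
    """The check that gets bypassed: it trusts whatever follows the last dot."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS

def iis6_effective_extension(filename):
    """Model of how IIS 6 classifies the request: the name is cut at the first ';'."""
    base = filename.split(";", 1)[0]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""

def safe_stored_name(user_filename):
    """Hardened handler (the page's two workarounds): alphanumeric name and
    extension only, allowlisted extension, server-generated name on disk."""
    match = re.fullmatch(r"[A-Za-z0-9]+\.([A-Za-z0-9]+)", user_filename)
    if match is None:
        return None
    ext = match.group(1).lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return secrets.token_hex(8) + "." + ext

# Constructed sample upload-log lines: "<time> <client> <submitted filename>".
SAMPLE_UPLOAD_LOG = [
    "2009-12-24T10:00:01 10.0.0.5 photo.jpg",
    "2009-12-24T10:00:07 10.0.0.9 malicious.asp;.jpg",
    "2009-12-24T10:00:12 10.0.0.9 test.asp:.jpg",
    "2009-12-24T10:01:03 10.0.0.7 report.PNG",
]

def flagged_uploads(log_lines):
    """Detection: (filename, reason) for names that IIS 6 or NTFS would treat
    differently from what the application's extension check saw."""
    hits = []
    for line in log_lines:
        name = line.split(" ", 2)[2]
        if ";" in name:
            hits.append((name, "IIS 6 executes it as ." + iis6_effective_extension(name)))
        elif ":" in name:
            hits.append((name, "NTFS alternate data stream syntax"))
    return hits
```

Note that `naive_extension_ok` accepts the semicolon name while `iis6_effective_extension` reports "asp" for it; that disagreement is the whole bug, and `safe_stored_name` never lets such a name reach disk.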

This vulnerability is entirely about the filename and its extension, and so are the workarounds. Hope Microsoft soon releases some patch or service pack which covers this vulnerability.