A vulnerability has been identified in Microsoft Internet Information Services (IIS), where the server incorrectly handles files with multiple extensions separated by the ";" character, such as "malicious.asp;.jpg", treating them as ASP files.
This allows attackers to upload malicious executables to a vulnerable web server, bypassing file extension protections and restrictions. ASP.Net is NOT affected by this vulnerability.
The Hacker News


Applicable to Microsoft Internet Information Services (IIS), all versions: works successfully on IIS 6 and prior versions; IIS 7 has not been tested yet; does not work on IIS 7.5.

It was found last year, in April 2008, but was reported in December 2009.

This vulnerability has a very high impact on IIS as the attacker can bypass file extension protections by using a semi-colon after an executable extension such as ".asp", ".cer", ".asa", and others.

This vulnerability is applicable to many IIS versions, putting web applications in danger. In a measurement performed in summer 2008 on some famous web applications, 70 percent of the secure file uploaders were bypassed by using this vulnerability!


How was the vulnerability discovered?
With a simple fuzzer, using the ASP language.

How does the vulnerability work?
Given a file named "malicious.asp;.jpg", web applications consider it a JPEG file, while IIS considers it an ASP file and passes it to "asp.dll". This bug does not work with ASP.Net, as the .Net technology cannot recognize "malicious.aspx;.jpg" as a .Net file and shows a "page not found" error.

Besides the semicolon, ":" can be used to create an empty file with any arbitrary extension. For example, by uploading "test.asp:.jpg", an empty ASP file "test.asp" would be created on the server on an NTFS partition. This is only because of "NTFS Alternate Data Streams" and it is completely different from the semicolon vulnerability.

Two working workarounds to protect our IIS:
1. Never accept the user's input as the filename.
2. Accept alpha-numerical strings as the filename and its extension.
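
The two workarounds above, sketched in Python as an added example (not code from the original article or from Microsoft). The image allowlist, the length limits and the function names are assumptions. The naive check is included to show why a last-extension test passes "malicious.asp;.jpg".

```python
import os
import re
import secrets

# Assumed allowlist for an image uploader (not taken from the article).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Workaround 2: base name and extension are alphanumeric only, with exactly
# one dot between them. This excludes ';', ':', extra dots, slashes, spaces.
STRICT_NAME = re.compile(r"[A-Za-z0-9]{1,64}\.([A-Za-z0-9]{1,8})")


def naive_is_image(filename):
    """The kind of check that gets bypassed: looks at the last extension only."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext in ALLOWED_EXTENSIONS


def strict_extension(filename):
    """Return the lowercased extension if the whole name passes, else None."""
    match = STRICT_NAME.fullmatch(filename)
    if match is None:
        return None
    ext = match.group(1).lower()
    return ext if ext in ALLOWED_EXTENSIONS else None


def stored_name(filename):
    """Workaround 1: the name written to disk is generated by the server.

    Only the validated extension survives; the user's base name is discarded.
    Returns None when the upload must be rejected.
    """
    ext = strict_extension(filename)
    if ext is None:
        return None
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed sample names; the first two are the article's own examples.
    for name in ["malicious.asp;.jpg", "test.asp:.jpg", "photo.jpg", "shell.cer"]:
        print(name, naive_is_image(name), stored_name(name))
```
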

As this vulnerability talks only about filename and extension, so does the vulnerability. Hope Microsoft soon finds some patch or service pack which covers this vulnerability.