A vulnerability has been identified in Microsoft Internet Information Services (IIS) that causes the server to incorrectly handle files with multiple extensions separated by the “;” character. For instance, a file named “malicious.asp;.jpg” is treated as an ASP file. This flaw allows attackers to upload malicious executables to a vulnerable web server, bypassing file extension protections and restrictions. Notably, ASP.Net is NOT affected by this vulnerability.

Impact and Versions Affected

This vulnerability affects all versions of Microsoft IIS. It works successfully on IIS 6 and earlier versions. IIS 7 has not been tested, but it does not work on IIS 7.5. The vulnerability was discovered in April 2008 but reported in December 2009.

Severity and Exploitation

The impact on IIS is significant, as attackers can bypass file extension protections using a semi-colon after an executable extension, such as “.asp”, “.cer”, “.asa”, and others. This vulnerability affects many IIS versions, endangering web applications. A test conducted in the summer of 2008 on popular web applications showed that 70% of secure file uploaders were bypassed using this vulnerability.

Discovery and Mechanics

The vulnerability was discovered using a simple fuzzer with the ASP language. Here's how it works: when a file named “malicious.asp;.jpg” is uploaded, web applications treat it as a JPEG file, while IIS treats it as an ASP file and processes it with “asp.dll”. This bug does not affect ASP.Net because the .Net technology does not recognize “malicious.aspx;.jpg” as a .Net file and returns a “page not found” error.

Additionally, the colon “:” can be used to create an empty file with any arbitrary extension. For example, uploading “test.asp:.jpg” on an NTFS partition would create an empty ASP file named “test.asp”. This is due to NTFS Alternate Data Streams and is different from the semi-colon vulnerability.

Workarounds

To protect your IIS, consider the following workarounds:

  1. Never accept user input as the filename.
  2. Accept only alphanumerical strings for filenames and extensions.
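Both workarounds combined, as an added example that is not part of the original article or any Microsoft code: a last-extension check accepts the two filenames discussed above, while a strict alphanumeric pattern rejects them and the name written to disk is generated by the server. The function names, the image-only allowlist, and the sample inputs are assumptions made for illustration.

```python
import re
import secrets

# Assumed policy for this example: image uploads only.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Exactly one dot, alphanumerics on both sides: no ';', ':', '/', '\', spaces
# or extra dots can appear anywhere in the name.
STRICT_NAME = re.compile(r"[A-Za-z0-9]+\.([A-Za-z0-9]+)")


def naive_is_allowed(client_name: str) -> bool:
    """The weak check: looks only at the text after the last dot."""
    return client_name.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def stored_name_for(client_name: str) -> str:
    """Validate the client's name strictly, then discard it and return a
    server-generated name carrying only the validated extension."""
    match = STRICT_NAME.fullmatch(client_name)
    if match is None:
        raise ValueError("filename must be alphanumeric with one extension")
    extension = match.group(1).lower()
    if extension not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    # Workaround 1: the name on disk never comes from user input.
    return f"{secrets.token_hex(16)}.{extension}"


def audit(names):
    """Return (name, naive_verdict, strict_verdict) for each sample."""
    rows = []
    for name in names:
        try:
            stored_name_for(name)
            strict = True
        except ValueError:
            strict = False
        rows.append((name, naive_is_allowed(name), strict))
    return rows


# Constructed sample inputs; the two rejected names are the ones from the article.
SAMPLES = ["photo.jpg", "malicious.asp;.jpg", "test.asp:.jpg", "notes.asp"]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```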

Since this vulnerability is related to filenames and extensions, it is hoped that Microsoft will soon release a patch or service pack to address it.

