
Vulnerability: Microsoft IIS Zero Day Still Open!

A vulnerability has been identified in Microsoft Internet Information Services (IIS): the server incorrectly handles files with multiple extensions separated by the “;” character, such as “malicious.asp;.jpg”, treating them as ASP files.
This allows attackers to upload malicious executables to a vulnerable web server, bypassing file extension protections and restrictions! ASP.Net is NOT affected by this vulnerability.


Applicable to Microsoft Internet Information Services (IIS), all versions: it works successfully on IIS 6 and prior versions, IIS 7 has not been tested yet, and it does not work on IIS 7.5.

It was found last year, in April 2008, but was reported in December 2009.

This vulnerability has a very high impact on IIS as the attacker can bypass file extension protections by using a semi-colon after an executable extension such as “.asp”, “.cer”, “.asa”, and others.

This vulnerability applies to many IIS versions, putting web applications in danger. In a measurement performed in summer 2008 on some well-known web applications, 70 percent of the secure file uploaders were bypassed by using this vulnerability!


How was the vulnerability discovered?
With a simple fuzzer, using the ASP language.

How does the vulnerability work?
Given a file named “malicious.asp;.jpg”, web applications consider it a JPEG file, while IIS considers it an ASP file and passes it to “asp.dll”. This bug does not work with ASP.Net, as the .Net technology cannot recognize “malicious.aspx;.jpg” as a .Net file and shows a “page not found” error.

Besides the semi-colon, “:” can be used to make an empty file with any arbitrary extension. For example, by uploading “test.asp:.jpg”, an empty ASP file “test.asp” would be created on the server on an NTFS partition. This happens only because of “NTFS Alternate Data Streams” and is completely different from the semi-colon vulnerability.

Two working workarounds to protect our IIS:
1. Never accept the user’s input as the filename.
2. Accept alpha-numerical strings as the filename and its extension.
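
The two workarounds above, as an added example that is not part of the original article: a Python sketch of an upload-name check, where the allowlist, the function names and the random stored-name scheme are assumptions. It contrasts a check on the last extension only, which accepts “malicious.asp;.jpg”, with a strict alphanumeric rule and a server-generated stored name.

```python
import re
import secrets

# Assumed allowlist for an image uploader (not from the article).
ALLOWED_EXTENSIONS = {"jpg", "png", "gif"}

# Workaround 2: one alphanumeric name, one dot, one alphanumeric extension.
STRICT_NAME = re.compile(r"[A-Za-z0-9]+\.([A-Za-z0-9]+)")


def naive_is_allowed(filename):
    """Check only the text after the last dot, as a bypassable uploader would."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXTENSIONS


def strict_extension(filename):
    """Return the lowercase extension if the whole name passes, else None."""
    match = STRICT_NAME.fullmatch(filename)
    if match is None:
        # Rejects ';', ':', extra dots, path separators, spaces, empty parts.
        return None
    ext = match.group(1).lower()
    return ext if ext in ALLOWED_EXTENSIONS else None


def stored_name(filename):
    """Workaround 1: never store under the client's name; keep only the vetted extension."""
    ext = strict_extension(filename)
    if ext is None:
        raise ValueError("rejected upload filename: %r" % filename)
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed sample names; the second and third are the article's examples.
    for name in ["holiday.jpg", "malicious.asp;.jpg", "test.asp:.jpg", "shell.asp"]:
        print(name, "| naive:", naive_is_allowed(name),
              "| strict:", strict_extension(name))
```

Because the stored name is generated on the server, nothing the client typed reaches the file system, so the strict rule only decides which extension is kept.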

As this vulnerability talks only about filename and extension so does the vulnerability. Hopefully Microsoft will soon release a patch or service pack that covers this vulnerability.