SecurityTracker Archives


 
Category: Application (Web Server/CGI) > Microsoft Internet Information Server (IIS) Web Server
Vendors: Microsoft
Microsoft IIS Web Server Discloses Potentially Sensitive Information to Remote Users
SecurityTracker Alert ID:  1027223
SecurityTracker URL:  http://securitytracker.com/id/1027223
CVE Reference: GENERIC-MAP-NOMATCH
Date:  Jul 6 2012
Impact:   Disclosure of system information
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 5.x, 6.x
Description:   A vulnerability was reported in Microsoft IIS Web Server. A remote user can obtain potentially sensitive information.

A remote user can supply a specially crafted request containing the tilde ('~') character to determine whether a matching file exists within the web directory on the target system without specifying the entire filename.

This can be exploited to determine filenames more rapidly than by brute-force guessing individual characters of the filename. This can also be exploited to potentially bypass certain URL-string-based filtering, if such filtering is used.

A remote user can supply a specially crafted request containing the tilde character and the '::$Index_Allocation' string to determine whether matching files exist within ostensibly protected directories within the web directory on the target system.

On systems running .Net, a remote user can supply a specially crafted request to cause the target system to make an excessive number of file system calls, which may temporarily affect system performance.

The latest version of IIS (7.5) is not affected.
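As an added example (not part of the advisory and not the researcher's code), a small Python detector that scans IIS W3C log records for the tilde short-name probes and the '::$Index_Allocation' vector described above, URL-decoding each request first so encoded tildes are not missed; the log excerpt, its field layout and the client addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not from the advisory); the #Fields line
# gives the column order, as in real IIS logs.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2012-06-29 16:50:01 GET /index.aspx - 203.0.113.9 200
2012-06-29 16:50:02 GET /*~1*/.aspx - 198.51.100.7 404
2012-06-29 16:50:02 GET /a*~1*/.aspx - 198.51.100.7 400
2012-06-29 16:50:03 GET /b*%7E1*/.aspx - 198.51.100.7 404
2012-06-29 16:50:03 GET /s*~1*/.aspx::$Index_Allocation - 198.51.100.7 404
2012-06-29 16:50:04 GET /~alice/home.aspx - 203.0.113.9 200
"""

# "~" + digit is the 8.3 short-name suffix (SECRET~1); "/~alice/" is not one.
# The ADS suffix is the vector the advisory names for protected folders.
SHORT_NAME_RE = re.compile(r"~[1-9]")
ADS_RE = re.compile(r"::\$index_allocation", re.IGNORECASE)

def classify_request(uri_stem, uri_query):
    """Return 'ads', 'short-name' or None for one request, after URL-decoding."""
    decoded = unquote(uri_stem + ("" if uri_query == "-" else "?" + uri_query))
    if ADS_RE.search(decoded):
        return "ads"
    return "short-name" if SHORT_NAME_RE.search(decoded) else None

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_probing_clients(text, min_probes=3):
    """Return {client_ip: counts} for clients that sent >= min_probes probes."""
    counts = defaultdict(lambda: {"short-name": 0, "ads": 0, "errors": 0})
    for rec in parse_w3c(text):
        kind = classify_request(rec["cs-uri-stem"], rec["cs-uri-query"])
        if kind is None:
            continue
        client = counts[rec["c-ip"]]
        client[kind] += 1
        if rec["sc-status"] in ("400", "404"):  # the oracle's answers
            client["errors"] += 1
    return {ip: c for ip, c in counts.items() if c["short-name"] + c["ads"] >= min_probes}
```

Run against the sample, only 198.51.100.7 is reported; the 400/404 counter is kept separately because a burst of those responses to tilde requests from one client is the signal worth alerting on.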

The original advisory is available at:

http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf

Soroush Dalili (@irsdl) reported this vulnerability.

Impact:   A remote user can obtain potentially sensitive information.
Solution:   The vendor has issued a fix (7.5).
Vendor URL: www.microsoft.com/
Cause:   Access control error
Underlying OS:   Windows (Any)

Message History:   None.


Source Message Contents

Date:  Fri, 29 Jun 2012 16:50:37 -0700 (PDT)
Subject:  Microsoft IIS tilde character “~” Vulnerability: Short File/Folder Name Disclosure + Recoverable DoS

Technical details link: http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf 

#Title: [Microsoft IIS tilde character “~” Vulnerability: Short File/Folder Name Disclosure + Recoverable DoS]
#Date: [
- Vendor Awareness: 3 August 2010
- Vendor Response: 4 Jan 2011: Recoverable DoS issues will be addressed in a Service Pack or next version fix
- Last Vendor Response Result for Tilde "~" Vulnerability: As it has already been rectified in latest versions of .Net & IIS which follow best practices, Microsoft does not have any plan to change the other versions.
- Published: 29 June 2012
]
#Application Name: [Microsoft IIS, .Net Framework]
#Version: [All versions of IIS except IIS 7.5 and on .Net Framework 4]
#Impact: [Unknown]
#Reference(s): [
- http://www.secproject.com
]
#Finder: [
- Soroush Dalili (@irsdl)
]
#Technical Supporter: [
- Ali Abbasnejad
]
---

Overall:
We have used the tilde character “~” to find short names of files and folders when the website is running under IIS. This can be a major issue, especially for the .Net websites which are vulnerable to direct URL access, as an attacker can find important files and folders that are not normally visible. Moreover, this bug (or maybe an undocumented feature from Microsoft’s point of view) is very useful for penetration testers when they do not have access to the box and can be added to the available web application security scanners in order to find more files and folders. We have also proved that the password protected folders (with Basic and Windows authentication) are still searchable using the infamous “::$Index_Allocation” vector [3]; other ADS vectors can also be helpful to purify the results.
Additionally, a proof of concept has been implemented to prove the possibility of exploiting this issue. Furthermore, we have introduced several methods that can be used in order to find the long-names based on the short-names, which can be implemented at a later stage.
A denial of service issue has also been identified during this research; Microsoft has been informed since August 2010, but there is still no fix or workaround.
Finally, we think these issues pose a significant risk for certain websites and they should have been addressed by the vendor and also firewall/WAF companies.

Technical details link: http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf 

 
 



Copyright 2013, SecurityGlobal.net LLC