Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server
Vendors:   Microsoft
Microsoft Internet Information Services (IIS) Filename Extension Parsing Configuration Error May Let Users Bypass Security Controls
SecurityTracker Alert ID:  1023387
SecurityTracker URL:  http://securitytracker.com/id/1023387
CVE Reference:   CVE-2009-4444, CVE-2009-4445   (Links to External Site)
Updated:  Dec 29 2009
Original Entry Date:  Dec 24 2009
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 6
Description:   Soroush Dalili reported a vulnerability in Microsoft Internet Information Services (IIS). A user may be able to bypass security controls and cause the web server to execute files with non-executable filenames in certain cases.

The IIS service incorrectly parses filenames that contain a semicolon character when determining the MIME type based on the filename extension. A local user can create an executable file (e.g., ASP file) with a specially crafted but non-executable filename that, when invoked via the web server, will cause the contents of the file to be executed with the privileges of the target web service.

If a web application on the system allows remote users to upload files with user-controlled filenames, the remote user may be able to bypass the web application's filename extension security filters and upload an executable file with a non-executable extension.

A demonstration exploit filename is provided: malicious.asp;.jpg

The report indicates that many web applications are affected.

The vendor indicates that only IIS version 6 is affected.

The original advisory is available at:

http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf

[Editor's note: The vendor states that this is not a product vulnerability, but rather a configuration issue due to an inconsistency in how IIS version 6 handles semicolons in URLs. Non-default configurations that allow both “write” and “execute” privileges on the same directory are affected. However, these configurations are contrary to best practices.]

Impact:   A user may be able to cause the web server to execute files with non-executable filenames. The impact may depend on the users with access to the web server and/or on the applications running on the web server.
Solution:   On December 29, 2009, Microsoft issued a blog post stating that IIS web server customer configurations are vulnerable only in a non-default, unsafe configuration. A remote user must be authenticated and have write privileges on a directory that has execute permissions. Default configurations are not affected. The vendor indicates that the issue is a configuration flaw and not a product vulnerability.

The Microsoft advisories are available at:

http://blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx
http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx
http://blogs.iis.net/nazim/archive/2009/12/29/public-disclosure-of-iis-security-issue-with-semi-colons-in-url.aspx

Vendor URL:  blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx (Links to External Site)
Cause:   Input validation error
Underlying OS:   Windows (2003)

Message History:   None.


 Source Message Contents

Date:  Wed, 23 Dec 2009 13:42:13 -0800 (PST)
Subject:  Microsoft IIS 0Day Vulnerability in Parsing Files (semi-colon bug)

############################################################
Microsoft IIS 0Day Vulnerability in Parsing Files (semi-colon bug)
############################################################
#Application: Microsoft Internet Information Services - IIS (All versions)
#Impact: Highly Critical for Web Applications
#Finding Date: April 2007
#Report Date: Dec. 2009
#Found by: Soroush Dalili (Irsdl {4t] yahoo [d0t} com)
#Website: Soroush.SecProject.com
#Weblog: Soroush.SecProject.com/blog/
#Thanks From: Mr. Ali Abbas Nejad, Mormoroth, Aria-Security Team, and other ethical hackers.
#Vulnerability/Risk Description:
 - IIS can execute any extension as an Active Server Page or any other executable extension. For instance “malicious.asp;.jpg” is executed as an ASP file on the server. Many file uploaders protect the system by checking only the last section of the filename as its extension. And by using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file on the server.
#Impact Description:
 - Impact of this vulnerability is absolutely high as an attacker can bypass file extension protections by using a semi-colon after an executable extension such as “.asp”, “.cer”, “.asa”, and so on.
 - Many web applications are vulnerable to file uploading attacks because of this weakness of IIS. In a measurement which was performed in summer 2008 on some of the famous web applications, 70 percent of the secure file uploaders were bypassed by using this vulnerability.
#Method of Finding:
 - Simple fuzzer by using ASP language itself.
#More Details:
 - In the case of “malicious.asp;.jpg”, web applications consider it a JPEG file, while IIS considers it an ASP file and passes it to “asp.dll”. This bug does not work with ASP.Net, as the .Net technology cannot recognize “malicious.aspx;.jpg” as a .Net file and shows a “page not found” error.
 - Besides using a semi-colon, “:” can be used to make an empty file with any arbitrary extension. For example, by uploading “test.asp:.jpg”, an empty ASP file - “test.asp” - would be created on the server on an NTFS partition. This is only because of “NTFS Alternate Data Streams” and it is completely different from the semi-colon vulnerability.
#Fast Solution/Recommendation:
 - For Web Developers:
    -- Highly Recommended: Use a completely random string as a filename and set its extension by the web application itself (by using a “switch-case or select-case” for example) and never accept the user’s input as the filename.
    -- Only accept alpha-numerical strings as the filename and its extension.
 - For Webmasters:
    -- Remove “execute” permission from the upload directories (folders).
#Proof of Concept/Exploit:
 - Many of the web applications can be exploited by using this vulnerability. We cannot announce their names before the Microsoft security patch for IIS because of security reasons.
#Related Documents:
 - http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf
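Added example, not code from the advisory, from Microsoft or from the reporter: a Python model of the "last extension" filter bypass described in the report and of its developer-side recommendations (alphanumeric names only, random stored filename, extension chosen by the application). The IIS 6 handler-selection model, the allowed-extension set and the function names are assumptions made for this illustration.

```python
import re
import secrets
from typing import Optional

# Assumption: this hypothetical uploader only stores images.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Script extensions named in the report (.asp, .cer, .asa).
IIS_SCRIPT_EXTENSIONS = {"asp", "asa", "cer"}


def naive_filter_accepts(filename: str) -> bool:
    """The weak check the report describes: look only at the text after the
    last dot, so 'malicious.asp;.jpg' is accepted as a JPEG."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def iis6_effective_extension(filename: str) -> str:
    """Model (assumption) of the IIS 6 behaviour in the report: the part
    before the first semicolon is what selects the handler, so
    'malicious.asp;.jpg' is served by the ASP handler."""
    base = filename.split(";", 1)[0]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def bypasses_naive_filter(filename: str) -> bool:
    """Detection helper: True when the weak filter accepts a name that the
    modelled IIS 6 would hand to a script engine."""
    return (naive_filter_accepts(filename)
            and iis6_effective_extension(filename) in IIS_SCRIPT_EXTENSIONS)


def hardened_stored_name(filename: str) -> Optional[str]:
    """Hardened variant following the report's recommendations: the user's
    name is only validated, never stored. Names must be alphanumeric (plus
    '_' and '-') with a single dot, which rejects ';' and the NTFS stream
    ':' outright; the declared extension must be on the allow list; the file
    is stored under a random name whose extension the application picks."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+", filename):
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    canonical = {"jpeg": "jpg"}.get(ext, ext)  # extension from our table
    return f"{secrets.token_hex(16)}.{canonical}"
```

Removing the execute permission from the upload directory, as the report recommends for webmasters, is still needed: the stored-name function only controls what reaches the filesystem, not what IIS will run from it.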
Copyright 2014, SecurityGlobal.net LLC