SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server
Vendors:   Microsoft
Microsoft Internet Information Services (IIS) Filename Extension Parsing Configuration Error May Let Users Bypass Security Controls
SecurityTracker Alert ID:  1023387
SecurityTracker URL:  http://securitytracker.com/id/1023387
CVE Reference:   CVE-2009-4444, CVE-2009-4445
Updated:  Dec 29 2009
Original Entry Date:  Dec 24 2009
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 6
Description:   Soroush Dalili reported a vulnerability in Microsoft Internet Information Services (IIS). A user may be able to bypass security controls and cause the web server to execute files with non-executable filenames in certain cases.

The IIS service incorrectly parses filenames that contain a semicolon character when determining the MIME type based on the filename extension. A local user can create an executable file (e.g., ASP file) with a specially crafted but non-executable filename that, when invoked via the web server, will cause the contents of the file to be executed with the privileges of the target web service.

If a web application on the system allows remote users to upload files with user-controlled filenames, the remote user may be able to bypass the web application's filename extension security filters and upload an executable file with a non-executable extension.

A demonstration exploit filename is provided: malicious.asp;.jpg

The report indicates that many web applications are affected.

The vendor indicates that only IIS version 6 is affected.
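
The filter bypass described above can be checked from the defender's side with the following added example (not code from the original advisory or from the vendor). It contrasts a last-extension upload filter with a strict check that follows the "alpha-numerical strings" recommendation in the source message, and audits stored names; the extension sets, function names and sample filenames are assumptions, and the semicolon handling is a simplified model of the parsing the advisory describes.

```python
import re

# Assumption: extensions the upload feature is meant to accept.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Assumption: sample script extensions; adjust to the server's handler mappings.
SCRIPT_EXT = {"asp", "asa", "cer", "cdx"}

# Exactly one dot, ASCII letters and digits only on both sides.
SAFE_NAME = re.compile(r"[A-Za-z0-9]+\.[A-Za-z0-9]+")


def naive_extension_ok(filename):
    """Filter style the advisory says is bypassed: trust the text after the last dot."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXT


def extension_seen_by_parser(filename):
    """Simplified model of the described parsing: text from the first ';' on is ignored."""
    head = filename.split(";", 1)[0]
    return head.rsplit(".", 1)[-1].lower() if "." in head else ""


def strict_filename_ok(filename):
    """Accept only alphanumeric name + allowlisted alphanumeric extension."""
    if not SAFE_NAME.fullmatch(filename):
        return False
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXT


def audit_names(names):
    """Flag stored names that contain ';' and resolve to a script extension."""
    return [n for n in names
            if ";" in n and extension_seen_by_parser(n) in SCRIPT_EXT]


# Constructed sample filenames; the second is the demonstration name from the advisory.
CONSTRUCTED_NAMES = ["photo.jpg", "malicious.asp;.jpg", "report.final.png",
                     "logo.GIF", "notes;v2.png"]

if __name__ == "__main__":
    for name in CONSTRUCTED_NAMES:
        print(f"{name!r}: naive={naive_extension_ok(name)} "
              f"strict={strict_filename_ok(name)} "
              f"parsed_ext={extension_seen_by_parser(name)!r}")
    print("flagged:", audit_names(CONSTRUCTED_NAMES))
```

The strict check also rejects names with more than one dot, such as report.final.png, which is stricter than the advisory requires but keeps the rule simple to reason about.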

The original advisory is available at:

http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf


Impact:   A user may be able to cause the web server to execute files with non-executable filenames. The impact may depend on the users with access to the web server and/or on the applications running on the web server.
Solution:   On December 29, 2009, Microsoft issued a blog post stating that IIS web server customer configurations are vulnerable only in a non-default, unsafe configuration. A remote user must be authenticated and have write privileges on a directory that has execute permissions. Default configurations are not affected. The vendor indicates that the issue is a configuration flaw and not a product vulnerability.

The Microsoft advisories are available at:

http://blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx
http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx
http://blogs.iis.net/nazim/archive/2009/12/29/public-disclosure-of-iis-security-issue-with-semi-colons-in-url.aspx

Vendor URL:  blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx
Cause:   Input validation error
Underlying OS:  Windows (2003)

Message History:   None.


 Source Message Contents

Subject:  Microsoft IIS 0Day Vulnerability in Parsing Files (semi-colon bug)

############################################################
Microsoft IIS 0Day Vulnerability in Parsing Files (semi-colon bug)
############################################################
#Application: Microsoft Internet Information Services - IIS (All versions)
#Impact: Highly Critical for Web Applications
#Finding Date: April 2007
#Report Date: Dec. 2009
#Found by: Soroush Dalili (Irsdl {4t] yahoo [d0t} com)
#Website: Soroush.SecProject.com
#Weblog: Soroush.SecProject.com/blog/
#Thanks From: Mr. Ali Abbas Nejad, Mormoroth, Aria-Security Team, and other ethical hackers.
#Vulnerability/Risk Description:
#Impact Description:
 - Many web applications are vulnerable against file uploading attacks because of this weakness of IIS. In a measurement which was performed in summer 2008 on some of the famous web applications, 70 percent of the secure file uploaders were bypassed by using this vulnerability.
#Method of Finding:
 - Simple fuzzer by using ASP language itself.
#More Details:
#Fast Solution/Recommendation:
 - For Web Developers:
    -- Only accept alpha-numerical strings as the filename and its extension.
 - For Webmasters:
#Proof of Concept/Exploit:
 - Many of the web applications can be exploited by using this vulnerability. We cannot announce their names before the Microsoft security patch for IIS because of security reasons.
#Related Documents:
 - http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf


 
 



Copyright 2018, SecurityGlobal.net LLC