Internet Information Server (IIS) Exploitation
IIS is a web server application and a set of feature extension modules created by Microsoft for use with Microsoft Windows. IIS is currently the third most popular web server in the world. There have recently been several new attacks on IIS systems. Here is an outline of recent attack vectors, some of which still have not been patched.
File/directory name bruteforcing using the Windows file system shorthand characters and status return codes
- It is possible to discover an unknown file or directory name of up to six characters by using the Windows short-name characters such as ~1 and
- Example: site.com/admin/uplo*~1*/.aspx
- This attack relies on the different error codes the web server returns depending on whether a matching file exists. Let's say the file upload.aspx exists in the directory admin. Our attack's responses would look like this:
- site.com/admin/uplo*~1*/.aspx – IIS returns HTTP 404 File Not Found (valid file)
- site.com/admin/uplp*~1*/.aspx – IIS returns HTTP 400 Bad Request (invalid file)
- Note that IIS 7.x responds with different error codes (0x0 when valid) instead of HTTP status codes.
Mitigations:
- Enable error handling in the web.config file. This will cause more appropriate error messages.
- Upgrade IIS and .NET to the newest available version. If possible, look into using URL rewriting so that no URL containing a tilde character is accepted.
- Disable short name file creation by following the advice given at http://support.microsoft.com/kb/121007
Denial of service using Windows file system shorthand characters
- Windows will recursively search for files in every directory where you use the shorthand character. If we request site.com/~1/~1/~1.aspx, Windows will recursively search for any file two times.
- If we mix lower and upper case characters, Windows will also perform a case-insensitive search and run many more queries for the different variations of lower and upper case characters.
- Given the above two examples, if we repeat ~1/~1/~1/~1 a couple hundred times followed by /Aa~.AsPx, we will cause millions of expensive filesystem searches.
- Example: site.com/~1/~1/~1/~1…*200/Aa~.AsPX (the ~1/ segment repeated about 200 times)
There is currently no solution for this attack. Microsoft was informed about the vulnerability in August 2010 and has so far taken no known action to resolve the issue.
IIS 1.0, Windows NT 3.51
IIS 2.0, Windows NT 4.0
IIS 3.0, Windows NT 4.0 Service Pack 2
IIS 4.0, Windows NT 4.0 Option Pack
IIS 5.0, Windows 2000
IIS 5.1, Windows XP Professional and Windows XP Media Center Edition
IIS 6.0, Windows Server 2003 and Windows XP Professional x64 Edition
IIS 7.0, Windows Server 2008 and Windows Vista
IIS 7.5, Windows 7 (error remotely enabled or no web.config)
IIS 7.5, Windows 2008 (classic pipeline mode)
IIS 6.0/7.5 Authentication Bypass and Source Code Disclosure
- IIS 6.0 disclosure attempt:
- Requires: PHP to be enabled on the IIS server
- Issue: The attacker can bypass any authentication and execute files in any directory.
- Example: site.com/admin::$INDEX_ALLOCATION/upload.php
- Attack: /admin is a password protected directory and upload.php allows only admin users to upload files. This attack will allow anyone to access upload.php and, for example, upload a shell to the site. Beware of content-management systems that allow this type of activity.
- IIS 7.5 Authentication Bypass:
- Requires: Classic ASP to be installed and the .NET 4.0 framework to be running
- Issue: Attacker can bypass any authentication and execute files in any directory
- Example: site.com/admin:$i30:$INDEX_ALLOCATION/upload.asp
- Attack: /admin is a password protected directory and upload.asp allows only admin users to upload files. This attack will allow anyone to access upload.asp and, for example, upload a shell to the site. Beware of content-management systems that allow this type of activity.
- IIS 7.5 Source Code Disclosure/Authentication Bypass:
- Requires: PHP to be enabled and the "Path Type" of PHP to be set to "Unspecified" in the Handler Mappings.
- Issue: Attacker can bypass any authentication and execute files in any directory.
- Example: site.com/admin:$i30:$INDEX_ALLOCATION/upload.php
- Attack: Say admin is a password protected directory and upload.php allows only admin users to upload files. This attack will allow anyone to access upload.php and, for example, upload a shell to the site. Beware of content-management systems that allow this type of activity.
- Example: site.com/uploads/attacked.aspx/.php?attack=hi
- Attack: Say a cross-site scripting flaw lets an attacker insert < and > characters into attacked.aspx. If the attacker then requests attacked.aspx/.php?attack=hi, the injected content is executed as PHP. This could play out in several different ways; for example, the ASPX source code is revealed in the client-side source during this attack, which could contain things like database credentials.
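As an added detection example (not code from the original post), the following script parses IIS W3C log lines and flags the three request patterns described on this page: the ~1 short-name probes with their 404/400 split, the repeated ~1/ segments of the denial-of-service request, and the ::$INDEX_ALLOCATION / :$i30: path tricks of this section. The log lines, the field list and the alert thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample IIS W3C log lines; the #Fields directive gives the column order.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2012-01-01 10:00:01 10.0.0.5 GET /admin/a*~1*/.aspx - 203.0.113.9 404
2012-01-01 10:00:02 10.0.0.5 GET /admin/b*~1*/.aspx - 203.0.113.9 400
2012-01-01 10:00:03 10.0.0.5 GET /admin/u*~1*/.aspx - 203.0.113.9 404
2012-01-01 10:00:04 10.0.0.5 GET /admin/up*~1*/.aspx - 203.0.113.9 404
2012-01-01 10:00:05 10.0.0.5 GET /admin/upl*~1*/.aspx - 203.0.113.9 404
2012-01-01 10:00:09 10.0.0.5 GET /~1/~1/~1/~1/~1/~1/Aa~.AsPx - 198.51.100.7 400
2012-01-01 10:00:12 10.0.0.5 GET /admin:$i30:$INDEX_ALLOCATION/upload.asp - 192.0.2.4 200
2012-01-01 10:00:15 10.0.0.5 GET /index.aspx - 192.0.2.4 200
"""
SHORTNAME_RE = re.compile(r"~\d")   # 8.3 short-name marker such as ~1
ADS_RE = re.compile(r":\$i30:|::\$INDEX_ALLOCATION", re.IGNORECASE)
PROBE_THRESHOLD = 3   # short-name probes from one client before alerting (assumed value)
DOS_SEGMENTS = 4      # ~N path segments in a single URL that mark the DoS pattern (assumed)

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def detect(text):
    """Return {client_ip: [finding, ...]} for the tilde and NTFS-stream patterns."""
    probes = defaultdict(lambda: {"404": 0, "400": 0, "other": 0})
    findings = defaultdict(list)
    for rec in parse_w3c(text):
        ip, stem, status = rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"]
        if ADS_RE.search(stem):   # ::$INDEX_ALLOCATION / :$i30: bypass attempt
            findings[ip].append(f"NTFS stream in path ({status}): {stem}")
        hits = SHORTNAME_RE.findall(stem)
        if len(hits) >= DOS_SEGMENTS:   # many ~N segments: recursive-search DoS
            findings[ip].append(f"tilde DoS pattern, {len(hits)} ~N segments: {stem}")
        elif hits:                      # single ~N probe: count 404 (hit) vs 400 (miss)
            probes[ip][status if status in ("404", "400") else "other"] += 1
    for ip, counts in probes.items():
        total = sum(counts.values())
        if total >= PROBE_THRESHOLD:
            findings[ip].append(f"short-name enumeration: {total} probes "
                                f"({counts['404']}x404 valid, {counts['400']}x400 invalid)")
    return dict(findings)
```

Calling detect(SAMPLE_LOG) returns one enumeration finding for 203.0.113.9, one DoS finding for 198.51.100.7 and one NTFS-stream finding for 192.0.2.4; the benign /index.aspx request produces nothing.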
Tyler Borland, AlertLogic Research Team