Critical Vulnerability in Microsoft IIS Web Server

December 2009 by Tal Mozes, COO, Hacktics

A critical vulnerability has been disclosed in the Microsoft Internet Information Services (IIS) web server, affecting applications that allow file uploads. Successful exploitation allows an attacker to upload arbitrary executable scripts (such as ASP files) to the server, execute malicious code on it and potentially take control of server functions.

This vulnerability was discovered by Soroush Dalili (Soroush.SecProject.com). According to the finder, it applies to IIS 6.0 and prior versions. Hacktics has confirmed the vulnerability and that it applies to IIS 6.0.

Description

The exposure enables an attacker to run malicious Active Server Pages (ASP) code from an uploaded file that carries any non-executable extension. Checking file extensions is therefore not sufficient to keep a malicious file off the server file system: an attacker can bypass that protection and upload dangerous executable files to the server.

For instance, a file named “malicious.asp;.jpg” is executed as an ASP file on the server. The impact is high, because an attacker can bypass file extension protections simply by placing a semicolon after an executable extension such as “.asp”, “.cer” or “.asa”.
Recommended Countermeasures

As this vulnerability was not disclosed responsibly by its publisher, Microsoft has not had the opportunity to release an official patch. Hacktics therefore recommends the following security practices, which render this vulnerability ineffective:

• It is recommended to store uploaded files in an isolated partition or folder on the
server, without execute permissions.

• Never accept user input as the filename. Use a random string as the filename for the uploaded file and let the web application itself set its extension.

• Only accept alphanumeric strings for the filename and its extension.

Implementing these recommendations not only defends against this vulnerability but may also prevent exploitation of future file-upload-related vulnerabilities.
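The following is an added illustration of the countermeasures above, not code from Hacktics or the advisory: a naive last-extension check that lets “malicious.asp;.jpg” through, beside a handler that rejects non-alphanumeric names, whitelists the extension and generates the stored filename itself. The allowed-extension set and the regular expression are assumptions chosen for the example.

```python
import re
import secrets
from typing import Optional

# Extensions the application is willing to store and serve back (assumed whitelist).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Strict form: alphanumeric base name, exactly one dot, alphanumeric extension.
# A semicolon, a second dot, whitespace or any other character fails the match.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9]+\.([A-Za-z0-9]+)$")


def naive_extension_check(filename: str) -> bool:
    """The weak check the advisory warns about: trusts whatever follows the last dot.

    'malicious.asp;.jpg' ends in '.jpg', so it passes here, yet the advisory
    reports that IIS 6.0 executes the part before the ';' as ASP.
    """
    return filename.lower().rsplit(".", 1)[-1] in ALLOWED_EXTENSIONS


def safe_storage_name(client_filename: str) -> Optional[str]:
    """Return a server-chosen filename for the upload, or None to reject it.

    Applies the recommended practices: the user-supplied name is never reused,
    only alphanumeric names and extensions are accepted, and the extension is
    set by the application from a whitelist.
    """
    match = SAFE_NAME_RE.match(client_filename)
    if match is None:
        return None  # rejects 'malicious.asp;.jpg', 'a.asp.jpg', 'x.jpg ' ...
    ext = match.group(1).lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None  # rejects 'shell.asp', 'page.cer', 'global.asa' ...
    # Random, application-generated base name (32 hex chars) plus the whitelisted extension.
    return f"{secrets.token_hex(16)}.{ext}"
```

The stored file should additionally land in a folder without execute permissions, as the first recommendation says; that part is a web-server configuration setting rather than application code.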
Please read the comments provided by the Microsoft Security Response Center (MSRC) at the link below.

References

Original advisory by Soroush Dalili:

http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf

Microsoft Security Response Center (MSRC):

http://blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx

Note the third paragraph starting with: “This vulnerability was not responsibly disclosed to
Microsoft …”
