Critical Vulnerability in Microsoft IIS Web Server
December 2009 by Tal Mozes, COO, Hacktics
A critical vulnerability has been disclosed in the Microsoft Internet Information Services (IIS) web server, affecting applications that allow file uploading. Successful exploitation allows an attacker to upload arbitrary executable scripts (such as ASP files) to the server, which allows execution of malicious code on the server and potentially taking control of server functions.
This vulnerability was discovered by Soroush Dalili (Soroush.SecProject.com). According to the finder, it applies to IIS 6.0 and earlier versions. Hacktics has confirmed the vulnerability and that it applies to IIS 6.0.

Description

The exposure enables an attacker to run malicious Active Server Pages (ASP) code from an uploaded file whose name ends in a non-executable extension. Checking the extension of an uploaded file is therefore not sufficient to keep a malicious file off the server file system: the attacker bypasses the extension check and places an executable file on the server. For instance, a file named "malicious.asp;.jpg" passes a check that looks only at the trailing ".jpg", yet is executed as an ASP file on the server. The impact is high, as an attacker can bypass file extension protections simply by placing a semicolon after an executable extension such as ".asp", ".cer" or ".asa".

Recommended Countermeasures

As this vulnerability was not disclosed responsibly by the publisher, Microsoft has not had the opportunity to release an official patch. Hacktics therefore recommends the following security practices, which render this vulnerability ineffective:
• Store uploaded files in an isolated partition or folder on the server, with execute permissions removed.
• Never accept user input as the filename. Use a random string as the filename for the uploaded file, and let the web application itself set its extension.
• Only accept alphanumeric strings as the filename and its extension.

Implementing these recommendations will not only defend against this vulnerability but may also prevent exploitation of future file-upload vulnerabilities. Please read the comments provided by the Microsoft Security Response Center (MSRC) at the link below.
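The following Python example is added here to illustrate the second and third countermeasures and the bypass they defeat; it is not code from Hacktics, from the original advisory, or from IIS. The "IIS 6.0 rule" it models (the handler is chosen from the part of the name before the first semicolon) is a simplified model of the behaviour described above, the extension whitelist is an assumed application policy, and all sample filenames are constructed.

```python
import os
import re
import secrets

# Extensions the advisory names as executable on IIS 6.0 (not exhaustive).
SCRIPT_EXTENSIONS = {".asp", ".cer", ".asa"}
# Extensions this hypothetical application is willing to store (assumed policy).
ALLOWED_UPLOAD_EXTENSIONS = {".jpg", ".png", ".gif", ".pdf"}
# Rule from the advisory: only alphanumeric characters in the extension.
ALNUM_RE = re.compile(r"^[A-Za-z0-9]+$")


def naive_extension_check(client_filename):
    """The insufficient check: trust whatever follows the last dot."""
    ext = os.path.splitext(client_filename)[1].lower()
    return ext in ALLOWED_UPLOAD_EXTENSIONS


def iis6_effective_extension(stored_filename):
    """Simplified model (assumption, not IIS code) of the behaviour the
    advisory describes: IIS 6.0 picks the handler from the part of the
    name before the first ';', so 'malicious.asp;.jpg' reaches the ASP
    engine."""
    before_semicolon = stored_filename.split(";", 1)[0]
    return os.path.splitext(before_semicolon)[1].lower()


def stored_name_for_upload(client_filename):
    """Hardened path (countermeasures 2 and 3): the stored name is a random
    stem chosen by the application plus an extension that is taken from
    the client name only after an alphanumeric check and a whitelist
    lookup. Nothing else from the client's filename reaches the disk.
    Raises ValueError when the upload must be rejected."""
    _, raw_ext = os.path.splitext(client_filename)
    ext = raw_ext[1:]  # drop the leading dot, if there is one
    if not ALNUM_RE.fullmatch(ext):
        raise ValueError("extension contains non-alphanumeric characters: %r" % raw_ext)
    ext = "." + ext.lower()
    if ext not in ALLOWED_UPLOAD_EXTENSIONS:
        raise ValueError("extension not on the whitelist: %r" % ext)
    return secrets.token_hex(16) + ext


def is_accepted(client_filename):
    """True if the hardened path would store this upload at all."""
    try:
        stored_name_for_upload(client_filename)
        return True
    except ValueError:
        return False


def would_execute_on_iis6(stored_filename):
    """Would a file stored under this name hit a script handler under the
    modelled IIS 6.0 rule?"""
    return iis6_effective_extension(stored_filename) in SCRIPT_EXTENSIONS


if __name__ == "__main__":
    # Constructed sample client filenames, including the advisory's example.
    for name in ["photo.jpg", "malicious.asp;.jpg", "malicious.asp", "a.jpg;.asp"]:
        stored = stored_name_for_upload(name) if is_accepted(name) else "REJECTED"
        print("%-20s naive check: %-5s  IIS6 ext: %-5s  hardened: %s"
              % (name, naive_extension_check(name), iis6_effective_extension(name), stored))
```

Run stand-alone, the script shows the advisory's example "malicious.asp;.jpg" passing the naive check while resolving to ".asp" under the modelled rule, whereas the hardened path stores it under a random name ending in ".jpg" with no semicolon left to exploit. The first countermeasure (an upload directory with execute permissions removed) is an IIS configuration step rather than application code, and should be applied in addition to the above.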
Original advisory by Soroush Dalili:
Microsoft Security Response Center (MSRC)
Note the third paragraph starting with: “This vulnerability was not responsibly disclosed to Microsoft …”