
Microsoft IIS 0day Vulnerability in Parsing Files (Semi Colon Bug)

This document summarizes a vulnerability in Microsoft Internet Information Services (IIS) that allows files with unexpected extensions to be executed. Specifically, using a semicolon in the filename allows a file to be executed despite its stated extension. For example, "malicious.asp;.jpg" would be executed as an ASP file despite the .jpg extension. This vulnerability could allow attackers to bypass file upload protections and execute malicious code on vulnerable IIS servers. The document provides details on the vulnerability and recommends steps like randomizing filenames and restricting permissions to help mitigate risks.

Uploaded by

clu5t3r

Microsoft IIS 0Day Vulnerability in Parsing Files (semicolon bug)

Last Update: 25 Dec. 2009
Reason of Update: Update in version of vulnerable application
Application: Microsoft Internet Information Services IIS (All versions. Works successfully on IIS 6 and prior versions. IIS 7 has not been tested yet. Does not work on IIS 7.5)
Impact: Highly Critical for Web Applications
Finding Date: April 2008
Report Date: Dec. 2009
Found by: Soroush Dalili (Irsdl{4t]yahoo[d0t}com)
Website: Soroush.SecProject.com
Weblog: Soroush.SecProject.com/blog/
Thanks From: Mr. Ali Abbas Nejad, Mormoroth, Aria Security Team, and other ethical hackers.

Vulnerability/Risk Description:

IIS can execute any extension as an Active Server Page or any other executable extension. For
instance "malicious.asp;.jpg" is executed as an ASP file on the server. Many file uploaders
protect the system by checking only the last section of the filename as its extension. And by
using this vulnerability, an attacker can bypass this protection and upload a dangerous
executable file on the server.

Impact Description:

Impact of this vulnerability is absolutely high as an attacker can bypass file extension protections
by using a semicolon after an executable extension such as .asp, .cer, .asa, and so on.
Many web applications are vulnerable against file uploading attacks because of this weakness of
IIS. In a measurement which was performed in summer 2008 on some of the famous web
applications, 70 percent of the secure file uploaders were bypassed by using this vulnerability.

Method of Finding:

Simple fuzzer by using ASP language itself.

More Details:

In case of having "malicious.asp;.jpg", web applications consider it as a JPEG file while IIS
considers it as an ASP file and passes it to "asp.dll". This bug does not work with ASP.Net as the
.Net technology cannot recognize "malicious.aspx;.jpg" as a .Net file and shows a "page not
found" error.
Besides using a semicolon, ":" can be used to make an empty file with any arbitrary extension.
For example by uploading "test.asp:.jpg", an empty ASP file "test.asp" would be created on
the server on an NTFS partition. This is only because of NTFS Alternate Data Streams and it is
completely different from the semicolon vulnerability.

Fast Solution/Recommendation:

For Web Developers:
o Highly Recommended: Use a completely random string as a filename and set its extension
  by the web application itself (by using a switch-case or select-case for example) and never
  accept the user's input as the filename.
o Only accept alphanumerical strings as the filename and its extension.
For Webmasters:
o Remove "execute" permission from the upload directories (folders).
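
The two recommendations for web developers can be combined in one upload routine. The following is an added example, not code from the original advisory: it places the "last section only" check described above beside a routine that accepts only alphanumeric names, picks the stored extension itself, and generates a random filename. The function names and the list of accepted image types are assumptions made for this sketch.

```python
import os
import re
import secrets

# Assumed policy for this sketch: accepted client extensions and the extension
# the application itself assigns to the stored file.
STORED_EXT = {"jpg": ".jpg", "jpeg": ".jpg", "png": ".png", "gif": ".gif"}
ALNUM = re.compile(r"[A-Za-z0-9]+")


def naive_extension_check(filename):
    """Weak check from the advisory: only the last section of the name is examined."""
    return os.path.splitext(filename)[1].lower() in {".jpg", ".png", ".gif"}


def safe_stored_name(client_filename):
    """Return a server-generated name, or None when the upload is rejected."""
    base, dot, ext = client_filename.rpartition(".")
    # Name and extension must each be purely alphanumeric, so ';', ':', extra
    # dots and path separators are all refused.
    if not dot or not ALNUM.fullmatch(base) or not ALNUM.fullmatch(ext):
        return None
    stored_ext = STORED_EXT.get(ext.lower())
    if stored_ext is None:
        return None
    # The client-supplied name is discarded; only the mapped extension is kept.
    return secrets.token_hex(16) + stored_ext


if __name__ == "__main__":
    # Constructed sample names, including the two from the advisory.
    for name in ["holiday.JPG", "malicious.asp;.jpg", "test.asp:.jpg", "photo.asp"]:
        print(f"{name!r}: naive={naive_extension_check(name)} stored={safe_stored_name(name)}")
```

The naive check accepts both "malicious.asp;.jpg" and "test.asp:.jpg", while the second routine rejects them and never writes a client-chosen name to disk.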

Proof of Concept/Exploit:

Many of the web applications can be exploited by using this vulnerability. We cannot announce
their names before the Microsoft security patch for IIS because of security reasons.

Related Documents:

http://www.owasp.org/index.php/Unrestricted_File_Upload
http://www.owasp.org/index.php/File_System
http://soroush.secproject.com/downloadable/iissemicolonreport.pdf
