

Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4

2 edits

[MS DENIAL] Microsoft IIS 0-Day Vulnerability Parsing Files

TheRegister | 25th December 2009

»www.theregister.co.uk/2009/12/25···lon_bug/

A researcher has identified a vulnerability in the most recent version of Microsoft's Internet Information Services that allows attackers to execute malicious code on machines running the popular webserver.

The bug stems from the way IIS parses file names with colons or semicolons in them, according to researcher Soroush Dalili. Many web applications are configured to reject uploads that contain executable files, such as active server pages, which often carry the extension ".asp." By appending ";.jpg" or other benign file extensions to a malicious file, attackers can bypass such filters and potentially trick a server into running the malware.

There appears to be some disagreement over the severity of the bug, which Dalili said affects all versions of IIS. While he rated it "highly critical," vulnerability tracker Secunia classified it as "less critical," which is only the second notch on its five-tier severity rating scale.

"Impact of this vulnerability is absolutely high as an attacker can bypass file extension protections by using a semicolon after an executable extension such as '.asp,' '.cer,' '.asa' and so on," Dalili wrote. "Many web applications are vulnerable against file uploading attacks because of this weakness of IIS."

Secunia didn't explain how it arrived at its assessment, but it did confirm the bug on a machine running a fully patched version of Windows Server 2003 R2 SP2 with Microsoft IIS version 6.

A Microsoft spokeswoman said company researchers are investigating the report. They are not aware of attacks targeting the reported vulnerability, she said.

In the absence of any official guidance, webmasters who want to work around the potential problem should make sure that upload directories don't have execute permissions. And web developers should ensure their applications never accept the user's input as a file name.

Opinion SANS:

Secunia has confirmed the vulnerability "on a fully patched Windows Server 2003 R2 SP2 running Microsoft IIS version 6. Other versions may also be affected". It should be mentioned that if you don't think you're vulnerable because you are running a non-vulnerable version of IIS, the vulnerable functionality may have been made available by your webmaster when deploying IIS.

After reading up on related posts and IIS issues, the nature of the vulnerability is such that it's going to be widely exploited soon, quite successfully, and not only by the usual suspects, but more effectively by the specialized groups of attackers that are after unrestricted access to your protected network, and, of course, the other groups after more mundane items like bank accounts.
»isc.sans.org/diary.html?storyid=7816

2009-12-28: post title changed for reason of MS confirmation -SB-
2009-12-29: post title changed for reason of MS denial -SB-
--
Smokey's Security Forums »www.smokey-services.eu/forums/
Smokey's Security Weblog »smokeys.wordpress.com/
*OTL (formerly OTListIt2) by OldTimer - A sophisticated, comprehensive log analysis tool to clean PCs with malicious content*
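
Added example, not part of the original post or the quoted articles: a sketch of the developer-side workaround the article ends on (never use the client's file name), next to the last-extension check that a name ending in ";.jpg" slips past. The function names and the image-only allow-list are assumptions for illustration.

```python
import os
import re
import secrets

# Assumption: this application accepts image uploads only.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def naive_filter_accepts(client_name):
    """Extension check of the kind the article says is bypassed:
    it looks only at whatever follows the last dot."""
    return os.path.splitext(client_name)[1].lower() in ALLOWED_EXTENSIONS


def safe_stored_name(client_name):
    """Return a server-generated file name for an upload.

    The client's name is used only to choose an allow-listed extension;
    none of its other characters reach the file system.
    """
    # Drop any directory part the client sent (either separator style).
    base = re.split(r"[\\/]", client_name)[-1]
    # No legitimate image name needs ';' or ':', the characters the
    # report says IIS parses inconsistently, so refuse them outright.
    if ";" in base or ":" in base:
        raise ValueError("rejected: ';' or ':' in file name")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("rejected: extension %r not allowed" % ext)
    # Random name: nothing attacker-chosen ends up in the stored path.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample names.
    for name in ["holiday.JPG", "C:\\photos\\cat.png", "page.asp;.jpg", "page.asp"]:
        try:
            print(name, "->", safe_stored_name(name))
        except ValueError as err:
            print(name, "->", err)
```

The stored file should still go to a directory without script or execute permission, which is the other half of the workaround quoted above.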


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2

Re: Microsoft IIS 0-Day Vulnerability in Parsing Files

LOL. Just goes to show how silly the whole notion of file extensions (in relation to security) is.


djrobx

join:2000-05-31
Valencia, CA
kudos:1

1 edit

said by KodiacZiller:

LOL. Just goes to show how silly the whole notion of file extensions (in relation to security) is.
Yeah, that's what I don't quite understand about this vulnerability. Why on earth would you allow users to upload to a folder with scripts/execute permissions enabled? The extension should be irrelevant.
--
AT&T U-Hearse
Your funeral. Delivered.


asdfghjklzx5
Premium
join:2004-05-03
kudos:1

said by djrobx:

said by KodiacZiller:

LOL. Just goes to show how silly the whole notion of file extensions (in relation to security) is.
Yeah, that's what I don't quite understand about this vulnerability. Why on earth would you allow users to upload to a folder with scripts/execute permissions enabled? The extension should be irrelevant.
Because most Windows server admins don't ever think about security. This vulnerability can't be exploited if proper permissions are set on the directory.
--
"Ubuntu protects you from malware in the same way that a Geo protects you from carjackers." -Anonymous


EGeezer
Summertime
Premium
join:2002-08-04
Midwest
kudos:7

1 edit

said by asdfghjklzx5:

Because most Windows server admins don't ever think about security. This vulnerability can't be exploited if proper permissions are set on the directory.
I'd also add that there are actually software vendors out there today whose applications require administrative access to the entire C: drive of a server. I had one such setup. Later, they tried to tell us we also had to open up ports to allow Dameware for them to provide support. We told them that if they couldn't live with a secured connection and a completely firewalled network, we'd get another vendor. They finally screwed up enough we dropped them anyhow.
--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis

munky99999
Munky

join:2004-04-10
canada

reply to Smokey Bear
»httpd.apache.org/

The security patch is already out in the above link.



mackey

join:2007-08-20
kudos:1

said by munky99999:

»httpd.apache.org/

The security patch is already out in the above link.
LOL! Ya, +1 to that!


asdfghjklzx5
Premium
join:2004-05-03
kudos:1

reply to munky99999

said by munky99999:

»httpd.apache.org/

The security patch is already out in the above link.
Why? Apache has had far more vulnerabilities discovered than IIS over the last six years.
--
"Ubuntu protects you from malware in the same way that a Geo protects you from carjackers." -Anonymous


mackey

join:2007-08-20
kudos:1

said by asdfghjklzx5:

Why? Apache has had far more vulnerabilities discovered than IIS over the last six years.
You're joking, right? If you said PHP apps vs ASP apps maybe, but the Apache core? I think not.

At any rate, any OS that decided what to execute based solely on the file name is just plain broken.

/mackey

munky99999
Munky

join:2004-04-10
canada

reply to asdfghjklzx5

said by asdfghjklzx5:

said by munky99999:

»httpd.apache.org/

The security patch is already out in the above link.
Why? Apache has had far more vulnerabilities discovered than IIS over the last six years.
lol what?

Unless you're counting ALL Apache projects into Apache's web server. Like Tomcat. Yes, Tomcat is a buggy vulnerable app.

Looking at the vulnerability histories. Apache hasn't had an exploit since 2007. Only mods. Mods I've never used before.

IIS has an open one right now according to this thread. Haven't looked into it. Another 7 in 2009.

Just looking at the known history disproves your claim. I don't even know where you get this 6 years range neither. IIS prior to version 5 was remarkably bad.


asdfghjklzx5
Premium
join:2004-05-03
kudos:1

1 edit

said by munky99999:

said by asdfghjklzx5:

Why? Apache has had far more vulnerabilities discovered than IIS over the last six years.
lol what?

Unless you're counting ALL Apache projects into Apache's web server.
No. I'm comparing individual versions of IIS with individual versions of Apache.

IIS has [had] 7 [vulnerabilities] in 2009.
You need to go back to Secunia and read the advisory pages again. IIS6 has had 9 security advisories, ever. IIS7 has had 2 ever.

Every version of Apache has had more in that same time frame. Apache 2.0 being, by far, the worst with 39.

Just looking at the known history disproves your claim.
No, it proves it.

I don't even know where you get this 6 years range neither. IIS prior to version 5 was remarkably bad.
1) IIS prior to version *SIX* was bad.

2) The six-year window is due to the fact that Microsoft started focusing on security with the release of Win2k3 - six years ago. IIS5, released nine years ago, was the last version of IIS that really did suck from a security perspective. Also, Secunia's database only goes back to 2003.
--
"Ubuntu protects you from malware in the same way that a Geo protects you from carjackers." -Anonymous


Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4

reply to Smokey Bear

Re: [CONFIRMED] Microsoft IIS 0-Day Vulnerability Parsing Files

New Reports of a Vulnerability in IIS
Posted Sunday, December 27, 2009 5:33 PM by MSRC TEAM

On Dec. 23 we were made aware of a new claim of a vulnerability in Internet Information Services (IIS). We are still investigating this issue and are not aware of any active attacks but wanted to let customers know that our initial assessment shows that the IIS web server must be in a non-default, unsafe configuration in order to be vulnerable. An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server configuration. Customers using out of the box configurations and who follow security best practices are at reduced risk of being impacted by issues like this.

Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.

This vulnerability was not responsibly disclosed to Microsoft and may put customers at risk. We continue to encourage responsible disclosure of vulnerabilities as we believe reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

I want to close by providing some resources and best practices for securely configuring IIS servers:

IIS 6.0 Security Best Practices
»technet.microsoft.com/en-us/libr···10).aspx

Securing Sites with Web Site Permissions
»technet.microsoft.com/en-us/libr···10).aspx

IIS 6.0 Operations Guide
»technet.microsoft.com/en-us/libr···10).aspx

Improving Web Application Security: Threats and Countermeasures
»msdn.microsoft.com/en-us/library···921.aspx

Thanks,

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*
»blogs.technet.com/msrc/archive/2···iis.aspx
--
Smokey's Security Forums »www.smokey-services.eu/forums/
Smokey's Security Weblog »smokeys.wordpress.com/
*OTL (formerly OTListIt2) by OldTimer - A sophisticated, comprehensive log analysis tool to clean PCs with malicious content*

munky99999
Munky

join:2004-04-10
canada

reply to asdfghjklzx5

Re: Microsoft IIS 0-Day Vulnerability in Parsing Files

quote:
No. I'm comparing individual versions of IIS with individual versions of Apache.
Then you are completely and absurdly wrong. The even more damning factor is that Apache is open source and follows full disclosure. IIS doesn't. So how many unknown vulnerabilities more has IIS had?

quote:
You need to go back to Secunia and read the advisory pages again. IIS6 has had 9 security advisories, ever. IIS7 has had 2 ever.

Every version of Apache has had more in that same time frame. Apache 2.0 being, by far, the worst with 39.
Wasn't using Secunia. Looking now. It just lists mods. So sorry. Your source proves you wrong yet again.

I don't care honestly. You are so patently wrong it's a joke.


asdfghjklzx5
Premium
join:2004-05-03
kudos:1

said by munky99999:

Wasn't using Secunia. Looking now. It just lists mods. So sorry. Your source proves you wrong yet again.
"It just lists mods". What are you talking about?



You are certainly hard core in your Microsoft hatred.
--
"Ubuntu protects you from malware in the same way that a Geo protects you from carjackers." -Anonymous


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17

1 edit

reply to Smokey Bear

Re: [CONFIRMED] Microsoft IIS 0-Day Vulnerability Parsing Files

Thanks for this, Smokey Bear


Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4

As usual, you're welcome siljaline



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17

Greets


Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4

reply to Smokey Bear

Results of Investigation into Holiday IIS Claim
Posted Tuesday, December 29, 2009 11:42 AM by MSRC TEAM

We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS.

What we have seen is that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server.

The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack.

However, customers who are using IIS 6.0 in the default configuration or following our recommended best practices don’t need to worry about this issue. If, however, you are running IIS in a configuration that allows both “write” and “execute” privileges on the same directory like this scenario requires, you should review our best practices and make changes to better secure your system from the threats that configuration can enable. Once again, here’s a list of best practices resources:

· IIS 6.0 Security Best Practices

· Securing Sites with Web Site Permissions

· IIS 6.0 Operations Guide

· Improving Web Application Security: Threats and Countermeasures

The IIS folks are evaluating a change to bring the behavior of IIS 6.0 in line with the other versions. In the meantime, they’ve put more information up about this on their weblog.

I hope this helps answer any questions.

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights*
»blogs.technet.com/msrc/archive/2···aim.aspx
--
Smokey's Security Forums »www.smokey-services.eu/forums/
Smokey's Security Weblog »smokeys.wordpress.com/
*OTL (formerly OTListIt2) by OldTimer - A sophisticated, comprehensive log analysis tool to clean PCs with malicious content*
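
Added example, not part of the original post or the MSRC text: one way to look for the semicolon pattern in IIS logs, flagging requests whose URI stem has one of the extensions named earlier in the thread (.asp, .asa, .cer) directly followed by ';' or ':'. The log lines are constructed samples in W3C extended format, and the function name is an assumption.

```python
import re

# Extensions named in the report, immediately followed by ';' or ':'.
SUSPICIOUS_STEM = re.compile(r"\.(asp|asa|cer)[;:]", re.IGNORECASE)

# Constructed sample log (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-12-28 10:01:02 192.0.2.10 GET /images/logo.jpg - 200
2009-12-28 10:01:09 198.51.100.7 POST /upload.asp - 200
2009-12-28 10:01:15 198.51.100.7 GET /uploads/photo.asp;.jpg - 200
2009-12-28 10:02:40 192.0.2.44 GET /uploads/Report.ASA;x.png - 404
"""


def find_suspicious_requests(log_text):
    """Return (client IP, URI stem, status) for each flagged request.

    Column positions come from the '#Fields:' directive, so the
    function follows whatever field set the site has enabled.
    """
    fields = []
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line
        row = dict(zip(fields, values))
        stem = row.get("cs-uri-stem", "")
        if SUSPICIOUS_STEM.search(stem):
            hits.append((row.get("c-ip"), stem, row.get("sc-status")))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A 200 on such a request inside an upload directory is the case worth checking against that directory's write and execute permissions.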


Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

said by Microsoft :

The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack.
Put another way: If an IIS web server allows you to upload and execute scripts on that server, you don't need to fool with semicolons or extensions - you can just upload and execute stuff directly.

Right?

Arup

join:2007-12-09

reply to asdfghjklzx5

Re: Microsoft IIS 0-Day Vulnerability in Parsing Files

said by asdfghjklzx5:

said by munky99999:

Wasn't using Secunia. Looking now. It just lists mods. So sorry. Your source proves you wrong yet again.
"It just lists mods". What are you talking about?



You are certainly hard core in your Microsoft hatred.
As you have for anything open source, particularly Linux
