Microsoft IIS Semi-Colon Execution
Posted Dec 29, 2009
Authored by Soroush Dalili

Microsoft IIS servers suffer from a semi-colon bug where any file can be executed as an Active Server Page.

tags | exploit
SHA-256 | 443f3fbb36e323e5d66ae72c42458f7d1d061375232ceaaa360f5e395e9bc143

############################################################
Microsoft IIS 0Day Vulnerability in Parsing Files (semi-colon bug)
############################################################
#Application: Microsoft Internet Information Services - IIS (All versions)
#Impact: Highly Critical for Web Applications
#Finding Date: April 2007
#Report Date: Dec. 2009
#Found by: Soroush Dalili (Irsdl {4t] yahoo [d0t} com)
#Website: Soroush.SecProject.com
#Weblog: Soroush.SecProject.com/blog/
#Thanks From: Mr. Ali Abbas Nejad, Mormoroth, Aria-Security Team, and other ethical hackers.
#Vulnerability/Risk Description:
- IIS can execute a file with any extension as an Active Server Page, or as any other executable type. For instance, “malicious.asp;.jpg” is executed as an ASP file on the server. Many file uploaders protect the system by checking only the last section of the filename as its extension. By using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file to the server.
#Impact Description:
- The impact of this vulnerability is extremely high, as an attacker can bypass file extension protections by using a semi-colon after an executable extension such as “.asp”, “.cer”, “.asa”, and so on.
- Many web applications are vulnerable to file upload attacks because of this weakness in IIS. In a measurement performed in summer 2008 on some well-known web applications, 70 percent of the secure file uploaders were bypassed by using this vulnerability.
#Method of Finding:
- A simple fuzzer, using the ASP language itself.
#More Details:
- Given a file named “malicious.asp;.jpg”, web applications consider it a JPEG file, while IIS considers it an ASP file and passes it to “asp.dll”. This bug does not work with ASP.Net, as the .Net technology cannot recognize “malicious.aspx;.jpg” as a .Net file and shows a “page not found” error.
- Besides the semi-colon, “:” can be used to create an empty file with any arbitrary extension. For example, uploading “test.asp:.jpg” creates an empty ASP file, “test.asp”, on the server on an NTFS partition. This happens only because of “NTFS Alternate Data Streams” and is completely different from the semi-colon vulnerability.
#Fast Solution/Recommendation:
- For Web Developers:
-- Highly Recommended: Use a completely random string as a filename and set its extension by the web application itself (by using a “switch-case or select-case” for example) and never accept the user’s input as the filename.
-- Accept only alphanumeric strings as the filename and its extension.
- For Webmasters:
-- Remove “execute” permission from the upload directories (folders).
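
Added example (not part of the original advisory or the author's code): a Python illustration of the two developer recommendations above, next to the last-extension check that the advisory says is bypassed. The allowed-type map, the magic-byte table and all function names are assumptions made for this illustration.

```python
import re
import secrets

# Extension is chosen by the application from a fixed map (the "switch-case"
# in the advisory); nothing from the client filename reaches the disk.
ALLOWED_TYPES = {"jpeg": ".jpg", "png": ".png", "gif": ".gif"}  # assumed policy

# Assumption: the type is decided from leading magic bytes, not from the name.
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
         b"GIF87a": "gif", b"GIF89a": "gif"}

# Exactly one dot, alphanumeric on both sides: no ';', ':' or second extension.
STRICT_NAME = re.compile(r"[A-Za-z0-9]+\.[A-Za-z0-9]+")


def naive_last_extension_ok(filename):
    """The flawed check the advisory describes: only the last dot-part is tested."""
    return "." + filename.rsplit(".", 1)[-1].lower() in ALLOWED_TYPES.values()


def strict_name_ok(filename):
    """Second recommendation: alphanumeric name and extension only."""
    return bool(STRICT_NAME.fullmatch(filename)) and naive_last_extension_ok(filename)


def stored_name(content):
    """First recommendation: random name plus an extension set by the application.

    Returns None when the content is not one of the accepted types.
    """
    for magic, kind in MAGIC.items():
        if content.startswith(magic):
            return secrets.token_hex(16) + ALLOWED_TYPES[kind]
    return None


if __name__ == "__main__":
    # Filenames taken from the advisory text, plus one ordinary name.
    for name in ("malicious.asp;.jpg", "test.asp:.jpg", "photo.jpg"):
        print(name, "naive:", naive_last_extension_ok(name),
              "strict:", strict_name_ok(name))
    print("stored as:", stored_name(b"\xff\xd8\xff\xe0 constructed sample"))
```
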
#Proof of Concept/Exploit:
- Many web applications can be exploited by using this vulnerability. For security reasons, we cannot announce their names before the Microsoft security patch for IIS is released.
#Related Documents:
- http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf