
Introducing the repair of the IIS short file name leak vulnerability

1. What is IIS

Internet Information Services (IIS, formerly Internet Information Server) is an extensible web server provided by Microsoft. It supports HTTP, HTTP/2, HTTPS, FTP, FTPS, SMTP, NNTP and other protocols. It first appeared in the Windows NT series and was later built into Windows 2000, Windows XP Professional, Windows Server 2003 and subsequent versions; Windows XP Home does not include IIS. IIS is currently available only for Windows and not for other operating systems.

According to Netcraft data from February 2017, IIS held a 10.19% share of the "Million Busiest Websites", making it the third most widely used web server in the world, behind Apache at 41.41% and Nginx at 28.34%. The popular Windows versions currently ship with the IIS service installed by default. The security of IIS, however, has been criticized by the industry: once a high-risk vulnerability appears in IIS, the threat is very serious.


Before looking at the IIS vulnerability itself, let us first review the default built-in IIS version of each Windows system, so that the scope of impact of IIS vulnerabilities can be understood and distinguished more easily:

Figure 1 Default IIS version of each Windows version

2. Complete list of IIS vulnerabilities

Qianlimu Lab has collected the IIS-related vulnerabilities of the past fifteen years: 39 medium- and high-risk vulnerabilities in total, among which the (MS15-034) HTTP.sys remote code execution vulnerability of 2015 and the (MS16-016) WebDAV privilege escalation vulnerability of 2016 were particularly widespread.

Figure 2 A complete list of IIS vulnerabilities in the past 15 years

After reading the list of IIS vulnerabilities of the past ten years above, you may ask why the protagonist of this article, the "IIS short file vulnerability", does not appear in it. Before getting into the IIS vulnerability family, we first learn about some characteristics of IIS on Windows by way of IIS short file names.

3. IIS short file

1. The origin of the IIS short file vulnerability

The Microsoft IIS short file/folder name information disclosure was first discovered by Soroush Dalili of the Vulnerability Research Team on August 1, 2010, and the vendor (Microsoft Corporation) was notified on August 3, 2010. Microsoft replied on December 1, 2010 and January 4, 2011 that the issue would be fixed in the next version. The vulnerability was publicly disclosed on June 29, 2012 (medium risk).

The vulnerability stems from the tilde (~) character of the old DOS 8.3 short file name (SFN) convention appearing in HTTP requests. It allows a remote attacker to disclose the names of files and folders under the web root that should not be reachable. An attacker can thereby find important files that are normally not directly accessible from outside and learn about the application infrastructure.

Information disclosure through the Microsoft IIS tilde character is the most common medium-risk vulnerability on the world's networks. The problem has existed since at least 1990, but has proven difficult to detect, difficult to fix, or easy to ignore entirely.

2. IIS short file vulnerability scope and harm

2.1 Affected versions:

IIS 1.0, Windows NT 3.51
IIS 3.0, Windows NT 4.0 Service Pack 2
IIS 4.0, Windows NT 4.0 Option Pack
IIS 5.0, Windows 2000
IIS 5.1, Windows XP Professional and Windows XP Media Center Edition
IIS 6.0, Windows Server 2003 and Windows XP Professional x64 Edition
IIS 7.0, Windows Server 2008 and Windows Vista
IIS 7.5, Windows 7 (remotely enabled or no web.config)
IIS 7.5, Windows 2008 (Classic Pipeline Mode)

Note: IIS is not affected when .NET Framework 4 is used

(Source of the above data: https://www.securityfocus.com/archive/1/523424)

It has been verified that the affected scope above applies mainly to the HTTP GET method and requires an ASP.NET application to be installed as well. The discoverer of the vulnerability disclosed further in 2014 that, in tests against IIS 7.5 (Windows 2008 R2) and IIS 8.0 (Windows 2012), IIS returns a different error message when OPTIONS is used instead of GET and the short file name in the request exists. Using this behaviour, attackers can scan for files or directories by short file name on the latest IIS versions as well.

Currently, six HTTP methods can be used for short file name guessing against IIS: DEBUG, OPTIONS, GET, POST, HEAD and TRACE. Qianlimu Laboratory verified that the short file names on IIS 8.0, IIS 8.5 and IIS 10.0 can be guessed successfully through the OPTIONS and TRACE methods. The following versions therefore have to be added to the affected list above:

IIS 8.0, Windows 8, Windows Server 2012

IIS 8.5, Windows 8.1, Windows Server 2012 R2

IIS 10.0, Windows 10, Windows Server 2016

All versions of IIS thus suffer from short file name disclosure, and Microsoft appears to have set the problem aside. Microsoft's reply to the discoverer shows that the IIS short file vulnerability does not meet its criteria for a security update, and that Microsoft would decide when to resolve it in a subsequent release.

2.2 Vulnerability hazards:

2.2.1 Using the "~" character to guess and expose short file/folder names (main hazard)

Windows supports generating MS-DOS-compatible (short) file names in 8.3 format so that MS-DOS and 16-bit Windows programs can access these files. Change to the IIS site root directory C:\inetpub\wwwroot in cmd and run "dir /x" to see the short file names:

Figure 3 IIS short file names

The screenshot shows the default site root of IIS 10.0 on Windows 10. iisstart.htm and iisstart.png are the site's default files; their name prefixes are shorter than 9 characters, so no short file name is generated for them. IIS10test.html was added manually; its prefix is 9 characters long, and its corresponding short file name is IIS10T~1.HTM. Because of this behaviour, a file can be reached indirectly by accessing its short file name.

Since the short file name has a fixed format (xxxxxx~xxxx), an attacker can brute-force the short file name directly in order to reach the corresponding file.

For example, a database backup file backup_20180101.sql has the short file name backup~1.sql, so an attacker can download the file by brute-forcing backup~1.sql without having to recover the complete file name.

IIS short file names have the following characteristics:

1. Only the first six characters are kept; the remaining characters are replaced by ~1. The number 1 is incremented when several files share the same first 6 characters of the name and the same first 3 characters of the extension;

2. The extension can have at most 3 characters; any extra characters are truncated, and a long file name whose extension exceeds 3 characters generates a short file name;

3. All lowercase letters are converted to uppercase;

4. If the long file name contains several ".", the last "." in the name determines the extension of the short file name;

5. If the long file name prefix / folder name consists only of the characters 0-9 and A-Z/a-z, a short file name is generated when the prefix is 9 characters or longer. If it contains spaces or other special characters, a short file name is generated regardless of the length;
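As an added example (not from the original article or Qianlimu Lab), the following Python models the five rules above and reports which files in a site root listing would expose a short name, which is also what an administrator wants to know about existing files after 8.3 name creation has been disabled. The listing is constructed, and the clean-up of spaces, dots and other characters that are not legal in an 8.3 name follows Windows behaviour that the rules above only mention in outline.

```python
import string
from typing import Dict, List, Optional, Set

# Rule 5: a prefix made only of these characters needs 9 or more of them
# before a short name is generated.
PLAIN_CHARS = set(string.ascii_letters + string.digits)
# Punctuation that is legal inside an 8.3 name (Windows rule, assumed here).
SFN_PUNCT = set("!#$%&'()-@^_`{}~")


def split_name(long_name: str):
    """Split at the LAST dot (rule 4); a name without a dot has no extension."""
    if "." in long_name.strip("."):
        base, _, ext = long_name.rpartition(".")
        return base, ext
    return long_name, ""


def needs_short_name(long_name: str) -> bool:
    """Rules 2 and 5: a 9+ character prefix, a >3 character extension, or any
    space/special character in the name forces a short name."""
    base, ext = split_name(long_name)
    if len(base) >= 9 or len(ext) > 3:
        return True
    return any(c not in PLAIN_CHARS for c in base + ext)


def _sfn_chars(part: str) -> str:
    """Rule 3 plus Windows clean-up: uppercase, drop spaces and dots, and
    replace anything else that is not legal in 8.3 with '_'."""
    out = []
    for c in part.upper():
        if c in " .":
            continue
        legal = c.isascii() and (c.isalnum() or c in SFN_PUNCT)
        out.append(c if legal else "_")
    return "".join(out)


def short_name(long_name: str, taken: Set[str]) -> Optional[str]:
    """Return the 8.3 name NTFS would create for long_name, or None when the
    long name already fits 8.3. `taken` holds short names already present in
    the directory, so colliding prefixes get ~2, ~3, ... (rule 1)."""
    if not needs_short_name(long_name):
        return None
    base, ext = split_name(long_name)
    prefix, suffix = _sfn_chars(base)[:6], _sfn_chars(ext)[:3]
    n = 1
    while True:
        candidate = f"{prefix}~{n}" + (f".{suffix}" if suffix else "")
        if candidate not in taken:
            taken.add(candidate)
            return candidate
        n += 1


def audit_webroot(names: List[str]) -> Dict[str, Optional[str]]:
    """Map each long name of a directory listing (in creation order) to the
    short name it would expose, or None if it exposes nothing."""
    taken: Set[str] = set()
    return {name: short_name(name, taken) for name in names}


# Constructed listing of a site root; not taken from a real server.
SAMPLE_WWWROOT = [
    "iisstart.htm", "iisstart.png", "IIS10test.html",
    "backup_20180101.sql", "backup_20180102.sql", "web.config",
    "quarterly report 2018.xlsx",
]

if __name__ == "__main__":
    for long, short in audit_webroot(SAMPLE_WWWROOT).items():
        print(f"{long:30} -> {short or '(no short name)'}")
```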

With ASP.NET enabled on IIS, the GET method can be used to enumerate short file names by brute force. The attacker sends requests to IIS containing the wildcard characters "*" and "?". When IIS receives a request whose file path contains "~", its response differs depending on whether the path matches an existing short name: the returned HTTP status code and error message are different. Based on this, an existing file can be distinguished from a non-existent one from the HTTP response alone. As the figure below shows, the information returned differs between IIS versions:

Figure 4 IIS 5.0 ~ IIS 7.X short file guessing HTTP response information

The figure, taken from the research report of the vulnerability's discoverer Soroush Dalili, illustrates the response information for valid and invalid IIS short file name guesses:

Accessing a constructed short file name that exists returns 404;

Accessing a constructed short file name that does not exist returns 400;

Figure 5 Guessing process using IIS status codes

The method above uses GET to guess repeatedly in an older IIS ASP.NET environment until the short file name is found.

However, Qianlimu Laboratory verified in a real environment that on higher IIS versions (such as IIS 8.0/IIS 8.5/IIS 10.0), guessing succeeds through the OPTIONS and TRACE methods even when ASP.NET is not installed. The HTTP status codes returned by these two methods differ slightly from the screenshots above, but they are another usable channel.
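The status-code behaviour described above can be turned around by a defender: a run of tilde-and-wildcard requests from one client, with a few 404s among 200, 400 or 501 responses, is the signature of short file name enumeration in the IIS W3C log. The following Python is an added detection example (not from the article or from any scanner it names) run over constructed log lines; the field layout follows the default IIS W3C fields, and the client addresses and timestamps are made up.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# A short-name probe carries "~" plus a digit (the 8.3 tilde) next to a wildcard.
TILDE = re.compile(r"~\d")

W3C_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
              "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken")


def parse_w3c(lines: List[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log lines, taking column names from the #Fields: header."""
    fields: List[str] = []
    records = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):          # skip malformed lines
                records.append(dict(zip(fields, values)))
    return records


def detect_tilde_enumeration(lines: List[str], min_probes: int = 5) -> Dict[str, dict]:
    """Group tilde probes by client IP and report every client that sent at
    least min_probes of them, with the methods used and the status-code mix."""
    by_client: Dict[str, list] = defaultdict(list)
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        if TILDE.search(stem) and ("*" in stem or "?" in stem):
            by_client[rec["c-ip"]].append(rec)
    report = {}
    for ip, recs in by_client.items():
        if len(recs) < min_probes:
            continue
        report[ip] = {
            "probes": len(recs),
            "methods": sorted({r["cs-method"] for r in recs}),
            "status_counts": dict(Counter(r["sc-status"] for r in recs)),
            # 404 is the "exists" answer for GET, OPTIONS and TRACE alike; the
            # "does not exist" answer is 400, 200 or 501 depending on the method.
            "hits": sorted({r["cs-uri-stem"] for r in recs if r["sc-status"] == "404"}),
        }
    return report


def _line(method: str, stem: str, client: str, status: str) -> str:
    """Build one constructed log line in the default W3C field order."""
    return (f"2018-01-01 10:00:00 10.0.0.5 {method} {stem} - 80 - {client} "
            f"curl/7.58 - {status} 0 0 1")


# Constructed log excerpt (not from a real server): one benign client, one
# client sending a single probe, and one client enumerating with OPTIONS/TRACE.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: " + W3C_FIELDS,
    _line("GET", "/iisstart.htm", "192.168.1.20", "200"),
    _line("GET", "/IIS10test.html", "192.168.1.20", "200"),
    _line("GET", "/*~1*/.aspx", "192.168.1.30", "400"),
    _line("OPTIONS", "/*~1*/.aspx", "192.168.1.77", "404"),
    _line("OPTIONS", "/A*~1*/.aspx", "192.168.1.77", "200"),
    _line("OPTIONS", "/I*~1*/.aspx", "192.168.1.77", "404"),
    _line("OPTIONS", "/II*~1*/.aspx", "192.168.1.77", "404"),
    _line("OPTIONS", "/IIS10T~1*/.aspx", "192.168.1.77", "404"),
    _line("TRACE", "/IIS10T~1*/.aspx", "192.168.1.77", "404"),
    _line("TRACE", "/Z*~1*/.aspx", "192.168.1.77", "501"),
]

if __name__ == "__main__":
    for ip, info in detect_tilde_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```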

2.2.2 .NET Framework denial of service (secondary hazard)

According to Soroush Dalili's research, if an attacker sends a request with an invalid .NET file in the folder name, the .NET Framework recursively searches all root directories, consuming website resources and causing a DoS. Microsoft considers this a recoverable DoS that will be addressed in a subsequent SP, so it is not discussed further here.

3. IIS Short File Vulnerability Reproduction and Exploitation

3.1 IIS Short File Vulnerability Reproduction

3.1.1 Vulnerability environment construction

Install the default IIS 10.0 on Windows 10 (ASP.NET not installed)

IIS short file vulnerability scanner, a Java program (the Java environment variables need to be configured)

3.1.2 Vulnerability environment debugging preparation

After IIS is installed, the inetpub directory is created on the C drive by default, and the site root is located at C:\inetpub\wwwroot. First check whether the root directory contains any short file names:


As the figure shows, the default IIS 10.0 site root has no short file names: it contains only the default htm and png files, whose name lengths do not meet the requirements for generating a short file name. Next, the IIS short file scanner is used to check whether a short file information disclosure vulnerability exists:


3.1.3 Vulnerability environment reproduction

Manually create a site file with the long name "IIS10test.html"; the corresponding short file name "IIS10T~1.HTM" is generated automatically


Scan again with the IIS short file scanner. This time the scan reports a short file vulnerability and successfully guesses the short file name through the HTTP OPTIONS method: IIS10T.HTM


Modify the vulnerability scanner, which is built around the OPTIONS method, and test whether other HTTP methods can also guess successfully.


The verification found that, in addition to the OPTIONS method, the HTTP TRACE method can also successfully guess the short file name.

3.1.4 IIS vulnerability OPTIONS and TRACE method guessing analysis

OPTIONS method guessing analysis

The OPTIONS method above sent 196 requests to guess the short file name. A successful guess returns 404 and a failed guess returns 200. Since there are many failed combinations, the following mainly analyses how the requests answered with 404 recover the short file name IIS10T.HTM through the OPTIONS method. As shown below:


TRACE method guessing analysis

Guessing through the TRACE method works basically the same way, except that when a guess fails this HTTP method returns 501 (Not Implemented) instead of 200.

3.2 IIS short file vulnerability exploitation

1. Going further: brute-forcing the full file name

A short file name obtained through the IIS short file vulnerability still has to be expanded to the full name before the file can be accessed on IIS, because IIS does not serve files by short file name for security reasons. Soroush Dalili gives several methods for guessing the full file name:

1) Crawl the target website, or websites of the same type, build a dictionary from the crawl, and use the obtained short file name to guess the remaining characters;

2) Use fuzzdb (an application fuzzing database) to guess;

3) Combine with OWASP's DirBuster (a path and web page brute-forcing tool).

Researchers on GitHub have implemented the above methods in Python and obtained the username and password of a website backend with it, making good use of the IIS short file vulnerability.

Note: research report: https://webbreacher.com/2014/10/23/tilde-enumeration/ (recommended)

Python program download: https://github.com/WebBreacher/tilde_enum (recommended)

2. Combined with software that supports short file features (Apache, WordPress)

Acunetix research points out that when Apache runs on Windows and a file with a long name is created, there is no need to guess the long name at all: the file can be downloaded directly by its short name. For example, the long file backup_20180101.sql has the short name BACKUP~1.SQL, and an attacker only has to request BACKUP~1.SQL to access and download the file directly.

In addition, some researchers have reported that, after installing a WordPress backup plugin, they successfully accessed the WordPress blog's backup file through its short file name.

3. Bypassing Basic and Windows authentication

Soroush Dalili's research also mentions that under certain IIS server configurations, Basic and Windows authentication can be bypassed to guess files in an authenticated directory. For example, to reach a file in a directory with authentication enabled, say the directory "AuthNeeded", it can be accessed as follows:

/AuthNeeded::$Index_Allocation/*~1*/.aspx or

/AuthNeeded:$I30:$Index_Allocation/*~1*/.aspx

4. IIS short file vulnerability limitations

This vulnerability has several limitations:

1) The vulnerability only reveals the first 6 characters. If the remaining characters are long or contain special characters, the full name is hard to guess;

2) If the file name itself is too short (so that no short file name exists), it cannot be guessed;

3) If the first 6 characters of the file name contain spaces, the 8.3 short file name is padded with following characters and no longer matches the real file name;


4) If the first 6 characters of a folder name contain a ".", the scanner treats it as a file rather than a folder, which eventually results in a false positive;


5) Chinese file names are not supported, for both files and folders. One Chinese character counts as two English characters, so a name of more than 4 Chinese characters generates a short file name, but IIS short name guessing does not support Chinese.

5. IIS short file vulnerability solution

5.1 General vulnerability repair solution

1) Disable NTFS 8.3 name support from CMD

Example: (1 means off, 0 means on)

Windows Server 2008 R2:

Query whether the short file name function is enabled: fsutil 8dot3name query

Turn off this function:

fsutil 8dot3name set 1

Windows Server 2003:

Turn off this feature:

fsutil behavior set disable8dot3 1

The commands differ slightly between systems. This function is enabled by default, and most users have no need for it.

2) Modify the registry to disable the short file name function

Press Win+R to open the Run window and enter regedit to open the Registry Editor

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem, and set the value of NtfsDisable8dot3NameCreation to 1 (1 means short file names are not created)

After the change, the system must be restarted for it to take effect

Note: this method only prevents the creation of new NTFS 8.3 file names. The short file names of existing files are not removed; they only disappear once the files are copied again.

The following two methods only mitigate guessing via the GET method; the other methods can still be used.

3) Turn off the Web service extension - ASP.NET

4) Upgrade the .NET Framework to version 4.0 or above

Statement
This article is reproduced from CSDN. If there is any infringement, please contact admin@php.cn for deletion.