Introducing the repair of IIS short file name leak vulnerability

1. What is IIS

Internet Information Services (IIS, formerly known as Internet Information Server) Internet Information Services is a Microsoft The scalable web server provided by the company supports HTTP, HTTP/2, HTTPS, FTP, FTPS, SMTP and NNTP, etc. Initially used in the Windows NT series, it was later built into Windows 2000, Windows XP Professional, Windows Server 2003 and subsequent versions, but there is no IIS on the Windows XP Home version. IIS is currently only available for Windows systems and not for other operating systems.

According to data from Netcraft in February 2017, IIS had a market share of 10.19% among the "Millions of Busiest Websites", becoming the third largest network server in the world , behind Apache at 41.41% and Nginx at 28.34%. Currently, the popular Windows versions have the IIS service installed by default. However, the security of IIS has been criticized by the industry. Once a high-risk vulnerability appears in IIS, the threat will be very serious.

Recommended (free): iis

Before touching the IIS vulnerability, let’s first understand the default built-in IIS version under different Windows systems. In order to better understand and distinguish the scope of impact of IIS vulnerabilities:

Figure 1 Default IIS version of each Windows version

2. Complete list of IIS vulnerabilities

Qianlimu Lab has collected IIS-related vulnerabilities in the past fifteen years. There are a total of 39 medium and high-risk vulnerabilities, including the (MS15-034) HTTP.sys remote code execution vulnerability that broke out in 2015 and the 2016 The (MS16-016) WebDAV privilege escalation vulnerability is particularly widespread.

Figure 2 A complete list of IIS vulnerabilities in the past 15 years

After reading the above IIS vulnerabilities in the past ten years, you may ask, why didn’t you see it? What about the protagonist of this article, "IIS Short File Vulnerability"? ! Before understanding the IIS vulnerability family, we first learn about some features of IIS under Windows through IIS short files.

3. IIS short file

1. The origin of the IIS short file vulnerability

Microsoft IIS short file/folder The name information leak was first discovered by Soroush Dalili of the Vulnerability Research Team on August 1, 2010, and the vendor (Microsoft Corporation) was notified on August 3, 2010. Microsoft responded on December 1, 2010 and January 4, 2011 that the next version would be fixed. On June 29, 2012, this vulnerability was publicly disclosed (medium risk).

This vulnerability is actually caused by the old DOS 8.3 Name Convention (SFN) tilde (~) tilde in HTTP requests. It allows remote attackers to expose file and folder names under the web root (which should not be accessible). An attacker can find important files that are usually not directly accessible from the outside and obtain information about the application infrastructure.

Information disclosure caused by Microsoft IIS tilde is the most common medium-risk vulnerability on the world's networks. This problem has been around since at least 1990, but has proven difficult to detect, difficult to solve, or easy to ignore entirely.

2. IIS short file vulnerability scope and harm

2.1 Affected versions:

##IIS 1.0, Windows NT 3.51

IIS 3.0, Windows NT 4.0 Service Pack 2
IIS 4.0, Windows NT 4.0 Option Pack
IIS 5.0, Windows 2000
IIS 5.1, Windows XP Professional and Windows XP Media Center Edition
IIS 6.0, Windows Server 2003 and Windows XP Professional x64 Edition
IIS 7.0, Windows Server 2008 and Windows Vista
IIS 7.5, Windows 7 (remotely enabled or no web.config)

IIS 7.5, Windows 2008 (Classic Pipeline Mode)

Note: IIS is not affected when using .Net Framework 4

(Above data source:

https://www.securityfocus.com/archive/1/523424)

It has been verified that the above affected scope is mainly for the HTTP GET method, and requires the installation of ASP.NET applications at the same time. The discoverer of this vulnerability disclosed again in 2014: During testing of IIS 7.5 (Windows 2008 R2) and IIS 8.0 (Windows 2012), when OPTIONS is used instead of the GET method, if the short file name in the request exists, IIS A different error message will be returned. Taking advantage of this feature, attackers can implement file or directory scanning based on short file names in the latest IIS version.

Currently, IIS supports six HTTP methods for short file name guessing: DEBUG, OPTIONS, GET, POST, HEAD, and TRACE. Verified by Qianlimu Laboratory, the short file names of IIS 8.0, IIS 8.5, and IIS 10.0 File names can be guessed successfully through the OPTIONS and TRACE methods. Therefore, the above affected versions need to be added with the following versions:

IIS 8.0, Windows 8, Windows Server 2012

IIS 8.5, Windows 8.1, Windows Server 2012 R2

IIS 10.0, Windows 10, Windows Server 2016

It can be seen that all versions of IIS have the problem of short file name leakage, and Microsoft seems to have ignored this problem. It can be seen from Microsoft's reply to the discoverer of the vulnerability that the IIS short file vulnerability does not meet security update standards, and it needs to determine when it will be resolved in the next logical version.

2.2 Vulnerability hazards:

2.2.1 Using the "~" character to guess and expose short file/folder names (main hazard)

Windows Support for generating MS-DOS-compatible (short) filenames in 8.3 format to allow MS-DOS or 16-bit Windows-based programs to access these files. Enter the IIS website root directory C:\inetpub\wwwroot under cmd and enter "dir /x" to see the effect of the short file name:

Figure 3 IIS short file Name

The picture above is the default site root directory of IIS 10.0 built in Windows 10. iisstart.htm and iisstart.png are the default files of the website. The length of the file name prefix characters does not reach 9 characters, so there is no short file name. IIS10test.html is a website file added manually. The file name prefix character length reaches 9 characters, and the corresponding short file name is IIS10T~1.HTM. According to this feature, we can indirectly access its corresponding file by accessing the short file name.

Since the length of the short file name is fixed (xxxxxx~xxxx), the attacker can directly brute force the short file name to access the corresponding file.

For example, there is a database backup file backup_20180101.sql, and its corresponding short file name is backup~1.sql. Therefore, the attacker can download the file by brute force cracking backup~1.sql without cracking the complete file name.

IIS short file names have the following characteristics:

1. Only the first six characters are displayed directly, and subsequent characters are designated by ~1. The number 1 can also be incremented if there are multiple files with similar file names (the first 6 digits of the name must be the same, and the first 3 digits of the suffix name must be the same);

2. The suffix name can only have a maximum of 3 digits, which is redundant are truncated, long files with more than 3 characters will generate short file names;

3. All lowercase letters are converted to uppercase letters;

4. Long file names contain multiple ". ”, use the last “.” in the file name as the short file name suffix;

5. The long file name prefix/folder name character length conforms to the range of 0-9 and Aa-Zz and needs to be greater than or equal to 9 characters. A short file name will be generated. If it contains spaces or other special characters, a short file will be generated regardless of the length;

We can use the GET method to violently enumerate short file names under IIS with .net enabled. The reason is that the attacker uses wildcard characters "*" and "?" to send a request to IIS. When IIS receives a file path containing a "~" request, its response is different, that is, the returned HTTP status code and error message different. Based on this feature, an available or unavailable file can be distinguished based on the HTTP response. As shown in the figure below, the information returned by different IIS versions is different:

Figure 4 IIS 5.0 ~ IIS 7.X short file guessing HTTP response information

The picture is an illustration of the legal and illegal IIS short file guessing response information given by Soroush Dalili, the discoverer of this vulnerability, in his research report:

Accessing an existing short file name constructed will return 404;

Accessing a constructed short file name that does not exist will return 400;

Figure 5 Using IIS status code guessing process

The above method is to use the GET method to guess repeatedly in a lower version of IIS ASP.NET environment until the short file name is guessed.

However, Qianlimu Laboratory verified in the real environment that in higher versions of IIS (such as: IIS 8.0/IIS 8.5/IIS 10.0), even if asp.net is not installed, through the OPTIONS and TRACE methods You can guess successfully. The HTTP status code types returned by these two methods are slightly different from the above screenshots, but they are another way to use them.

2.2.2 .Net Framework Denial of Service Attack (Side Hazard)

According to research by Soroush Dalili, if an attacker sends an illegal .Net file in the folder name request, .NeFramework will recursively search all root directories, consuming website resources and causing DOS problems. Microsoft believes that this hazard is recoverable DOS and will be modified in subsequent SP versions, so it will not be discussed here.

3. IIS Short File Vulnerability Recurrence and Exploitation     

##3.1 IIS Short File Vulnerability Recurrence

3.1.1 Vulnerability environment construction

Install the default IIS 10.0 based on Win 10 (APS.NET is not installed)

IIS short file vulnerability scanning Java program (Java environment needs to be configured Variables)

3.1.2 Vulnerability environment debugging preparation

After IIS is successfully installed, the intpub directory will be generated in the C drive directory by default. The root directory of the website is located in C:\inetpub\ wwwroot. At this time, check whether there is a short file name in the root directory:

As can be seen from the above figure, the default IIS 10.0 website root directory does not have short file names, only default htm and png files, and the name length does not meet the requirements for generating short files. The following uses the IIS short file scanner to detect whether there is a short file information leakage vulnerability:

3.1.3 Vulnerability environment reproduction

Manually create website long files Name "IIS10test.html", automatically generate the corresponding short file name "IIS10T~1.HTM"

Use the IIS short file scanner to scan again, and the scan found that there is a short file vulnerability. , and successfully guessed the short file name through the HTTP OPTIONS method: IIS10T.HTM

##Modify the vulnerability scanner, pay attention to the OPTIONS method, and try whether There are other HTTP methods that can be guessed successfully.

The verification found that in addition to the OPTIONS method, the HTTP

TRACE method can also successfully guess the short file name.

3.1.4 IIS vulnerability OPTIONS and TRACE method guessing analysis

OPTIONS method guessing analysis

Because the above OPTIONS method requested 196 times to guess the short file name, If the guess is successful, 404 will be returned. If the guess is failed, 200 will be returned. There are many failed combinations, so the following mainly analyzes how the request with successful 404 guess can obtain the short file name IIS10T.HTM through the OPTIONS method. As shown below:

TRACE method guessing analysis

The process of guessing through the TRACE method is basically the same as above, except that this HTTP method The status code returned when guessing fails is not 200, but

501 (not executed).

3.2 IIS short file vulnerabilityExploit

1. Go deeper Exploding the full name of the file to guess

The short file name guessed through the IIS short file vulnerability needs to continue to guess the full name before it can be accessed on IIS, that is, IIS does not support short file name access due to security reasons. The following are several methods for guessing the full name of a file given by Soroush Dalili:

1) By crawling the target website or websites of the same type, crawl out and build a dictionary library, and then use the obtained short file name to Guess the remaining characters;

2) Use fuzzdb (an application fuzzing database) to guess;

3) Combined with OWASP's dirbuster (a path and web page brute force cracking tools).

There are researchers on Github who have used python to implement the above method, and obtained the username and password of the website backend, making good use of the IIS short file vulnerability.

Note: Research report address: https://webbreacher.com/2014/10/23/tilde-enumeration/ (recommended)

Python program download: https://github.com /WebBreacher/tilde_enum (recommended)

2. Combined with software that supports short file features (Apache, WordPress)

Acunetix research points out that when Apache is running under windows, if a long file is created, then No need to guess long files, you can download the short files directly. For example, a long file of backup_20180101.sql has a short file of BACKUP~1.SQL. An attacker only needs to submit BACKUP~1.SQL to directly access and download the file.

In addition, some scholars stated that after installing the WordPress backup plug-in, they successfully accessed the backup file of the WordPress blog through the short file name.

3. Bypassing Basic and Windows authentication

Soroush Dalilide’s research also mentioned that under certain IIS server configurations, Basic and Windows authentication can be bypassed. Guess the authentication directory. document. For example, if you need to access a file in a directory with authentication enabled, for example, this directory is "AuthNeeded", you can access it in the following way:

/AuthNeeded::$Index_Allocation/*~1*/.aspx or

/AuthNeeded:$I30:$Index_Allocation/*~1*/.aspx

4.

IIS short file vulnerability limitations

This vulnerability There are several limitations:

1) This vulnerability can only determine the first 6 characters. If the following characters are too long or contain special characters, it is difficult to guess;

2) If The file name itself is too short (no short file name) and cannot be guessed;

3) If the first 6 digits of the file name contain spaces, the short file name in the 8.3 format will be supplemented and does not match the real file name;

4) If the first 6 characters of the folder name are dotted with ".", the scanner will think it is a file instead of a folder, and eventually a false alarm will appear;

5) Chinese file names are not supported, including Chinese files and Chinese folders. One Chinese character is equivalent to two English characters, so more than 4 Chinese characters will generate a short file name, but IIS does not support Chinese guessing.

5. IIS short file vulnerability solution

5.1 General vulnerability repair solution

1) CMD closes NTFS 8.3 files Format support

Example: (1 means off, 0 means on)

Windows Server 2008 R2:

Query whether the short file name function is turned on:fsutil 8##dot3name query

Turn off this function:

fsutil 8dot3name set 1

Windows Server 2003:

Turn off this feature:

fsutil behavior set disable8dot3 1

The shutdown commands of different systems are slightly different. This function is enabled by default and does not need to be enabled for most users.

2) Modify the registry to disable the short file name function

Shortcut key Win R to open the command window, enter regedit to open the registry window

Find the path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem, set the value of NtfsDisable8dot3NameCreation to 1, 1 means not to create a short file name format

After the modification is completed, you need to restart the system to take effect

Note: This method can only prohibit the creation of NTFS8.3 format file names. The short file names of existing files cannot be removed and need to be copied again before they disappear.

The following two methods are only suitable for mitigating the GET method, other methods can still be guessed.

3) Turn off the Web service extension - ASP.NET

4) Upgrade netFramework to version 4.0 or above

The above is the detailed content of Introducing the repair of IIS short file name leak vulnerability. For more information, please follow other related articles on the PHP Chinese website!