Heads up – Microsoft IIS File Extension Processing Security Bypass Vulnerability

Update – 30th Dec
MSRC response to the vulnerability claim.

http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx
The IIS team is working on a patch for this so-called inconsistency feature :)


>>
Well, this was reported on Christmas Eve :) regarding a file extension bypass on IIS 5.x/6.x.
Read the vulnerability details here; I have yet to test it myself, but after reading the doc, this is not as bad as I would have expected.


I mean, if you have (1) uploads allowed, (2) execution allowed on the upload path, and (3) the worker process hosting the app running with high privileges, then with or without this bypass there is IMHO not much difference :)

Of course, you may argue that validation is done at the upload page, say by scanning the file extension, etc. In this case, yes, it will 'slip' through that validation, yet you can also put in more validation: scan the content before writing the file, scan for <%, check the file type or header, and so on. ha! I'm not a coder, but this can be done, right?
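Here is what that extra layer of validation can look like, as an added example that is not from the original post or from Microsoft: the upload handler checks the whole filename against a strict pattern (so double extensions and odd separators never reach the filesystem), checks the extension against an allowlist, compares the file header (magic bytes) with the declared type, and finally scans the content for script markers such as `<%`. The allowlist, the magic-byte table, the marker list and the sample inputs are all constructed for this example.

```python
import re

# Constructed allowlist for this example: only static content types are accepted.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Expected file headers (magic bytes) for each allowed type.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Script markers that have no business inside an image or document upload.
SCRIPT_MARKERS = (b"<%", b"<script", b"<?php")

# Exactly one dot, a short alphanumeric name and extension, nothing else.
# Rejecting any other separator up front means the server never has to reason
# about how IIS would parse a name with extra dots, semicolons or colons.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}$")


def validate_upload(filename: str, content: bytes):
    """Return (accepted, reason) for an uploaded file, checking the name,
    the extension, the header bytes and the body in that order."""
    # 1. Whole-name check: only one extension, only safe characters.
    if not SAFE_NAME.match(filename):
        return False, "filename has disallowed characters or multiple extensions"

    # 2. Extension allowlist (case-insensitive).
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not in allowlist"

    # 3. Header check: the bytes must look like the type the name claims.
    if not content.startswith(MAGIC[ext]):
        return False, "content header does not match declared type"

    # 4. Body scan: no server-side script markers anywhere in the file.
    lowered = content.lower()
    for marker in SCRIPT_MARKERS:
        if marker in lowered:
            return False, f"content contains script marker {marker!r}"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        ("photo.jpg", b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 16),
        ("page.asp", b"<% Response.Write(1) %>"),
        ("photo.jpg.txt", b"\xff\xd8\xff\xe0"),
        ("photo.jpg", b"<% Response.Write(1) %>"),
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"<% Response.Write(1) %>"),
    ]
    for name, body in samples:
        print(name, validate_upload(name, body))
```

The order matters: the cheap filename checks run first so a bad name is never written anywhere, and the header and body checks catch the case where the name passes but the bytes are not what the name claims. Storing the accepted file under a server-generated name rather than the user-supplied one is a further step in the same direction.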

Anyway, from the sysadmin side, what you can do is make sure logging is in place so that, even if something really happens, you can trace the culprit; disable the Scripts and Executables web permission on the upload path; grant write access only to trusted users, etc. If you have anonymous write access, you are waiting to get p@wned sooner or later :)

Lastly, the moral of the story is: good defense in depth does not depend solely on the product itself (i.e. no bug, no exploit, etc.). You need to assess your business requirements, budget, etc., have a good sense of the overall setup, understand best practices, and lock down as much as you can :) ports, services, access levels, etc. Give the user as much pain as you can :) without causing any loss of business productivity.

Cya and have a happy holiday.
