IIS Short File/Folder Name Disclosure
I. Background
---------------------
"IIS is a web server application and set of feature extension modules created by Microsoft for use with Microsoft Windows. IIS is the third most popular server in the world." (Wikipedia)

II. Overview
---------------------
The Vulnerability Research Team discovered a vulnerability in Microsoft IIS.
The vulnerability is caused by a tilde character "~" in a GET request, which could allow remote attackers to disclose file and folder names.

III. Affected Products
---------------------------
 IIS 1.0, Windows NT 3.51
 IIS 2.0, Windows NT 4.0
 IIS 3.0, Windows NT 4.0 Service Pack 2
 IIS 4.0, Windows NT 4.0 Option Pack
 IIS 5.0, Windows 2000
 IIS 5.1, Windows XP Professional and Windows XP Media Center Edition
 IIS 6.0, Windows Server 2003 and Windows XP Professional x64 Edition
 IIS 7.0, Windows Server 2008 and Windows Vista
 IIS 7.5, Windows 7 (error remotely enabled or no web.config)
 IIS 7.5, Windows 2008 (classic pipeline mode)
 Note: Does not work when IIS uses .NET Framework 4.

IV. Binary Analysis & Exploits/PoCs
---------------------------------------
The tilde character "~" can be used to find the short names of files and folders when the website is running on IIS.
An attacker can thereby find important files and folders that are not normally visible.
In-depth technical analysis of the vulnerability and a functional exploit are available through:
http://soroush.secproject.com/blog/2012/06/microsoft-iis-tilde-character-vulnerabilityfeature-short-filefolder-name-disclosure/

V. Solution
----------------
There are still workarounds available through the vendor and security vendors.
Using a configured WAF may be useful (discarding web requests that include the tilde "~" character).

VII. References
----------------------
http://support.microsoft.com/kb/142982/en-us
http://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/
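The advisory's workaround is to drop requests carrying a tilde; the complementary detection step is to look for short-name probing in the IIS logs. The following is an added example, not part of the advisory: it parses W3C extended log lines (the field names, IP addresses and paths are constructed sample data) and flags clients that repeatedly request paths containing a "~" followed by a digit, the marker of a Windows short file name, while leaving "/~user/" style paths alone.

```python
import re
from collections import defaultdict

# Constructed IIS W3C extended log excerpt (sample data, not from the advisory).
# 203.0.113.5 sends a burst of "~1" short-name probes; the other clients are normal.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2012-06-30 10:00:01 192.0.2.10 GET /index.html - 80 198.51.100.7 200
2012-06-30 10:00:02 192.0.2.10 GET /secret~1/ - 80 203.0.113.5 404
2012-06-30 10:00:02 192.0.2.10 GET /admini~1/ - 80 203.0.113.5 404
2012-06-30 10:00:03 192.0.2.10 GET /backup~1.zip - 80 203.0.113.5 404
2012-06-30 10:00:03 192.0.2.10 GET /config~1/ - 80 203.0.113.5 400
2012-06-30 10:00:05 192.0.2.10 GET /~user/page.html - 80 198.51.100.8 200
2012-06-30 10:00:06 192.0.2.10 GET /report~2.pdf - 80 198.51.100.9 200
"""

# A tilde immediately followed by a digit is the short-name marker (e.g. FILENA~1);
# a tilde followed by a letter, as in "/~user/", is deliberately not matched.
SHORT_NAME_RE = re.compile(r"~\d")

def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_probes(text):
    """Return {client_ip: [uri, ...]} for requests whose stem or query carries a short-name marker."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        query = "" if rec["cs-uri-query"] == "-" else "?" + rec["cs-uri-query"]
        target = rec["cs-uri-stem"] + query
        if SHORT_NAME_RE.search(target):
            hits[rec["c-ip"]].append(target)
    return dict(hits)

def suspects(text, threshold=3):
    """Clients with at least `threshold` probe requests, most active first.
    A single hit on a genuinely short-named file (report~2.pdf) stays below it."""
    counts = ((ip, len(uris)) for ip, uris in find_probes(text).items())
    return sorted((c for c in counts if c[1] >= threshold), key=lambda c: -c[1])

if __name__ == "__main__":
    for ip, count in suspects(SAMPLE_LOG):
        print(f"{ip}: {count} short-name probes")
```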