Multiple IIS 6.0/7.5 Vulnerabilities

Multiple vulnerabilities found in IIS 6.0 and 7.5 web servers. On the Full-Disclosure mailing list Kingcope posted several IIS 6.0 and 7.5 bugs. Because I am a Windows Server and IIS admin, I took some time to test the various vulnerabilities …

The Windows bugs Kingcope posted are:

  • Microsoft IIS 7.5 .NET source code disclosure and authentication bypass
  • Microsoft IIS 7.5 Classic ASP Authentication Bypass
  • Microsoft IIS 6.0 with PHP installed Authentication Bypass

I was successful in reproducing the Microsoft IIS 7.5 .NET source code disclosure and authentication bypass but couldn’t reproduce the “Microsoft IIS 7.5 Classic ASP Authentication Bypass” and “Microsoft IIS 6.0 with PHP installed Authentication Bypass” vulnerabilities, unfortunately.

Microsoft IIS 7.5 .NET source code disclosure

In my limited time I could only verify the IIS 7.5 .NET source code disclosure vulnerability.

For the vulnerability to be effective, the Path Type of the PHP Handler must remain unconfigured (Type="Unspecified"). For any request on a file using the .NET Framework, such as ASPX, that is not blocked through the request filtering rules (like misconfigured .CS, .VB files), IIS will return the full source code of the file.

IIS also executes it as PHP code! All you have to do is append /.php to the URI:

http://www.example.com/vuln.aspx/.php

It might also be possible to execute arbitrary PHP code under special circumstances.

Workarounds for Microsoft IIS 7.5 .NET source code disclosure

There are several workarounds available, fortunately.

Configure the PHP handler properly in IIS
A properly configured IIS web server has its Request Restrictions (resourceType) set to File in the PHP handler. When this is not configured, PHP gives you a nasty error message (“No input file specified”) if the requested file doesn’t exist.

If not configured, fix it with AppCmd.exe:

# PowerShell: the trailing backtick continues the command on the next line
appcmd set config /section:system.webServer/handlers `
  "-+[name=`'PHP`',path=`'*.php`',verb=`'*`',modules=`'FastCgiModule`',scriptProcessor=`'path\to\php-cgi.exe`',resourceType=`'File`']"
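To find handler mappings that are still in the state described above, the following added example (not code from the original post) parses a web.config or applicationHost.config and reports every PHP handler whose resourceType is not File. The sample configuration, the handler names in it and the heuristic for recognising a PHP handler are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: two PHP handler mappings, one without resourceType.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <handlers>
      <add name="PHP" path="*.php" verb="*" modules="FastCgiModule"
           scriptProcessor="C:\php\php-cgi.exe" />
      <add name="PHP-safe" path="*.php" verb="*" modules="FastCgiModule"
           scriptProcessor="C:\php\php-cgi.exe" resourceType="File" />
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule"
           resourceType="Either" />
    </handlers>
  </system.webServer>
</configuration>"""


def is_php_handler(attrs):
    """Heuristic (assumption): mapped to *.php or to a PHP script processor."""
    path = attrs.get("path", "").lower()
    proc = attrs.get("scriptProcessor", "").lower()
    return path.endswith(".php") or "php" in proc


def audit_php_handlers(config_xml):
    """Return (name, resourceType, ok) for every PHP handler mapping."""
    root = ET.fromstring(config_xml)
    results = []
    # .//handlers also covers mappings nested inside <location> elements.
    for add in root.iterfind(".//handlers/add"):
        if not is_php_handler(add.attrib):
            continue
        # IIS treats a missing resourceType attribute as "Unspecified".
        rtype = add.get("resourceType", "Unspecified")
        results.append((add.get("name"), rtype, rtype == "File"))
    return results


def unsafe_handlers(config_xml):
    """Names of PHP handlers that still need resourceType set to File."""
    return [name for name, _, ok in audit_php_handlers(config_xml) if not ok]


if __name__ == "__main__":
    for name, rtype, ok in audit_php_handlers(SAMPLE_CONFIG):
        print(f"{name}: resourceType={rtype} -> {'ok' if ok else 'FIX'}")
```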

If you’re unable to, you can deny certain URL sequences using IIS URL Rewrite or Helicon Ape.

Deny URL sequence using IIS URL Rewrite module
In your web.config file, add

<rewrite>
  <rules>
    <rule name="DenyPHPafterASPX" stopProcessing="true">
      <match url=".?" ignoreCase="true" />
      <conditions logicalGrouping="MatchAll">
        <add input="{URL}" pattern="^/(.*\.aspx)/(.*\.php)$" />
      </conditions>
      <action type="CustomResponse"
        url="/"
        statusCode="403"
        statusReason="Forbidden"
        statusDescription="Forbidden" />
    </rule>
  </rules>
</rewrite>

Deny URL sequence using IIS Request Filtering module
In your web.config file, add

<configuration>
  <system.webServer>
    <security>
      <!-- denyUrlSequences is a child of requestFiltering -->
      <requestFiltering>
        <denyUrlSequences>
          <add sequence=".aspx/.php" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

Or in Helicon Ape’s .htaccess file:

RewriteEngine On
# DenyPHPafterASPX
RewriteCond %{REQUEST_URI} ^/(.*\.aspx)/(.*\.php)$ [NC]
RewriteRule .? / [F,L]

Important: The URL Rewrite and Helicon Ape rewrite rules must be made for any .NET Framework file extension, like .aspx, .vb, .cs, and so on.

You can use AppCmd.exe to configure these, if they are not configured already. For example:

appcmd set config /section:system.webServer/security/requestFiltering /+"fileExtensions.[fileExtension='.aspx',allowed='False']"
appcmd set config /section:system.webServer/security/requestFiltering /+"fileExtensions.[fileExtension='.vb',allowed='False']"
appcmd set config /section:system.webServer/security/requestFiltering /+"fileExtensions.[fileExtension='.htaccess',allowed='False']"
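The deny rules above each cover one extension, while the note says every .NET Framework extension needs one. As an added example (not code from the original post), this sketch generalises the article's pattern to a list of extensions and runs it over an IIS W3C log to show which matching requests were answered rather than denied. The log excerpt is constructed, and every extension beyond .aspx, .vb and .cs is an assumption.

```python
import re

# .aspx, .vb and .cs come from the article; the other extensions are an
# assumption and should be adjusted to what the site really serves.
NET_EXTENSIONS = ("aspx", "ashx", "asmx", "cs", "vb")

# Same shape as the article's rule ^/(.*\.aspx)/(.*\.php)$, for every extension.
SUSPECT = re.compile(
    r"^/(.*\.(?:%s))/(.*\.php)$" % "|".join(NET_EXTENSIONS), re.IGNORECASE)

# Constructed IIS W3C log excerpt (documentation addresses, not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-substatus
2024-01-01 10:00:01 GET /default.aspx - 192.0.2.10 200 0
2024-01-01 10:00:05 GET /vuln.aspx/.php - 192.0.2.77 200 0
2024-01-01 10:00:09 GET /App_Code/Db.CS/x.PHP - 192.0.2.77 403 0
2024-01-01 10:00:12 GET /blog/index.php - 192.0.2.10 200 0
"""


def find_suspect_requests(log_text):
    """Return (client_ip, uri_stem, status, served) for matching log entries."""
    fields = []
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        stem = row.get("cs-uri-stem", "")
        if SUSPECT.match(stem):
            status = int(row.get("sc-status", "0"))
            # 2xx means the request was answered instead of denied by a rule.
            hits.append((row.get("c-ip"), stem, status, 200 <= status < 300))
    return hits


if __name__ == "__main__":
    for ip, stem, status, served in find_suspect_requests(SAMPLE_LOG):
        print(f"{ip} {stem} -> {status} {'SERVED' if served else 'denied'}")
```

Entries reported as served are the ones to review first, since no workaround stopped them.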

Microsoft IIS 6.0 with PHP installed Authentication Bypass

Kingcope replied that the IIS 6.0 PHP authentication bypass is only possible on Windows Server 2003 SP1. SP2 seems unaffected.

Microsoft IIS 7.5 Classic ASP Authentication Bypass

On two different server-environments, I was unable to reproduce the Classic ASP authentication bypass.

A web server with the .NET Framework version 4.0.30319.237 returns an HttpException after adding ::$INDEX_ALLOCATION to the directory name:

[HttpException (0x80004005): A potentially dangerous Request.Path value
was detected from the client (:).]
 System.Web.HttpRequest.ValidateInputIfRequiredByConfig() +9016361
 System.Web.PipelineStepManager.ValidateHelper(HttpContext context) +59

A second web server with the .NET Framework version 4.0.30319.269 returns a 401.2 – Unauthorized status. I tested with the following browsers: Google Chrome, Mozilla Firefox and Internet Explorer 9, as Kingcope thought that might make a difference.

Jan Reilink

Hi, my name is Jan. I am not a hacker, coder, developer or guru. I am merely an application manager / systems administrator, doing my daily thing at Embrace - The Human Cloud. In the past I worked for clidn and Vevida. With over 20 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization. I blog at https://www.saotn.org.