Multiple vulnerabilities found in IIS 6.0 and 7.5 web servers. On the Full-Disclosure mailinglist Kingcope posted several IIS 6.0 and 7.5 bugs. Because I am a Windows Server and IIS admin, I took some time to test the various vulnerabilities ...
The posted Windows bugs Kingcope posted are:
- Microsoft IIS 7.5 .NET source code disclosure and authentication bypass
- Microsoft IIS 7.5 Classic ASP Authentication Bypass
- Microsoft IIS 6.0 with PHP installed Authentication Bypass
I was successful in reproducing the Microsoft IIS 7.5 .NET source code disclosure and authentication bypass but couldn't reproduce the "Microsoft IIS 7.5 Classic ASP Authentication Bypass" and "Microsoft IIS 6.0 with PHP installed Authentication Bypass" vulnerabilities, unfortunately.
Microsoft IIS 7.5 .NET source code disclosure
In my limited time I could only verify the IIS 7.5 .NET source code disclosure vulnerability.
For the vulnerability to be effective, the Path Type of the PHP Handler must remain unconfigured (Type="Unspecified"). For any request on a file using the .NET Framework, such as ASPX, that is not blocked through the request filtering rules (like misconfigured .CS,.VB files), IIS will return the full source code of the file.
And executes it as PHP code! All you have to do is append /.php to the URI:
http://www.example.com/vuln.aspx/.phpIt might also be possible to execute arbitrary PHP code under special circumstances.
Workarounds for Microsoft IIS 7.5 .NET source code disclosure
There are several workarounds available, fortunately.
Configure the PHP handler properly in IIS
A proper configured IIS web server has its Request Restrictions (resourceType) set to File in the PHP handler. Having this not configured, it gives you a nasty error message ("No input file specified"), if the requested file doesn't exist.
If not configured, fix it with AppCmd.exe:
appcmd set config /section:system.webServer/handlers
"-+[name=`'PHP`',
path=`'*.php`',
verb=`'*`',
modules=`'FastCgiModule`',
scriptProcessor=`'path\to\php-cgi.exe`',
resourceType=`'File`']"If you're unable to, you can deny certain URL sequences using IIS URL Rewrite or Helicon Ape.
deny URL sequence using IIS URL Rewrite module
In your web.config file, add
<rewrite>
<rules>
<rule name="DenyPHPafterASPX" stopProcessing="true">
<match url=".?" ignoreCase="true" />
<conditions logicalGrouping="MatchAll">
<add input="{URL}" pattern="^/(.*\.aspx)/(.*\.php)$" />
</conditions>
<action type="CustomResponse"
url="/"
statusCode="403"
statusReason="Forbidden"
statusDescription="Forbidden" />
</rule>
</rules>
</rewrite>deny URL sequence using IIS Request Filtering module
In your web.config file, add
<configuration>
<system.webServer>
<security>
<denyUrlSequences>
<add sequence=".aspx/.php" />
</denyUrlSequences>
</security>
</system.webServer>
</configuration>or in Helicon APe's .htaccess file:
RewriteEngine On
# DenyPHPafterASPX
RewriteCond %{REQUEST_URI} ^/(.*\.aspx)/(.*\.php)$ [NC]
RewriteRule .? / [F,L]Important: The URL Rewrite and Helicon Ape rewrite rules must be made for any .NET Framework file extension, like .aspx, .vb, .cs, and so on.
You can use AppCmd.exe to configure these, if not already. For example:
appcmd set config /section:system.webServer/security/requestFiltering
/+"fileExtensions.[fileExtension='.aspx',allowed='False']"
appcmd set config /section:system.webServer/security/requestFiltering
/+"fileExtensions.[fileExtension='.vb',allowed='False']"
appcmd set config /section:system.webServer/security/requestFiltering
/+"fileExtensions.[fileExtension='.htaccess',allowed='False']"Microsoft IIS 6.0 with PHP installed Authentication Bypass
Kingcope replied that the IIS 6.0 PHP authentication bypass is only possible on Windows Server 2003 SP1. SP2 seems unaffected.
Microsoft IIS 7.5 Classic ASP Authentication Bypass
On two different server-environments, I was unable to reproduce the Classic ASP authentication bypass.
A web server with the .NET Framework version 4.0.30319.237 returns an HttpException after adding ::$INDEX_ALLOCATION to the directory name:
[HttpException (0x80004005): A potentially dangerous Request.Path value
was detected from the client (:).]
System.Web.HttpRequest.ValidateInputIfRequiredByConfig() +9016361
System.Web.PipelineStepManager.ValidateHelper(HttpContext context) +59A second web server with the .NET Framework version 4.0.30319.269 returns a 401.2 - Unauthorized status. I tested with the following browsers: Google Chrome, Mozilla Firefox and Internet Explorer 9, as Kingcope thought that might make a difference.
Thank you very much! <3 ❤️
Hi, my name is Jan. I am not a hacker, coder, developer or guru. I am merely an application manager / systems administrator, doing my daily thing at Embrace – The Human Cloud. In the past I worked at CLDIN (CLouDINfra) and Vevida. With over 20 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization. I blog at https://www.saotn.org.
