Noise Filter: Researcher's Claim of IIS Flaw Sparks Debate

Every now and then, a controversial issue triggers a flood of online discourse. For our Noise Filter feature, the WHIR pans the raging rivers of opinion for shining nuggets of useful commentary.

(WEB HOST INDUSTRY REVIEW) — On Christmas Day, security researcher Soroush Dalili delivered a rather unfortunate present to users of Microsoft Internet Information Services (www.iis.net), when he issued a research note alerting them to what he called a highly critical new zero-day flaw in IIS, though Microsoft has disputed the impact of the issue.

According to Dalili, the vulnerability could potentially make it possible for hackers to breach existing security features and upload malicious code to any affected computer.

A few days later, Microsoft downplayed the severity of the supposed flaw, asserting that customers using IIS 6.0 in the default configuration or following best practices will have no issues.

This has been an ongoing issue with the Web server product. In May 2009, reports began to surface that a vulnerability was found in older versions of Microsoft IIS.

At the time, the software giant admitted there was an “elevation of privilege” flaw in the way the WebDAV extension for IIS handles HTTP requests, which attackers could exploit by sending a specially crafted anonymous HTTP request to gain access to a location that would normally require authentication.

By September, Microsoft still had not patched the flaw. It issued a security advisory warning of a flaw in the FTP service in IIS 5.0, 5.1 and 6.0, which could allow remote code execution.

In the research note, Dalili warned that the vulnerability affects IIS 6 and earlier versions. IIS 7 had not yet been tested, and he confirmed that version 7.5 was safe.

He explains how the flaw works in the paper, which he released on his website:

IIS can execute any extension as an Active Server Page or any other executable extension. For instance “malicious.asp;.jpg” is executed as an ASP file on the server.

Many file uploaders protect the system by checking only the last section of the filename as its extension. By using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file to the server.

In the comments section of his blog post, Soroush writes:

In some cases, although you can gain access to the admin panel of the Web site, you can only upload some images. Now, perhaps you can bypass it and upload a Web shell to read all the source code, download some important data, and so on.
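To make the semicolon behaviour Dalili describes concrete from the defender's side, here is an added example (not from the article, not from Dalili's paper or Microsoft) that models the IIS 6 mapping the article describes and contrasts a last-extension-only upload check with a hardened one. The extension lists and forbidden-character set are constructed assumptions.

```python
"""Upload-filename checks modelled on the IIS 6 semicolon issue.

Added example. The server behaviour is modelled on the article's description
("malicious.asp;.jpg" is executed as ASP); the lists below are assumptions.
"""
import os
from typing import Tuple

# Constructed allow-list for an "images only" uploader.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png"}
# Extensions IIS hands to a script engine; ".asp" is from the article,
# the others are assumed for illustration.
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".asa"}
# Characters that let the name the uploader checks differ from the path the
# server maps: ';' (the IIS 6 inconsistency), plus path and NTFS stream
# separators as a defensive assumption.
FORBIDDEN_CHARS = set(";:/\\\x00")


def naive_extension(filename: str) -> str:
    """What many uploaders check: only the text after the last dot."""
    return os.path.splitext(filename)[1].lower()


def iis6_effective_extension(filename: str) -> str:
    """Model of the IIS 6 behaviour in the article: the path is cut at the
    first ';' before a handler is chosen, so the extension to the left of
    the semicolon is the one that matters."""
    return os.path.splitext(filename.split(";", 1)[0])[1].lower()


def naive_allow(filename: str) -> bool:
    """Vulnerable check: trusts the last extension only."""
    return naive_extension(filename) in IMAGE_EXTENSIONS


def server_would_execute(filename: str) -> bool:
    """Would the modelled IIS 6 run this upload as a script?"""
    return iis6_effective_extension(filename) in SCRIPT_EXTENSIONS


def hardened_allow(filename: str) -> Tuple[bool, str]:
    """Reject any name whose server-side interpretation could differ from
    the checked extension; returns (allowed, reason)."""
    if any(c in FORBIDDEN_CHARS for c in filename):
        return False, "forbidden character in filename"
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "expected exactly one extension"
    if "." + parts[1] not in IMAGE_EXTENSIONS:
        return False, "extension not in allow-list"
    return True, "ok"
```

The gap between `naive_allow` and `server_would_execute` on "malicious.asp;.jpg" is the bypass the article describes; `hardened_allow` closes it by refusing names whose checked extension and mapped extension can disagree.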

Meanwhile, other security news and advisory sites debated the severity of the vulnerability. Security news website SpamFighter writes:

Incidentally, the exploration of the flaw continues and some disagreements have emerged about its seriousness. While Dalili assigns the flaw a “highly critical” rating, Secunia, the vulnerability tracker, calls it “less critical.”

In a blog post, Symantec’s Patrick Fitzgerald said the vulnerability might very well be a cause for concern. He writes:

Essentially your site is at risk if it:

1. Runs on IIS.
2. Allows files to be uploaded.
3. Has execute permissions for the directory where the uploaded files are stored.

On December 28, Metasploit added support into their framework to allow exploitation of this issue. This makes it trivial to compromise badly configured servers as outlined above. This development could see a rise in exploitation of this issue.

With information on this issue in the public domain and tools available to easily exploit this issue we urge everyone to ensure their Web applications are properly configured.

On December 30th, The Register reported that Microsoft responded to these reports, dismissing the IIS bug. The Register writes:

The software giant accepts there is an “inconsistency” in how IIS 6 handles semicolons in URLs. But it denies that this lends itself to hacking attacks, contrary to claims by security researchers shortly before Xmas. Redmond said fears that the bug allows hackers to circumvent content filtering software in order to upload and execute code on an IIS server are misplaced.

Microsoft provides a more detailed analysis of the flaw on the Microsoft Security Response Center blog, where Microsoft’s Christopher Budd writes:

We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS.

What we have seen is that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server.

The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack.
