The Register® — Biting the hand that feeds IT

Feeds

Microsoft IIS vuln leaves users open to remote attack

A researcher has identified a vulnerability in the most recent version of Microsoft's Internet Information Services that allows attackers to execute malicious code on machines running the popular webserver. The bug stems from the way IIS parses file names with colons or semicolons in them, according to researcher Soroush Dalili …

This topic is closed for new posts.

Page:

Destroy All Monsters
Gates Horns

WHAT!

Ok...

1) Why would a webserver need to execute uploaded code? Is this a new approach to distributed computing?

2) How does IIS decide whether to execute something if the rule is to _not_ execute something ending in .asp?

Redmond's bad ideas really do extend far beyond the decimal format of Excel dates. To boldy go...

Adrian Crooks
Reply Icon

It's ASP

1) It's not about whether the webserver needs to execute uploaded code, it's about how you can trick something into executing an uploaded file.

2) Uhm... the web server may be running a site built with ASP. Surprisingly there are quite a few sites out there that run .ASP.

OffBeatMammal
Reply Icon

wonder if Apache has the same problem....

... what happens if you upload a .php;.jpg file ...

Si 1
Gates Horns

Why would someone trust IIS to do this?

I wouldn't leave it to IIS to decide if a file upload is allowed or not, I would validate the file and its extension with my own code.

Matthew Evans

Re "What!"

@ Destroy All Monsters

>1) Why would a webserver need to execute uploaded code? Is this a new approach to distributed >computing?

A web server would not 'want' to execute uploaded code. After the file is uploaded to the server (bypassing content filters using this hack), the malicious user would request the file via http, thus executing it.

The effect of this would depend on the permissions which the IIS process runs under. Recommendations are to run this with a low privilege account. This should prevent running services, installing malware, most administrative functions. This is probably why Secunia have given the exploit a low rating.

>2) How does IIS decide whether to execute something if the rule is to _not_ execute something >ending in .asp?

IIS executes ASP files by default (via passing the request to the ASP.dll handler), not the other way around. The general rule is to prevent users UPLOADING executable files like this via a file upload facility.

I know its clever to be down on Micro$oft, but why comment when you don't understand the issue.

Anonymous Coward
Anonymous Coward
Reply Icon

I don't understand the issue either

Just saying.

Destroy All Monsters
Gates Horns
Reply Icon

@Matthew Evans

>>I know its clever to be down on Micro$oft, but why comment when you don't understand the

issue.

Well kid, there is always the possibility that I have forgotten more infotech than you have ever seen (I'm getting on the old side of things), and with an attitude like the one expressed, this is even quite likely.

...Now, seeing that it's 2010 and not 1999, I might be forgiven for not realising that there is still the possibility of Internet-facing applications configured to allow uploading random files into directories that allow serving executable content and where the criterium for "executable by webserver" is the three-letter file ending. (And this doesn't even involve the bug biting at all.) That fails so hard.

Martin Smith 2
Reply Icon

Still not getting it

The issue isn't really anything to do with the criterium for "executable by webserver" is the three-letter file ending.

The problem is people setting up a folder to hold user generated content under the web site root (as it needs to be served by the web server) but forgetting to deny IIS execute access for scripts on that folder. Maybe as they figured that it could only hold innocuous content anyway.

I've only used IIS 4 - 6 so maybe this has been improved in IIS7 but forgetting to reproduce these permissions is too easy to do when creating new sites by XCopy.

Anonymous Coward
Anonymous Coward
Reply Icon

Re: @Matthew Evans

>"Well kid, there is always the possibility that I have forgotten more infotech than you have >ever seen (I'm getting on the old side of things), and with an attitude like the one expressed, >this is even quite likely."

Yup - *that* argument is always a winner. Instant credibility. Ooh, now tell us tales of punch cards, Oh Wise Elder ... If you're not too busy making up new words like "criterium". Does that get you any points when you're playing Scrabble at the nursing home?

CrossChris
Linux
Reply Icon

We understand the issue perfectly well...

You can be your last buck that there is a trivially simple way to escalate privilege once you've gained access via this truly stupid vulnerability.

The only really secure way to run any kind of server is to avoid MS products at all costs. Why do you think ALL the "big boys" run LAMP software? I simply can't understand why people persist in buying this MS brokenware!

Major N
Reply Icon

well...

Criterium is a perfectly acceptable word; Criteria is plural; Criterium is singular. One Criterium, two Criteria.

Like Data is the plural of Datum.

Seriously.

DrPizza
Reply Icon

whut

lrn2greek.

datum -> data is second declension neuter LATIN

criteria is the plural of GREEK criterion.

There is no such word as "criterium", and as such it is not at all acceptable.

http://dictionary.reference.com/browse/criterion?r=75&src=ref&ch=dic

Cucumber C Face
Paris Hilton

Pulling our legs

Having a number of IIS apps in the wild I saw the headine and feared an unscheduled Xmas Day server panic.

Fortunately the unsecured uploading of files into directories to which IIS has execute permissions is not a feature of our applications.

If I've got it right, for this hack to work one would have had to disable layers of default settings (or be running early versions of IIS on which one had never run the ISS lockdown tool) AND opened up anonymous FTP or similar for the directories in question.

Some kind person would long since have 'resecured' the server on your behalf anyway :-/

Paris - because I think of her while stuffing the turkey

jubtastic1

I hate to say it

But this doesn't strike me as a vulnerability at all, if you decide to allow file uploads then you had better be damn sure that your code can separate the wheat from the poison.

Anonymous Coward
FAIL

wait, what

when did iis become popular???

Anonymous Coward
Anonymous Coward
Reply Icon

Since...

...a metric shitload of middle manglers figured out that they couldn't be fired for recommending MS software? Very popular, that.

Anonymous Coward
Linux
Reply Icon

semantics

I believe the word el reg was after would be "common" rather than "popular" - simple editorial mistake!

Pascal

Ok this is somewhat of an issue, but...

If I understand what they're describing, it's a way to bypass the filter you can pass to the HTML "input type=file" file selector control, that will let you pick a file named something like "evilcode.asp;.jpg", and then once posted, this would show up in the values that the upload-processing page would get as "evilcode.asp;.jpg", in which case poor validation code might not catch it, and if that code were to use that file name to write the file to an IIS-readable folder (say, for an avatar as in the example), then it would end up on the disk as "evilcode.asp".

For this to be any sort of threat, doesn't it require some major programming/security failures on the part of the developer in the first place?

1) The programmer trusted the client-side file extension filter

2) The programmer's upload validation code did not catch the bad name

3) The programmer used the client-supplied name instead of saving said avatar to something like "avatar12345.jpg"

4) The security context the web site runs in has write-access to an EXECUTABLE folder, which is a disaster waiting to happen in the first place (someone needs to get fired over this)

While there is definitely something fishy going on because of the way .asp;.jpg can eventually transform into .asp while handling the file, if a site is set up in such a way that this can be exploited, then we're dealing with a site managed by people that don't have the slightest clue about security in the first place...

Irp
WTF?

Umm Writable cgi-bin ?

WTF would *any* Webserver/FTP Server allow execute rights on *any* uploaded code ?

From reading the comments, this is what happens if you make your cgi-bin directory globally writable and executable ?

There was a reason why FTP upload directories had write, but no read or execute permissions for anon users

jake

One of these days, maybe ...

Maybe, just maybe, Microsoft will learn what magic numbers are. You folks running un*x-ish systems, try "man magic" ... you can poke around in /etc/file/magic for more. The concept is older than UNIX[tm] itself ... Meaningful file name extensions should have died with Digital Research's CP/M.

(Rest in peace, Gary, my friend ... you are still missed by many, you cantankerous old goat!)

Apocalypse Later
Reply Icon

RIP

Gary's dead? How did I miss this?

For those who don't know, legend has it that Bill Gates was the second person IBM called when they wanted an operating system for their new personal computer, and Gary Kildall missed out (and saddled us all with Microsoft) because he was out flying his airplane or something. Apparently it is more complicated (and mysterious) than that though, according to this account:

http://www.businessweek.com/magazine/content/04_43/b3905109_mz063.htm

jake
Reply Icon

@Apocalypse Later

"Gary's dead? How did I miss this?"

Yeah. 15 and a half years ago. I didn't find out until the following Wednesday morning, he was supposed to go out on the shake-down run of my newly restored Monk cruiser. The guy in the next slip over told me ... To say I was shocked would be an understatement.

Funny but true ... Gary & I knew each other from sports car and boating circles, not computers and networking. It wasn't until we'd been friends for a few years that I realized he was that Gary (my facial recognition skills are sub-par). He knew who I was, though, but chose not to say anything ... like myself, he enjoyed putting ones and zeros in his rear-view mirror for a few hours whenever possible.

Christian Berger

IIS?

I'm sorry, but IIS wasn't that just used because it came pre-installed with Windows NT and 2000? I'm sure nobody uses it anymore.

pitagora
Thumb Down
Reply Icon

IIS has the next largest marketshare after apache

IIS is the best web server available on windows servers. Of course you could install a free apache, but the features simply don't compare. 99% of windows hosting companies use it for both asp.net and php.

Tom 7

@Jake

Maybe MS will learn no to lie to customers about computing being easy. I have had the misfortune to watch MS trained IT experts learn and re-learn and then forget all the old lessons about security and sensible application design.

Computing isnt easy - MS makes a living out of telling us it is!

Driving a car may seem easy if you reduce the number of pedals to 1 and blacken out the windscreen so your not distracted by reality - but in the long run it doesn't get you very far.

jake
Reply Icon

@Tom 7

I think you'll find that it was Apple who started perpetuating the "ease of use" myth. Microsoft, as usual, copied. And so has Canonical Ltd.

The fact is that computers are becoming easier for the drooling masses to use, but the actual administration of said boxen is becoming more complex. "Format and reinstall" is not a good answer for every little problem ...

Cameron Colley
Reply Icon

I have to agree here.

I'm certainly no expert myself, but I'm constantly surprised by Microsoft-Certified IT people displaying ignorance of anything other than the MS "wizards" their exams were on.

I've also found it amusing how Linux/Unix types seem to do a decent job of configuring, troubleshooting and maintaining MS servers once they find where the settings they require are -- same can't be said of MS types on Linux/Unix boxes.

Al Jones
Reply Icon

Not my experience

I'm often amazed at how badly unix-heads can mangle a Windows machine - I've seen Windows machines that have run fine for months brought to their knees within a day or two of a unix "expert" getting their hands on them.

It probably has something to do with the fact that a considerable number of unix-heads actually pride themselves on their ignorance of anything to do with Microsoft. That doesn't prevent them from commenting on issues like this one. It just prevents them from making useful comments.

If you create a file called test.asp;.jpg on a Windows machine, Windows will parse the name from the right, and treat the file as a .jpg file, and will pass it to the handler for .jpg files when you double-click on it. On the other hand, if you request test.asp;.jpg from an IIS web server, the claim is that it will be treated as a .asp page, and handed to asp.dll IF it is in a directory that has Scripting enabled.

That's the "inconsistent behaviour" that Microsoft has copped to. The "security hole" is in the 3rd party file uploader controls that you might rely on to filter that kind of thing out.

And then there's the fact that ASP.NET apparently doesn't try to parse test.asp;.jpg as a script at all.

jake
Reply Icon

Fanbois

"It probably has something to do with the fact that a considerable number of unix-heads actually pride themselves on their ignorance of anything to do with Microsoft."

That would be the idiot kids who think any choice of OS somehow makes 'em look "cool". That includes fanbois of all descriptions ... Remember, all hardware sucks, all OSes suck, and all applications programs suck. To that I add all fanbois suck.

Some of us are OS agnostic, and have learned many OSes over the years. That doesn't mean I'm not archiving the last of our Microsoft systems as I type (except one[1]). No more MS for me ... too much work to maintain to my standards. Slackware is easy ... cron emails me that there are updates, I eyeball whatever offerings PV has made available, and use slackpkg to select the bits & pieces I want to upgrade. Clamav on the mailservers updates itself several times a day ... That's about all the maintenance I've done since July of 2007, at least for this box.

[1] That one runs Win2K and will be archived on February 16th, on its tenth anniversary. No blue screens, no crashes, no malware, no reinstalls, no problems. It is getting a trifle clunky, though ... I know HOW to admin Windows machines, it's just that there are better ways to waste my time.

John Smith 19
Thumb Down

skiddies xmas present

A nice simple little hack to get arbitary code to execute on IIS.

I'm fairly sure that there is a Google search that will cough up a whole bunch of iis hosted sites to get a young vandal started.

As others have commented this would require the server to have been very carelessly set up but how many servers are there on the internet?

I'm not sure but does'nt *every* copy of Windows have IIS in as standard? presumably the desktop users have theirs disabled by default by now (IIRC it was on by default).

I admit that this should *not* be a serious problem for *properly* configured IIS setup with the right attitude to security. The question is how many servers don't have that and how easily can they be found.

Some people could end up with a lot of housekeeping to do.

Anonymous Coward
Grenade

Microsoft? Rigorously testing software? Ummm....

Like the article said, upload an "innocent" file, and then own the server.

HackMe.asp;.jpg is a malicious C# Active Server Page file.

HackMe.asp;.jpg = image file when uploaded

HackMe.asp;.jpg = executable file when "viewed"

Yes, there *are* security holes in C#.

I have worked on and off at Microsoft for five years as a tester, and I have yet to be anything other than unimpressed. The development and testing left everything to be desired, and the testing was one step above random banging on the keyboard. Programatic testing constituted running a nearly useless "happy path" and not smacking the code over its limits. The software is *not* developed with the concept of quality or testability in mind. The vast majority of the testing is black-box testing, so of course gross flaws make it out the door. For the last project I worked on, I was forced to reimplement the product in C# to test the developer's code, instead of actually directly testing the developer's code! What kind of a development effort is it when one guy can reproduce a team's entire output? (you wouldn't believe the WTF-class bugs I found)

For all of the books that Microsoft publishes, one would think that it would be de rigueur to actually *read* those books, and *implement* the *best* practices. Instead, the f***ing slop I saw made me wonder why anybody worth their salt would actually want to be in the organization when the economy wasn't dead.

Anonymous Coward
Grenade
Reply Icon

Re: Microsoft? Rigorously testing software? Ummm....

"HackMe.asp;.jpg is a malicious C# Active Server Page file"

Not by default. The default for .net pages (including C#) is aspx. In order to handle it as .asp you'd have to deliberately customise the virtual directory for that as the aspnet handler would not process .asp files (well for web forms anyway).

"Yes, there *are* security holes in C#."

There probably are holes in the framework, but this is a hole in IIS not a security hole in C# (which is just a language anyway).

"I was forced to reimplement the product in C# to test the developer's code"

In that case, all you did was test your own code which would not be best practice either if you were the only one to test it.

I would hope most programmers are familiar with the concept of not trusting user input and would check it themselves accordingly. I'd certainly hope they don't just stick files straight into a place where it can be directly executed (although I'm sure some do).

Production software has flaws, MS stuff is very prone to it, but the real test will be how long it takes them to patch it (although admittedly, I'm not expecting a particularly rapid response).

Matt 9
Reply Icon

Tester not testing..

A bit off topic, but wanted to comment on:

"For the last project I worked on, I was forced to reimplement the product in C# to test the developer's code"

I have a problem with this.

A tester's role is to *test* (clue's in the title) - nothing else. This sounds like you wrote your own toolset to help test the developed code. If you need tools to carry this out they too need to be tested. How do you know whatever you "reimplemented" did not contain "WTF-class bugs" itself? Was it independently tested and verified?

The problem here isn't necessarily that you didn't have the tools - if there's no commercial products that are adequate then bespoke tools are fine - as long as they are tested and verified themselves. From my experience though it would be the developers who build these tools for the testers and hand over execution to them (after test + sign off) - so again this is subject to the correct independent verification.

Rather than agree to this situation - depending what you mean "forced" (or even carry on off your own bat) this should have been flagged and properly addressed.

Anonymous Coward
Flame
Reply Icon

Microsoft test practice, who's kidding whom?

"In that case, all you did was test your own code which would not be best practice either if you were the only one to test it."

Allow me to clarify. The MS software picks up data from a source, munges it, and then somebody else works with the munged data. To test if the data is munged correctly, have another program pick it up from the source, munge it, and then see that both agree. I found problems with null data, missing fields, all kinds of crap. And that was using what I consider to be insufficient testing.

Yes, input tests should have been done, BUT MICROSOFT DOESN'T GIVE A **** ABOUT GOOD TESTING! You have no idea how many times I told them that it needed to be done, how the system could be compromised, etc. "No, we're not interested in that." Might as well have a p0wned pool going. All they care about is some garbage happy-path black-box testing so they can pretend the product has been tested.

Despite all of the books that are published by Microsoft about how to write software, how to test it, security holes to watch for, etc., they don't actually implement anything. Bunch of strutting peacocks.

Anonymous Coward
Anonymous Coward
Reply Icon

sharepoint

Now I understand.

John Smith 19
Thumb Up

AC@06:05

" Instead, the f***ing slop I saw made me wonder why anybody worth their salt would actually want to be in the organization when the economy wasn't dead."

Stock options.

Anonymous Coward
Joke
Reply Icon

@John Smith 19

MS Stock Options? You mean stock that is going nowhere? Stock that will have lost 75% of its current value in 5 years ... wow, great! Sell it now, guyz, sell it now!

Fuzz

rename uploaded files

Surely most sites are going to be renaming files to prevent collisions. I upload pamelaanderson.asp;.jpg the site should be renaming it 12345.jpg problem solved.

John Smith 19, only server and pro versions of windows have IIS included and it's never installed by default even on NT4 I think you have to choose to install it.

dave lawless
Boffin

File extensions as security?

It beggars belief, it really does.

Hans 1
Coffee/keyboard
Reply Icon

@dave lawful

so true!!!

... and the sad thing is, they are gonna fix it by "replacing" or "disallowing" the ";" character in file uploads.

Anybody who calls that bunch of cretins "enterprise-class developers" has a problem!

They have known of this problem for decades and there are "many" safe ways to determine what a file's content/type is ....

Damn, a laptop and my desktop keyboard in one day ...hell! Reg, it's getting expensive!

Dick
Alert

Who uses IIS?

According to Netcraft http://news.netcraft.com/archives/web_server_survey.html about 20% of webservers are IIS, pretty scary...

Donn Bly
FAIL

This is really a non-issue

First, ASP in and of itself, as supplied by microsoft, doesn't even HAVE a file upload capability. As such, any such file upload module would have be be supplied by the web developer. If the developer doesn't sanity-check input fields even do a simple regex to strip invalid characters, then they aren't much of a developer. If they are writing files to directories where the IIS Anonymous user has execute permissions, then they aren't much of a developer. In either case, the security problem is not Microsoft's but in fact the developer's - just as most LAMP sites that are hacked are because the DEVELOPER left holes, not in the framework itself.

From what I can see from the reports (and I will be testing this week to confirm) is that the parsing mechanism that IIS uses to determine what ISAPI filters may be broken. If so, that is the extent of the bug in IIS, and it isn't a security issue but a fitness-for-purpose issue.

The fact that it has apparently had this bug for over 10 years and nobody has run across it before should tell you something about the level of brain-deadness a developer must have before it can be triggered.

CrossChris
Linux

As Usual....

Of course Apache is NOT vulnerable to this trivial attack.

Once again MS screw up simple security....

Anonymous Coward
Anonymous Coward

Seems to me this is badly configured website/app

Custom code to allow uploading of files, incorrect script/execute permissions on a virtual folder intended to hold images - isn't IIS only involved in the handling of multiple items passed to it by the webapp?

Joe Montana
FAIL

File extensions? wtf?

Who ever thought relying on something so arbitrary as the filename was a good idea to identify the file type?

Surely it is massively more sensible to parse the contents of the file to determine what it is?

IceMage
Stop

Bad Coding Practice

This whole exploit relies on two extremely bad practices.

1. Upload directories have execute script / code permissions. This should never happen, as directories in which users upload files should never execute, regardless of whether the file has the appropriate extension or not.

2. The file name the user inputs is the file name on the server side. This should also never happen, as regardless of what filters you put in, it can be easy to trick a script into thinking that the file extension is one thing when it is actually another. Your server should rename any uploaded file according to some scheme or another.

Remember,

Users can't fake directory permissions, and users can't dictate what your server names the file. This is in no real way a security flaw because of Microsoft. It is a bug, but the security implications of it are due to bad practices on the end user's behalf.

John Smith 19
Happy

@Fuzz

"only server and pro versions of windows have IIS included and it's never installed by default even on NT4 "

Thanks. my recollection was that MS was shipping it on*all* machines so they could play the old "IIS outnumbers Apache. You'd be mad to build your website on anything else" routine when in realtiy most users did'nt realise they had one in the box.

So I guess that just leaves the question of wheather a Google search can identify whose running Windows Server or Pro installations and roughly what proportion of home and business users went with the Pro version.

Doug Glass
Go

Bypasses Outlook Too

Adding ;.jpg will also allow you send .exe files via Outlook even if you have the fix that blocks emailing certain file types.

Dunno about the rest.

dave lawless
Boffin

"Experts", there's plenty of 'em

Hey @Jake

your magic bullet sometimes gets stuck in the barrel

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=27

http://marc.info/?l=bugtraq&m=104696992100353&w=2

But hey, let's all hand out security advice from our arse

jake
Reply Icon

@dave lawless

That bug was patched in the first quarter of 2003. Nearly 7 years ago. How much time did you waste tracking down those two cob-web pages?

During the meanwhile, how many filename.ext bugs have been found in Microsoft products in the ensuing time frame? For extra credit, how many OSes has MS released that could have fixed it?

All complex code has bugs. Some complex code has bugs that are more inviting to people looking to compromise systems. And filename.ext has been one of the worst over the years.

Commentards defending Microsoft's so-called "security" crack me up. Thanks for the laugh :-D

Page:

This topic is closed for new posts.