A researcher has identified a vulnerability in the most recent version of Microsoft's Internet Information Services that allows attackers to execute malicious code on machines running the popular webserver. The bug stems from the way IIS parses file names with colons or semicolons in them, according to researcher Soroush Dalili …
1) Why would a webserver need to execute uploaded code? Is this a new approach to distributed computing?
2) How does IIS decide whether to execute something if the rule is to _not_ execute something ending in .asp?
Redmond's bad ideas really do extend far beyond the decimal format of Excel dates. To boldly go...
1) It's not about whether the webserver needs to execute uploaded code, it's about how you can trick something into executing an uploaded file.
2) Uhm... the web server may be running a site built with ASP. Surprisingly there are quite a few sites out there that run .ASP.
wonder if Apache has the same problem....
... what happens if you upload a .php;.jpg file ...
Why would someone trust IIS to do this?
I wouldn't leave it to IIS to decide if a file upload is allowed or not, I would validate the file and its extension with my own code.
@ Destroy All Monsters
>1) Why would a webserver need to execute uploaded code? Is this a new approach to distributed computing?
A web server would not 'want' to execute uploaded code. After the file is uploaded to the server (bypassing content filters using this hack), the malicious user would request the file via http, thus executing it.
The effect of this would depend on the permissions which the IIS process runs under. Recommendations are to run this with a low privilege account. This should prevent running services, installing malware, most administrative functions. This is probably why Secunia have given the exploit a low rating.
>2) How does IIS decide whether to execute something if the rule is to _not_ execute something ending in .asp?
IIS executes ASP files by default (via passing the request to the ASP.dll handler), not the other way around. The general rule is to prevent users UPLOADING executable files like this via a file upload facility.
I know it's clever to be down on Micro$oft, but why comment when you don't understand the issue?
I don't understand the issue either
>>I know it's clever to be down on Micro$oft, but why comment when you don't understand the
Well kid, there is always the possibility that I have forgotten more infotech than you have ever seen (I'm getting on the old side of things), and with an attitude like the one expressed, this is even quite likely.
...Now, seeing that it's 2010 and not 1999, I might be forgiven for not realising that there is still the possibility of Internet-facing applications configured to allow uploading random files into directories that allow serving executable content and where the criterium for "executable by webserver" is the three-letter file ending. (And this doesn't even involve the bug biting at all.) That fails so hard.
Still not getting it
The issue isn't really anything to do with the criterium for "executable by webserver" being the three-letter file ending.
The problem is people setting up a folder to hold user generated content under the web site root (as it needs to be served by the web server) but forgetting to deny IIS execute access for scripts on that folder. Maybe as they figured that it could only hold innocuous content anyway.
I've only used IIS 4 - 6 so maybe this has been improved in IIS7 but forgetting to reproduce these permissions is too easy to do when creating new sites by XCopy.
Re: @Matthew Evans
>"Well kid, there is always the possibility that I have forgotten more infotech than you have ever seen (I'm getting on the old side of things), and with an attitude like the one expressed, this is even quite likely."
Yup - *that* argument is always a winner. Instant credibility. Ooh, now tell us tales of punch cards, Oh Wise Elder ... If you're not too busy making up new words like "criterium". Does that get you any points when you're playing Scrabble at the nursing home?
We understand the issue perfectly well...
You can bet your last buck that there is a trivially simple way to escalate privilege once you've gained access via this truly stupid vulnerability.
The only really secure way to run any kind of server is to avoid MS products at all costs. Why do you think ALL the "big boys" run LAMP software? I simply can't understand why people persist in buying this MS brokenware!
Criterium is a perfectly acceptable word; Criteria is plural; Criterium is singular. One Criterium, two Criteria.
Like Data is the plural of Datum.
datum -> data is second declension neuter LATIN
criteria is the plural of GREEK criterion.
There is no such word as "criterium", and as such it is not at all acceptable.
Pulling our legs
Having a number of IIS apps in the wild I saw the headline and feared an unscheduled Xmas Day server panic.
Fortunately the unsecured uploading of files into directories to which IIS has execute permissions is not a feature of our applications.
If I've got it right, for this hack to work one would have had to disable layers of default settings (or be running early versions of IIS on which one had never run the IIS Lockdown tool) AND opened up anonymous FTP or similar for the directories in question.
Some kind person would long since have 'resecured' the server on your behalf anyway :-/
Paris - because I think of her while stuffing the turkey
I hate to say it
But this doesn't strike me as a vulnerability at all, if you decide to allow file uploads then you had better be damn sure that your code can separate the wheat from the poison.
when did iis become popular???
...a metric shitload of middle manglers figured out that they couldn't be fired for recommending MS software? Very popular, that.
I believe the word el reg was after would be "common" rather than "popular" - simple editorial mistake!
Ok this is somewhat of an issue, but...
If I understand what they're describing, it's a way to bypass the filter you can pass to the HTML "input type=file" file selector control, so that you can pick a file named something like "evilcode.asp;.jpg". Once posted, this would show up in the values that the upload-processing page gets as "evilcode.asp;.jpg", which poor validation code might not catch, and if that code were to use that file name to write the file to an IIS-readable folder (say, for an avatar as in the example), then it would end up on the disk as "evilcode.asp".
For this to be any sort of threat, doesn't it require some major programming/security failures on the part of the developer in the first place?
1) The programmer trusted the client-side file extension filter
2) The programmer's upload validation code did not catch the bad name
3) The programmer used the client-supplied name instead of saving said avatar to something like "avatar12345.jpg"
4) The security context the web site runs in has write-access to an EXECUTABLE folder, which is a disaster waiting to happen in the first place (someone needs to get fired over this)
While there is definitely something fishy going on because of the way .asp;.jpg can eventually transform into .asp while handling the file, if a site is set up in such a way that this can be exploited, then we're dealing with a site managed by people that don't have the slightest clue about security in the first place...
Umm Writable cgi-bin ?
WTF would *any* Webserver/FTP Server allow execute rights on *any* uploaded code ?
From reading the comments, this is what happens if you make your cgi-bin directory globally writable and executable ?
There was a reason why FTP upload directories had write, but no read or execute permissions for anon users
One of these days, maybe ...
Maybe, just maybe, Microsoft will learn what magic numbers are. You folks running un*x-ish systems, try "man magic" ... you can poke around in /etc/file/magic for more. The concept is older than UNIX[tm] itself ... Meaningful file name extensions should have died with Digital Research's CP/M.
(Rest in peace, Gary, my friend ... you are still missed by many, you cantankerous old goat!)
Gary's dead? How did I miss this?
For those who don't know, legend has it that Bill Gates was the second person IBM called when they wanted an operating system for their new personal computer, and Gary Kildall missed out (and saddled us all with Microsoft) because he was out flying his airplane or something. Apparently it is more complicated (and mysterious) than that though, according to this account:
"Gary's dead? How did I miss this?"
Yeah. 15 and a half years ago. I didn't find out until the following Wednesday morning, he was supposed to go out on the shake-down run of my newly restored Monk cruiser. The guy in the next slip over told me ... To say I was shocked would be an understatement.
Funny but true ... Gary & I knew each other from sports car and boating circles, not computers and networking. It wasn't until we'd been friends for a few years that I realized he was that Gary (my facial recognition skills are sub-par). He knew who I was, though, but chose not to say anything ... like myself, he enjoyed putting ones and zeros in his rear-view mirror for a few hours whenever possible.
I'm sorry, but IIS wasn't that just used because it came pre-installed with Windows NT and 2000? I'm sure nobody uses it anymore.
IIS has the next largest marketshare after apache
IIS is the best web server available on windows servers. Of course you could install a free apache, but the features simply don't compare. 99% of windows hosting companies use it for both asp.net and php.
Maybe MS will learn not to lie to customers about computing being easy. I have had the misfortune to watch MS trained IT experts learn and re-learn and then forget all the old lessons about security and sensible application design.
Computing isn't easy - MS makes a living out of telling us it is!
Driving a car may seem easy if you reduce the number of pedals to 1 and blacken out the windscreen so you're not distracted by reality - but in the long run it doesn't get you very far.
I think you'll find that it was Apple who started perpetuating the "ease of use" myth. Microsoft, as usual, copied. And so has Canonical Ltd.
The fact is that computers are becoming easier for the drooling masses to use, but the actual administration of said boxen is becoming more complex. "Format and reinstall" is not a good answer for every little problem ...
I have to agree here.
I'm certainly no expert myself, but I'm constantly surprised by Microsoft-Certified IT people displaying ignorance of anything other than the MS "wizards" their exams were on.
I've also found it amusing how Linux/Unix types seem to do a decent job of configuring, troubleshooting and maintaining MS servers once they find where the settings they require are -- same can't be said of MS types on Linux/Unix boxes.
Not my experience
I'm often amazed at how badly unix-heads can mangle a Windows machine - I've seen Windows machines that have run fine for months brought to their knees within a day or two of a unix "expert" getting their hands on them.
It probably has something to do with the fact that a considerable number of unix-heads actually pride themselves on their ignorance of anything to do with Microsoft. That doesn't prevent them from commenting on issues like this one. It just prevents them from making useful comments.
If you create a file called test.asp;.jpg on a Windows machine, Windows will parse the name from the right, and treat the file as a .jpg file, and will pass it to the handler for .jpg files when you double-click on it. On the other hand, if you request test.asp;.jpg from an IIS web server, the claim is that it will be treated as a .asp page, and handed to asp.dll IF it is in a directory that has Scripting enabled.
That's the "inconsistent behaviour" that Microsoft has copped to. The "security hole" is in the 3rd party file uploader controls that you might rely on to filter that kind of thing out.
And then there's the fact that ASP.NET apparently doesn't try to parse test.asp;.jpg as a script at all.
"It probably has something to do with the fact that a considerable number of unix-heads actually pride themselves on their ignorance of anything to do with Microsoft."
That would be the idiot kids who think any choice of OS somehow makes 'em look "cool". That includes fanbois of all descriptions ... Remember, all hardware sucks, all OSes suck, and all applications programs suck. To that I add all fanbois suck.
Some of us are OS agnostic, and have learned many OSes over the years. That doesn't mean I'm not archiving the last of our Microsoft systems as I type (except one). No more MS for me ... too much work to maintain to my standards. Slackware is easy ... cron emails me that there are updates, I eyeball whatever offerings PV has made available, and use slackpkg to select the bits & pieces I want to upgrade. Clamav on the mailservers updates itself several times a day ... That's about all the maintenance I've done since July of 2007, at least for this box.
That one runs Win2K and will be archived on February 16th, on its tenth anniversary. No blue screens, no crashes, no malware, no reinstalls, no problems. It is getting a trifle clunky, though ... I know HOW to admin Windows machines, it's just that there are better ways to waste my time.
skiddies xmas present
A nice simple little hack to get arbitrary code to execute on IIS.
I'm fairly sure that there is a Google search that will cough up a whole bunch of iis hosted sites to get a young vandal started.
As others have commented this would require the server to have been very carelessly set up but how many servers are there on the internet?
I'm not sure, but doesn't *every* copy of Windows have IIS in as standard? Presumably the desktop users have theirs disabled by default by now (IIRC it was on by default).
I admit that this should *not* be a serious problem for *properly* configured IIS setup with the right attitude to security. The question is how many servers don't have that and how easily can they be found.
Some people could end up with a lot of housekeeping to do.
Microsoft? Rigorously testing software? Ummm....
Like the article said, upload an "innocent" file, and then own the server.
HackMe.asp;.jpg is a malicious C# Active Server Page file.
HackMe.asp;.jpg = image file when uploaded
HackMe.asp;.jpg = executable file when "viewed"
Yes, there *are* security holes in C#.
I have worked on and off at Microsoft for five years as a tester, and I have yet to be anything other than unimpressed. The development and testing left everything to be desired, and the testing was one step above random banging on the keyboard. Programmatic testing constituted running a nearly useless "happy path" and not smacking the code over its limits. The software is *not* developed with the concept of quality or testability in mind. The vast majority of the testing is black-box testing, so of course gross flaws make it out the door. For the last project I worked on, I was forced to reimplement the product in C# to test the developer's code, instead of actually directly testing the developer's code! What kind of a development effort is it when one guy can reproduce a team's entire output? (you wouldn't believe the WTF-class bugs I found)
For all of the books that Microsoft publishes, one would think that it would be de rigueur to actually *read* those books, and *implement* the *best* practices. Instead, the f***ing slop I saw made me wonder why anybody worth their salt would actually want to be in the organization when the economy wasn't dead.
Re: Microsoft? Rigorously testing software? Ummm....
"HackMe.asp;.jpg is a malicious C# Active Server Page file"
Not by default. The default for .net pages (including C#) is aspx. In order to handle it as .asp you'd have to deliberately customise the virtual directory for that as the aspnet handler would not process .asp files (well for web forms anyway).
"Yes, there *are* security holes in C#."
There probably are holes in the framework, but this is a hole in IIS not a security hole in C# (which is just a language anyway).
"I was forced to reimplement the product in C# to test the developer's code"
In that case, all you did was test your own code which would not be best practice either if you were the only one to test it.
I would hope most programmers are familiar with the concept of not trusting user input and would check it themselves accordingly. I'd certainly hope they don't just stick files straight into a place where it can be directly executed (although I'm sure some do).
Production software has flaws, MS stuff is very prone to it, but the real test will be how long it takes them to patch it (although admittedly, I'm not expecting a particularly rapid response).
Tester not testing..
A bit off topic, but wanted to comment on:
"For the last project I worked on, I was forced to reimplement the product in C# to test the developer's code"
I have a problem with this.
A tester's role is to *test* (clue's in the title) - nothing else. This sounds like you wrote your own toolset to help test the developed code. If you need tools to carry this out they too need to be tested. How do you know whatever you "reimplemented" did not contain "WTF-class bugs" itself? Was it independently tested and verified?
The problem here isn't necessarily that you didn't have the tools - if there are no commercial products that are adequate then bespoke tools are fine - as long as they are tested and verified themselves. From my experience though it would be the developers who build these tools for the testers and hand over execution to them (after test + sign off) - so again this is subject to the correct independent verification.
Rather than agree to this situation - depending what you mean "forced" (or even carry on off your own bat) this should have been flagged and properly addressed.
Microsoft test practice, who's kidding whom?
"In that case, all you did was test your own code which would not be best practice either if you were the only one to test it."
Allow me to clarify. The MS software picks up data from a source, munges it, and then somebody else works with the munged data. To test if the data is munged correctly, have another program pick it up from the source, munge it, and then see that both agree. I found problems with null data, missing fields, all kinds of crap. And that was using what I consider to be insufficient testing.
Yes, input tests should have been done, BUT MICROSOFT DOESN'T GIVE A **** ABOUT GOOD TESTING! You have no idea how many times I told them that it needed to be done, how the system could be compromised, etc. "No, we're not interested in that." Might as well have a p0wned pool going. All they care about is some garbage happy-path black-box testing so they can pretend the product has been tested.
Despite all of the books that are published by Microsoft about how to write software, how to test it, security holes to watch for, etc., they don't actually implement anything. Bunch of strutting peacocks.
Now I understand.
" Instead, the f***ing slop I saw made me wonder why anybody worth their salt would actually want to be in the organization when the economy wasn't dead."
@John Smith 19
MS Stock Options? You mean stock that is going nowhere? Stock that will have lost 75% of its current value in 5 years ... wow, great! Sell it now, guyz, sell it now!
rename uploaded files
Surely most sites are going to be renaming files to prevent collisions. I upload pamelaanderson.asp;.jpg the site should be renaming it 12345.jpg problem solved.
John Smith 19, only server and pro versions of Windows have IIS included, and it's never installed by default. Even on NT4 I think you have to choose to install it.
File extensions as security?
It beggars belief, it really does.
... and the sad thing is, they are gonna fix it by "replacing" or "disallowing" the ";" character in file uploads.
Anybody who calls that bunch of cretins "enterprise-class developers" has a problem!
They have known of this problem for decades and there are "many" safe ways to determine what a file's content/type is ....
Damn, a laptop and my desktop keyboard in one day ...hell! Reg, it's getting expensive!
Who uses IIS?
According to Netcraft http://news.netcraft.com/archives/web_server_survey.html about 20% of webservers are IIS, pretty scary...
This is really a non-issue
First, ASP in and of itself, as supplied by Microsoft, doesn't even HAVE a file upload capability. As such, any such file upload module would have to be supplied by the web developer. If the developer doesn't sanity-check input fields or even do a simple regex to strip invalid characters, then they aren't much of a developer. If they are writing files to directories where the IIS Anonymous user has execute permissions, then they aren't much of a developer. In either case, the security problem is not Microsoft's but in fact the developer's - just as most LAMP sites that are hacked are because the DEVELOPER left holes, not in the framework itself.
From what I can see from the reports (and I will be testing this week to confirm) is that the parsing mechanism that IIS uses to determine what ISAPI filters may be broken. If so, that is the extent of the bug in IIS, and it isn't a security issue but a fitness-for-purpose issue.
The fact that it has apparently had this bug for over 10 years and nobody has run across it before should tell you something about the level of brain-deadness a developer must have before it can be triggered.
Of course Apache is NOT vulnerable to this trivial attack.
Once again MS screw up simple security....
Seems to me this is badly configured website/app
Custom code to allow uploading of files, incorrect script/execute permissions on a virtual folder intended to hold images - isn't IIS only involved in the handling of multiple items passed to it by the webapp?
File extensions? wtf?
Who ever thought relying on something so arbitrary as the filename was a good idea to identify the file type?
Surely it is massively more sensible to parse the contents of the file to determine what it is?
Bad Coding Practice
This whole exploit relies on two extremely bad practices.
1. Upload directories have execute script / code permissions. This should never happen, as directories in which users upload files should never execute, regardless of whether the file has the appropriate extension or not.
2. The file name the user inputs is the file name on the server side. This should also never happen, as regardless of what filters you put in, it can be easy to trick a script into thinking that the file extension is one thing when it is actually another. Your server should rename any uploaded file according to some scheme or another.
Users can't fake directory permissions, and users can't dictate what your server names the file. This is in no real way a security flaw because of Microsoft. It is a bug, but the security implications of it are due to bad practices on the end user's behalf.
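Taking the two practices above together with the earlier comment that listed the four developer failures (trusting the client-side filter, weak name validation, keeping the client-supplied name, writing into an executable folder) and the comments asking for magic numbers and content parsing instead of file extensions, here is an added Python example of what an upload check that follows that advice looks like. It is not code from the article or from any commenter; the function names, the image allowlist and the sample uploads are constructed for the example, and the "script" bodies are harmless placeholder strings.

```python
import re
import secrets

# Added example (not code from the article or from any commenter): the upload
# handling the thread calls for. Names, the image allowlist and all sample
# inputs below are constructed for illustration.

# Canonical image types the site accepts, keyed by the extension it will store,
# with the leading bytes ("magic numbers") each format really starts with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXT_ALIASES = {"jpeg": "jpg"}

# Exactly one stem of safe characters, one dot, one short extension. Anything
# else (';', ':', a second '.', '/', '\\', NUL, spaces, ...) fails to match.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")


def naive_is_image(client_name):
    """The check the thread warns against: trusts whatever the client name ends with.
    'evilcode.asp;.jpg' passes because its last four characters are '.jpg'."""
    return client_name.lower().endswith((".jpg", ".jpeg", ".png", ".gif"))


def claimed_extension(client_name):
    """Return the canonical allowlisted extension the client name claims, or None.

    The whole name must match _SAFE_NAME, so a name carrying ';' or ':' or more
    than one extension is rejected outright instead of being parsed from the right."""
    m = _SAFE_NAME.fullmatch(client_name)
    if m is None:
        return None
    ext = m.group(1).lower()
    ext = EXT_ALIASES.get(ext, ext)
    return ext if ext in MAGIC else None


def sniff_type(data):
    """Identify the content by its leading bytes, ignoring the name entirely."""
    for ext, magics in MAGIC.items():
        if any(data.startswith(magic) for magic in magics):
            return ext
    return None


def validate_upload(client_name, data):
    """Return (accepted, reason, stored_name).

    stored_name is generated server-side from a random token plus the *verified*
    extension; the client-supplied name never reaches the disk."""
    ext = claimed_extension(client_name)
    if ext is None:
        return False, "rejected: name is not <stem>.<allowed extension>", None
    if sniff_type(data) != ext:
        return False, "rejected: content does not match claimed type", None
    stored = "upload_%s.%s" % (secrets.token_hex(8), ext)
    return True, "accepted", stored


# Constructed sample uploads: a JPEG-looking header, and placeholder "script"
# bodies that contain no working code, just enough to show a name/content mismatch.
SAMPLES = {
    "photo.JPEG": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "evilcode.asp;.jpg": b"<% 'constructed placeholder %>",
    "renamed.jpg": b"<% 'constructed placeholder %>",
    "evilcode.asp": b"<% 'constructed placeholder %>",
}


def run_demo():
    """Run both checks over SAMPLES; returns name -> (naive accepted, strict accepted)."""
    results = {}
    for name, body in SAMPLES.items():
        accepted, _, _ = validate_upload(name, body)
        results[name] = (naive_is_image(name), accepted)
    return results


if __name__ == "__main__":
    for name, (naive, strict) in run_demo().items():
        print("%-20s naive=%-5s strict=%s" % (name, naive, strict))
```

Run stand-alone it prints one line per sample: the naive suffix check accepts three of the four names, the strict path accepts only the real JPEG, and the file that is accepted is written under a generated name, so nothing the client typed ever decides how the server later treats the file. This covers the name, the content and the rename; the remaining failure on the list, an upload folder with script execution enabled, is a server configuration matter that no amount of validation code substitutes for.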
"only server and pro versions of windows have IIS included and it's never installed by default even on NT4 "
Thanks. My recollection was that MS was shipping it on *all* machines so they could play the old "IIS outnumbers Apache. You'd be mad to build your website on anything else" routine when in reality most users didn't realise they had one in the box.
So I guess that just leaves the question of whether a Google search can identify who's running Windows Server or Pro installations and roughly what proportion of home and business users went with the Pro version.
Bypasses Outlook Too
Adding ;.jpg will also allow you to send .exe files via Outlook even if you have the fix that blocks emailing certain file types.
Dunno about the rest.
"Experts", there's plenty of 'em
your magic bullet sometimes gets stuck in the barrel
But hey, let's all hand out security advice from our arse
That bug was patched in the first quarter of 2003. Nearly 7 years ago. How much time did you waste tracking down those two cob-web pages?
During the meanwhile, how many filename.ext bugs have been found in Microsoft products in the ensuing time frame? For extra credit, how many OSes has MS released that could have fixed it?
All complex code has bugs. Some complex code has bugs that are more inviting to people looking to compromise systems. And filename.ext has been one of the worst over the years.
Commentards defending Microsoft's so-called "security" crack me up. Thanks for the laugh :-D