using ~ to enumerate directories on IIS 6.0

Recently I was running a web application assessment for a client whose system was running IIS 6.0 on Windows 2003 server. Much foosball and coffee had already gone into this assessment yet I still didn’t have the “Oh Shit, how did you find that?” discovery that makes developers curl up in a ball and rock themselves to sleep. These developers were smarter than most and this was not their first assessment either. They had learned from previous tests to be vigilant about input sanitation and the usual bag of tricks.

I was pretty much ready to swap my Nerf Gun for Microsoft Word and start typing up my findings when I saw this article by Soroush Dalili about using a 17-year-old technique to enumerate directories on < IIS 7.0 using the good old “~1” from the 8dot3 days of Windows.

A bit of history for you kids, and nostalgia for us old-timers, about the 8dot3 days of Windows: in older versions of the OS the user had to use filenames that met the format filename.ext (8 chars for the filename and 3 chars for the extension). That is why the older systems always had files like autoexec.bat, config.sys and command.com.

As time moved on, past Y2K I believe, the time came when Bob wanted to hide his porn collection in folders called “photos_of_aunty_agnus_70th_anniversary_very_boring_dont_open_ever”. Microsoft obliged and made the lengths far longer, and so today we can all create dumb names for folders and files to remind us what’s in them. The problem arose when copying files from your awesome Pentium 75 MMX running Windows 2000 to your 486 running Windows 98: Windows would then show the folder as “photos~1” as its way to stay away from the angry blue screen.

I had pretty much thought at this point that the 8dot3 days were long gone and, with the long names we have for websites today, that IIS wouldn’t have bothered supporting any functionality for 8dot3 files and folders. Turns out that Windows Server 2003 running IIS 6.0 does just that! I grabbed a copy of Soroush’s PoC and ran it against the site, pretty much content that whatever it would find would have already been found by DirBuster, but decided to give it a go anyway.

To my astonishment it had found three folders, two of which I knew about and one that I didn’t. I figured that “COLLIE~1” wouldn’t be that hard to guess since I knew of at least one other company who used this system whose first six letters matched those, and upon snooping inside there I found a very old version of the site that the developers had used when building/testing for that client and had never removed. As such, the code was not up to standard in any way and the “Oh Shit” moment had arrived.

There are tens of thousands of sites out there running IIS 6.0 as can be seen here and a lot of them may be susceptible to the same ~1 enumeration vulnerabilities described above. Your crawlers and scanners are very good at finding folders named “admin”, “secure”, “wp-login” and the rest but might never be good enough to find “/johnspizzaemporium” although your inside info and a “JOHNSP~1” may be enough to give you the edge you need. I suggest reading the article fully as it can do deep recursion into folders and give you a very good head start on your DirBuster scan. Also, seeing as any “.aspx” file does not meet the 8dot3 standard, the tool will find all the occurrences of .aspx files.
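For anyone auditing their own web root, the sketch below is an added example (not code from this post or from Soroush's PoC) that predicts which entries get an 8dot3 alias and what it looks like, which is why “johnspizzaemporium” shows up as “JOHNSP~1” and why every .aspx file has one. It assumes the common case only: on a real volume the ~N number follows creation order and Windows switches to a hash-based alias after the fourth collision, neither of which is modelled, and the listing in `SAMPLE` is constructed.

```python
import re

# Characters that are legal in long names but not in 8.3 names.
ILLEGAL_83 = re.compile(r"[+,;=\[\]]")

def split_name(name):
    """Split into (stem, extension); a leading-dot name has no extension."""
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:
        return name.lstrip("."), ""
    return stem, ext

def needs_short_name(name):
    """True when the long name does not already fit the 8dot3 format."""
    stem, ext = split_name(name)
    fits = len(stem) <= 8 and len(ext) <= 3 and "." not in stem
    clean = " " not in name and not ILLEGAL_83.search(name)
    return name.startswith(".") or not (fits and clean)

def short_alias(name, index=1):
    """Predict the alias: first six chars of the stem, ~index, 3-char extension."""
    stem, ext = split_name(name)
    stem = ILLEGAL_83.sub("_", stem.replace(" ", "").replace(".", "")).upper()
    ext = ILLEGAL_83.sub("_", ext.replace(" ", "")).upper()[:3]
    alias = f"{stem[:6]}~{index}"
    return f"{alias}.{ext}" if ext else alias

def audit(names):
    """Map every long name that gets an alias to its predicted short name."""
    counts, report = {}, {}
    for name in names:
        if needs_short_name(name):
            key = short_alias(name)
            counts[key] = counts.get(key, 0) + 1
            report[name] = short_alias(name, counts[key])
    return report

# Constructed web root listing (not taken from any real site).
SAMPLE = ["admin", "secure", "login.asp", "default.aspx", "web.config",
          "johnspizzaemporium", "johnspizzaemporium_old"]

if __name__ == "__main__":
    for long_name, alias in audit(SAMPLE).items():
        print(f"{alias:14} <- {long_name}")
```

Anything that appears in the report is a name worth reviewing for forgotten test copies; names such as “admin” that already fit 8dot3 get no separate alias.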

Footnote: If I can find some Windows 2003 floppy discs, I’ll set it up in the lab and do a video demonstration of the exploit and post it up.

References:

Soroush Dalili – http://soroush.secproject.com/

Microsoft Tilde Directory Enumeration – http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf

IIS Shortname Scanner PoC – http://code.google.com/p/iis-shortname-scanner-poc/
