Multiple IIS 6.0/7.5 Vulnerabilities

Multiple vulnerabilities found in IIS 6.0 and 7.5 web servers and reported to the Full-Disclosure mailinglist by Kingcope. I took some time to test the various vulnerablities.
Published on Tuesday, 17 July 2012

Multiple vulnerabilities found in IIS 6.0 and 7.5 web servers. On the Full-Disclosure mailinglist Kingcope posted several IIS 6.0 and 7.5 bugs. Because I am a Windows Server and IIS admin, I took some time to test the various vulnerabilities ...


The posted Windows bugs Kingcope posted are:

  • Microsoft IIS 7.5 .NET source code disclosure and authentication bypass
  • Microsoft IIS 7.5 Classic ASP Authentication Bypass
  • Microsoft IIS 6.0 with PHP installed Authentication Bypass

I was successful in reproducing the Microsoft IIS 7.5 .NET source code disclosure and authentication bypass but couldn't reproduce the "Microsoft IIS 7.5 Classic ASP Authentication Bypass" and "Microsoft IIS 6.0 with PHP installed Authentication Bypass" vulnerabilities, unfortunately.

Microsoft IIS 7.5 .NET source code disclosure

In my limited time I could only verify the IIS 7.5 .NET source code disclosure vulnerability.

For the vulnerability to be effective, the Path Type of the PHP Handler must remain unconfigured (Type="Unspecified"). For any request on a file using the .NET Framework, such as ASPX, that is not blocked through the request filtering rules (like misconfigured .CS,.VB files), IIS will return the full source code of the file.

And executes it as PHP code! All you have to do is append /.php to the URI:

http://www.example.com/vuln.aspx/.php

It might also be possible to execute arbitrary PHP code under special circumstances.

Workarounds for Microsoft IIS 7.5 .NET source code disclosure

There are several workarounds available, fortunately.

Configure the PHP handler properly in IIS
A proper configured IIS web server has its Request Restrictions (resourceType) set to File in the PHP handler. Having this not configured, it gives you a nasty error message ("No input file specified"), if the requested file doesn't exist.

If not configured, fix it with AppCmd.exe:

appcmd set config /section:system.webServer/handlers 
  "-+[name=`'PHP`',
    path=`'*.php`',
    verb=`'*`',
    modules=`'FastCgiModule`',
    scriptProcessor=`'path\to\php-cgi.exe`',
    resourceType=`'File`']"

If you're unable to, you can deny certain URL sequences using IIS URL Rewrite or Helicon Ape.

deny URL sequence using IIS URL Rewrite module
In your web.config file, add

<rewrite>
  <rules>
    <rule name="DenyPHPafterASPX" stopProcessing="true">
      <match url=".?" ignoreCase="true" />
      <conditions logicalGrouping="MatchAll">
        <add input="{URL}" pattern="^/(.*\.aspx)/(.*\.php)$" />
      </conditions>
      <action type="CustomResponse"
        url="/"
        statusCode="403"
        statusReason="Forbidden"
        statusDescription="Forbidden" />
    </rule>
  </rules>
</rewrite>

deny URL sequence using IIS Request Filtering module
In your web.config file, add

<configuration>
  <system.webServer>
    <security>
      <denyUrlSequences>
        <add sequence=".aspx/.php" />
      </denyUrlSequences>
    </security>
  </system.webServer>
</configuration>

or in Helicon APe's .htaccess file:

RewriteEngine On
# DenyPHPafterASPX
RewriteCond %{REQUEST_URI} ^/(.*\.aspx)/(.*\.php)$ [NC]
RewriteRule .? / [F,L]

Important: The URL Rewrite and Helicon Ape rewrite rules must be made for any .NET Framework file extension, like .aspx, .vb, .cs, and so on.

You can use AppCmd.exe to configure these, if not already. For example:

appcmd set config /section:system.webServer/security/requestFiltering
  /+"fileExtensions.[fileExtension='.aspx',allowed='False']"
appcmd set config /section:system.webServer/security/requestFiltering
  /+"fileExtensions.[fileExtension='.vb',allowed='False']"
appcmd set config /section:system.webServer/security/requestFiltering
  /+"fileExtensions.[fileExtension='.htaccess',allowed='False']"

Microsoft IIS 6.0 with PHP installed Authentication Bypass

Kingcope replied that the IIS 6.0 PHP authentication bypass is only possible on Windows Server 2003 SP1. SP2 seems unaffected.

Microsoft IIS 7.5 Classic ASP Authentication Bypass

On two different server-environments, I was unable to reproduce the Classic ASP authentication bypass. A web server with the .NET Framework version 4.0.30319.237 returns an HttpException after adding ::$INDEX_ALLOCATION to the directory name:

[HttpException (0x80004005): A potentially dangerous Request.Path value
was detected from the client (:).]
 System.Web.HttpRequest.ValidateInputIfRequiredByConfig() +9016361
 System.Web.PipelineStepManager.ValidateHelper(HttpContext context) +59

A second web server with the .NET Framework version 4.0.30319.269 returns a 401.2 - Unauthorized status. I tested with the following browsers: Google Chrome, Mozilla Firefox and Internet Explorer 9, as Kingcope thought that might make a difference.