[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
IIS5.1 Directory Authentication Bypass by using “:$I30:$Index_Allocation”
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: IIS5.1 Directory Authentication Bypass by using “:$I30:$Index_Allocation”
- From: bugreport@xxxxxxxxxxxx
- Date: 2 Jul 2010 11:59:18 -0000
Description:
Although IIS5 is very old, finding one is not impossible! Therefore, I want to
introduce a technique to bypass the IIS authentication methods on a directory.
This vulnerability is because of using Alternate Data Stream to open a
protected folder.
All of IIS authentication methods can be circumvented. In this technique, we
can add a ?:$i30:$INDEX_ALLOCATION? to a directory name to bypass the
authentication.
In a protected folder such as ?AuthNeeded? which includes ?secretfile.asp?:
It is possible to run ?secretfile.asp? by using:
?/AuthNeeded:$i30:$INDEX_ALLOCATION/secretfile.asp?
Instead of:
?/AuthNeeded/secretfile.asp?
More description:
Why IIS6 and 7 are not vulnerable:
- In these versions, IIS does not accept colon (?:?) character from the URL
before the querystring.
Why we cannot use ?::$Data? in IIS 5.1 anymore:
- IIS rejects the request if its URL contains ?::$? (before querystring).
Why IIS5 is vulnerable to ?Directory Authentication Bypass? by using
?:$I30:$Index_Allocation?:
- IIS only verifies the directory name to check for authentication. Therefore,
we can use ?http://victim.com/SecretFolder:$I30:$Index_Allocation/? instead of
?http://victim.com/SecretFolder? to bypass the authentication.
Is it possible to bypass something else by using ?:$I30:$Index_Allocation? on a
NTFS partition:
- If a checking is only based on the directory name, it can be bypassed by
using this method.
Download this advisory from:
http://soroush.secproject.com/downloadable/IIS5.1_Authentication_Bypass.pdf
or: http://0me.me/demo/IIS/IIS5.1_Authentication_Bypass.pdf
More here:
http://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/