Microsoft IIS

Security-related information and its use within the scope of pentesting


Description

Internet Information Server is an extensible web server created by Microsoft for use within the Windows NT family (NT 3.1 through Windows Server 2016). It supports several protocols, including HTTP 1 and 2, TLS, FTP/FTPS, SMTP and NNTP (Network News Transfer Protocol). IIS also implements various authentication mechanisms (such as HTTP basic authentication) [1].


Tilde Vulnerability

Microsoft introduced a filename convention called 8.3 or SFN (short filename) so that legacy programs (e.g. MS-DOS) can access files that have a long filename. Creating a file also creates an SFN alias (visible via dir /x) according to the following rules:

example.txt => EXAMPLE.TXT (<= 8 chars; convert to uppercase)
if-filename-longer-than-8-chars.txt => IF-FIL~1.txt (first 6 chars + "~" + incrementing number)

This behaviour can be combined with the way IIS responds to requests for an existent vs. a nonexistent file (HTTP status codes 200/404/400) to enumerate files on the server. Example:

test.com/*~1*/.aspx                   =>  404: valid (one/more files available with SFN)
test.com/a*~1*/.aspx                  =>  404: valid (starts with "A")
test.com/aa*~1*/.aspx                 =>  400: invalid (the second letter is not "A")
test.com/ac*~1*/.aspx                 =>  404: valid (the second letter is "C")
test.com/acsecr~1/.aspx               =>  400: invalid (it's not a folder and it has an extension)
test.com/acsecr~1.%3f%3f%3f/.aspx     =>  404: valid (extension has 3 or more chars; %3f = ? [URL-encoded])

Several tools automate the enumeration process: IIS-ShortName-Scanner and tilde_enum (the latter tries to go further).
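A defender-side check for this pattern, added here as an example and not part of the original page or of either tool: it parses a constructed IIS W3C log excerpt and flags clients whose tilde-wildcard requests answered with 400/404 reach a threshold (the field names and sample values are assumptions, not taken from the page).

```python
import re
from collections import defaultdict

# Constructed IIS W3C log excerpt (not from the original page): one client probing
# short names with the /prefix*~1*/.aspx pattern described above, plus normal traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-01 10:00:01 10.0.0.5 GET /index.aspx - 198.51.100.7 200
2024-01-01 10:00:02 10.0.0.5 GET /*~1*/.aspx - 203.0.113.9 404
2024-01-01 10:00:02 10.0.0.5 GET /a*~1*/.aspx - 203.0.113.9 404
2024-01-01 10:00:03 10.0.0.5 GET /aa*~1*/.aspx - 203.0.113.9 400
2024-01-01 10:00:03 10.0.0.5 GET /ac*~1*/.aspx - 203.0.113.9 404
2024-01-01 10:00:04 10.0.0.5 GET /acsecr~1/.aspx - 203.0.113.9 400
2024-01-01 10:00:04 10.0.0.5 GET /acsecr~1.%3f%3f%3f/.aspx - 203.0.113.9 404
2024-01-01 10:00:05 10.0.0.5 GET /about.aspx - 198.51.100.7 200
"""

# A short-name probe carries "~<digit>" in the URI stem (usually next to a "*"
# wildcard); as shown above, IIS answers such probes only with 400 or 404.
TILDE_PROBE = re.compile(r"~\d")


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def find_shortname_probes(text, threshold=3):
    """Return {client_ip: probe_count} for clients whose tilde probes reached threshold."""
    hits = defaultdict(int)
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if TILDE_PROBE.search(stem) and rec.get("sc-status") in ("400", "404"):
            hits[rec["c-ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    print(find_shortname_probes(SAMPLE_LOG))  # {'203.0.113.9': 6}
```

Probes spread across many source addresses, or kept below the threshold, will not be flagged; lower the threshold or group by additional fields (e.g. user agent) when reviewing logs.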


Source: https://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf
Tool #1 (Java): https://github.com/irsdl/iis-shortname-scanner
Tool #2: https://github.com/WebBreacher/tilde_enum