IIS5.1 Directory Authentication Bypass by using “:$I30:$Index_Allocation”

Download this advisory from: http://soroush.secproject.com/downloadable/IIS5.1_Authentication_Bypass.pdf
or: http://0me.me/demo/IIS/IIS5.1_Authentication_Bypass.pdf

Description:
Although IIS5 is very old, it is not impossible to find one still in use. Therefore, I want to introduce a technique to bypass the IIS authentication methods on a directory.
This vulnerability is caused by using an Alternate Data Stream (ADS) name to open a protected folder.
All of the IIS authentication methods can be circumvented. In this technique, we append “:$i30:$INDEX_ALLOCATION” to a directory name to bypass the authentication.
For a protected folder such as “AuthNeeded” that contains “secretfile.asp”:
It is possible to run “secretfile.asp” by requesting:
“/AuthNeeded:$i30:$INDEX_ALLOCATION/secretfile.asp”
Instead of:
“/AuthNeeded/secretfile.asp”

More description:
Why IIS6 and 7 are not vulnerable:
- In these versions, IIS does not accept the colon (“:”) character in the URL before the query string.

Why we cannot use “::$Data” in IIS 5.1 anymore:
- IIS rejects the request if its URL contains “::$” (before the query string).

Why IIS5 is vulnerable to “Directory Authentication Bypass” by using “:$I30:$Index_Allocation”:
- IIS verifies only the directory name when checking for authentication. Therefore, we can use “http://victim.com/SecretFolder:$I30:$Index_Allocation/” instead of “http://victim.com/SecretFolder” to bypass the authentication.

Is it possible to bypass something else by using “:$I30:$Index_Allocation” on an NTFS partition?
- If a check is based only on the directory name, it can be bypassed by using this method.
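As an added example (not code from the advisory or its author), the following request-path filter applies the IIS 6/7 rule described above on the defender's side: any path segment containing “:” before the query string is flagged, after undoing %XX and %uXXXX encoding. It assumes that overlong UTF-8 sequences are among the illegal Unicode forms IIS 5.1 tolerates, so those are normalised too before the check.

```python
import re
from urllib.parse import unquote_to_bytes

# ADS forms named in the advisory, matched case-insensitively on a decoded path segment.
ADS_PATTERNS = {
    "index_allocation": re.compile(r":\$i30:\$index_allocation", re.IGNORECASE),
    "data_stream": re.compile(r"::\$data", re.IGNORECASE),
}

def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 but also accept overlong 2- and 3-byte sequences (assumption:
    overlong forms are among the illegal Unicode encodings IIS 5.1 tolerates),
    so that e.g. %C0%BA normalises to ':' before the path is inspected."""
    cont = lambda j: j < len(data) and data[j] & 0xC0 == 0x80  # continuation byte?
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif b & 0xE0 == 0xC0 and cont(i + 1):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        elif b & 0xF0 == 0xE0 and cont(i + 1) and cont(i + 2):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            out.append(chr(cp)); i += 3
        else:
            out.append("\ufffd"); i += 1  # malformed byte: substitute, never raise
    return "".join(out)

def decode_segment(seg: str) -> str:
    """Undo %uXXXX (IIS-style), then %XX encoding of one path segment."""
    def ucp(m):
        cp = int(m.group(1), 16)
        return "\ufffd" if 0xD800 <= cp <= 0xDFFF else chr(cp)  # lone surrogates can't be re-encoded
    return lenient_utf8(unquote_to_bytes(re.sub(r"%u([0-9a-fA-F]{4})", ucp, seg)))

def find_ads_segments(url: str) -> list:
    """IIS 6/7 rule: reject any path segment (query string excluded) that contains ':'
    after decoding.  Returns [(decoded_segment, reason)] for each offending segment."""
    path = url.split("?", 1)[0]
    hits = []
    for seg in path.split("/"):
        decoded = decode_segment(seg)
        if ":" in decoded:
            reason = next((n for n, p in ADS_PATTERNS.items() if p.search(decoded)), "colon_in_path")
            hits.append((decoded, reason))
    return hits
```

A colon in the query string is left alone, matching the “before the query string” condition in the text, while a bare colon in a segment is still reported (as “colon_in_path”) even when no known ADS form follows it.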

About Soroush Dalili
Web application security pentester.

9 Responses to IIS5.1 Directory Authentication Bypass by using “:$I30:$Index_Allocation”

  1. Pingback: Microsoft Internet Information Services Basic Authentication Security Bypass « zencurity

  2. Pingback: Haha – IIS 5.1 Directory Authentication Bypass « New World D0mber

  3. This vulnerability does not appear to apply if there is .NET 1.1 or later installed and in use via aspx pages on the IIS 5.X instance. Therefore, this vulnerability appears to be limited to .asp and the old style of windows web page development. So far, all tests we have conducted give the proper 404 page not found response when using :$I30:$INDEX_ALLOCATION on directory folders listed as protected in Web.config using this method:

  4. Using this method

    <location path="account">
      <system.web>
        <authorization>
          <deny users="?"/>
        </authorization>
      </system.web>
    </location>

  5. pavlovconst says:

    It was very interesting to read soroush.secproject.com.
    I want to quote your post in my blog. Can I?
    And do you have an account on Twitter?

  6. I answered all the comments through my email.
    IIS <= 5.1 is still unpatched. In order to be secure, install URLScan on your web server. It is not possible to stop this attack only by filtering “:” and “$” characters, as there are other Unicode forms of these characters. Unfortunately, IIS5.1 supports illegal Unicode forms of characters as well.

  7. Anonymous says:

    Fixed by MS10-065; CVE-2010-2731?

  8. Pingback: IIS short file and folder name leak vulnerability | we8i

  9. Pingback: Attack@Dis9Team » IIS short file and folder name leak vulnerability