IIS5.1 Directory Authentication Bypass by using “:$I30:$Index_Allocation”

Download this advisory from: http://soroush.secproject.com/downloadable/IIS5.1_Authentication_Bypass.pdf
or: http://0me.me/demo/IIS/IIS5.1_Authentication_Bypass.pdf

Description:
Although IIS5 is very old, finding one is not impossible! Therefore, I want to introduce a technique to bypass the IIS authentication methods on a directory.
This vulnerability is because of using Alternate Data Stream to open a protected folder.
All of IIS authentication methods can be circumvented. In this technique, we can add a “:$i30:$INDEX_ALLOCATION” to a directory name to bypass the authentication.
In a protected folder such as “AuthNeeded” which includes “secretfile.asp”:
It is possible to run “secretfile.asp” by using:
“/AuthNeeded:$i30:$INDEX_ALLOCATION/secretfile.asp”
Instead of:
“/AuthNeeded/secretfile.asp”

More description:
Why IIS6 and 7 are not vulnerable:
– In these versions, IIS does not accept colon (“:”) character from the URL before the querystring.

Why we cannot use “::$Data” in IIS 5.1 anymore:
– IIS rejects the request if its URL contains “::$” (before querystring).

Why IIS5 is vulnerable to “Directory Authentication Bypass” by using “:$I30:$Index_Allocation”:
– IIS only verifies the directory name to check for authentication. Therefore, we can use “http://victim.com/SecretFolder:$I30:$Index_Allocation/” instead of “http://victim.com/SecretFolder” to bypass the authentication.

Is it possible to bypass something else by using “:$I30:$Index_Allocation” on a NTFS partition:
– If a checking is only based on the directory name, it can be bypassed by using this method.

Download this advisory from: http://soroush.secproject.com/downloadable/IIS5.1_Authentication_Bypass.pdf
or: http://0me.me/demo/IIS/IIS5.1_Authentication_Bypass.pdf

9 thoughts on “IIS5.1 Directory Authentication Bypass by using “:$I30:$Index_Allocation”

  1. Pingback: Microsoft Internet Information Services Basic Authentication Security Bypass « zencurity

  2. Pingback: Haha – IIS 5.1 Directory Authentication Bypass « New World D0mber

  3. Derek McUmber

    This vulnerability does not appear to apply if there is .NET 1.1 or later installed and in use via aspx pages on the IIS 5.X instance. Therefore, this vulnerability appears to be limited to .asp and the old style of windows web page development. So far, all tests we have conducted give the proper 404 page not found response when using :$I30:$INDEX_ALLOCATION on directory folders listed as protected in Web.config using this method:

  4. Derek McUmber

    Using this method

    <location path=”account”>
    <system.web>
    <authorization>
    <deny users=”?”/>
    </authorization>
    </system.web>
    </location>

  5. pavlovconst

    it was very interesting to read soroush.secproject.com
    I want to quote your post in my blog. It can?
    And you et an account on Twitter?

  6. Soroush Dalili Post author

    I answered all the comments through my email.
    IIS<=5.1 are still unpatched. In order to be secure, install URLScan on your web-server. It is not only possible to stop this attack by filtering ":" and "$" characters as there are some other unicode forms for these characters. Unfortunately, IIS5.1 supports illegal unicode form of characters as well.

  7. Pingback: IIS短文件和文件夹泄漏漏洞 | we8i

  8. Pingback: Attack@Dis9Team » IIS短文件和文件夹泄漏漏洞

Comments are closed.