Tag Archives: IIS Tilde bug

IIS Short File Name Disclosure is back! Is your server vulnerable?

After a few years of finding IIS Short File Name Disclosure vulnerability/feature, I discovered a new method that can work on the latest versions of IIS!

It is a simple trick: If OPTIONS method is used instead of a GET method, the latest versions of IIS will produce a different error message when a short file name is available on the server. The actual bug is exactly the same as the original report and therefore this does not count as a new issue but a new technique.

I have also updated my Java scanner which is accessible via my GitHub repository: https://github.com/irsdl/iis-shortname-scanner/tree/master/

I have successfully tested this scanner on a freshly installed IIS7.5 on Windows 2008 R2 and also on an IIS8.0 on Windows 2012. It seems 8.3 names are still enabled by default… and Microsoft does not seem to be keen to patch this low risk issue after a few years. Well, it is a feature now just like the semi-colon vulnerability in IIS6! ;-)

Test your IIS server and see if it is vulnerable! You may need to add valid headers and cookies to the scanner to be able to scan some special servers.

Microsoft IIS tilde character “~” Vulnerability/Feature – Short File/Folder Name Disclosure

Click here to download the paper.

Two security issues have been reported via this security research:

1- IIS Short File/Folder Name Disclosure by using tilde “~” character:

        Click here for the advisory

2- .Net Framework Tilde Character DoS:

        Click here for the advisory

Workaround and Prevention:

We are working with security vendors to come up with a solution to mitigate the risk of these vulnerabilities. The paper PDF file will be updated accordingly.

IIS Shortname Scanner PoC – Source Codehttp://code.google.com/p/iis-shortname-scanner-poc/

PoC Video:

Click here to download the paper.
Download Link:

http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf