Microsoft IIS Tilde Character Short File/Folder Name Disclosure

medium Web App Scanning Plugin ID 112442

Language:

Synopsis

Microsoft IIS Tilde Character Short File/Folder Name Disclosure

Description

Microsoft Internet Information Server (IIS) suffers from a vulnerability which allows the detection of short names of files and directories which have en equivalent in the 8.3 version of the file naming scheme. By crafting specific requests containing the tilde '~‘ character, an attacker could leverage this vulnerability to find files or directories that are normally not visible and gain access to sensitive information. Given the underlying filesystem calls generated by the remote server, the attacker could also attempt a denial of service on the target application.

Solution

As a workaround, disable the 8.3 file and directories name creation, manually remove names already present in the fileystem and ensure that URL requests containing the tilde character (and its unicode equivalences) are discarded before reaching the IIS server.
If possible, upgrade to the latest version of the .NET framework and IIS server.

See Also

https://github.com/irsdl/IIS-ShortName-Scanner

https://soroush.secproject.com/blog/2012/06/microsoft-iis-tilde-character-vulnerabilityfeature-short-filefolder-name-disclosure/

https://soroush.secproject.com/blog/2014/08/iis-short-file-name-disclosure-is-back-is-your-server-vulnerable/

https://support.microsoft.com/en-gb/help/121007/how-to-disable-8-3-file-name-creation-on-ntfs-partitions

Plugin Details

Severity: Medium

ID: 112442

Type: remote

Family: Component Vulnerability

Published: 6/19/2020

Updated: 9/7/2021

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.0

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CVSS Score Source: Tenable

Vulnerability Information

CPE: cpe:2.3:a:microsoft:internet_information_server:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Reference Information

CWE: 20

OWASP: 2010-A4, 2013-A4, 2013-A9, 2017-A5, 2017-A9, 2021-A3, 2021-A6

WASC: Improper Input Handling

CAPEC: 10, 101, 104, 108, 109, 110, 120, 13, 135, 136, 14, 153, 182, 209, 22, 23, 230, 231, 24, 250, 261, 267, 28, 3, 31, 42, 43, 45, 46, 47, 473, 52, 53, 588, 63, 64, 67, 7, 71, 72, 73, 78, 79, 8, 80, 81, 83, 85, 88, 9

DISA STIG: APSC-DV-002560, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-CM-6b, sp800_53-SI-10

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.1.3

PCI-DSS: 3.2-6.2, 3.2-6.5