Microsoft IIS Multiple Extensions Security Bypass Clarifications

By Alin Rad Pop

The vulnerability described in SA37831 has recently raised some questions due to Microsoft avoiding to acknowledge it as a security risk.

Secunia views this issue as a vulnerability from the perspective of an administrator running a web application, which allows users to upload files to a certain directory. Upload scripts normally restrict uploaded file types by allowing only files having e.g. the ".jpg" or ".gif" extension to be uploaded.

This vulnerability allows an attacker to completely bypass these types of otherwise sound restrictions, allowing the upload of arbitrary files, which are interpreted by IIS as e.g. ASP scripts. While we agree that removing "execute" permissions for upload directories is best practice and a good Defense-in-Depth approach, administrators relying on the restrictions imposed by the upload script are at risk without expecting it.

Additionally, it should be noted that setting "write" permissions for the upload directory, as required by upload scripts, does not warn administrators or automatically remove already set "execute" permissions from that directory to protect against what Microsoft refers to as a poor configuration.

For the reasons stated above and due to the additional requirement of having an upload script installed, SA37831 was released with a potential "System access" impact and a "Less critical" rating.

While administrators are encouraged to follow best practices, we believe that referring to the documentation is not enough for a vendor to fully mitigate an unexpected behaviour that clearly has a security impact and allows bypassing of third-party restrictions otherwise believed to be secure.

As a comment to the latest response made by Microsoft and the quote: "The IIS folks are evaluating a change to bring the behavior of IIS 6.0 in line with the other versions", Carsten Eiram, Chief Security Specialist at Secunia, had the following comment:

"It seems that while Microsoft attempts to put the blame on their customers for not configuring their IIS servers according to best practises, then they still do acknowledge that there is a problem and will be fixing it. So, it ultimately seems like we're just discussing semantics and whether Microsoft prefers to call this a "vulnerability", "weakness", "feature", or something else is up to them as long as they plan on issuing a (security) fix".

Stay Secure,

Alin Rad Pop
Security Specialist