Basic search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24171
HistoryJul 07, 2010 - 12:00 a.m.

IIS5.1 Directory Authentication Bypass by using “:$I30:$Index_Allocation”

2010-07-0700:00:00
vulners.com
515

Description:
Although IIS5 is very old, finding one is not impossible! Therefore, I want to introduce a technique to
bypass the IIS authentication methods on a directory.
This vulnerability is because of using Alternate Data Stream to open a protected folder.
All of IIS authentication methods can be circumvented. In this technique, we can add a
“:$i30:$INDEX_ALLOCATION” to a directory name to bypass the authentication.
In a protected folder such as “AuthNeeded” which includes “secretfile.asp”:
It is possible to run “secretfile.asp” by using:
“/AuthNeeded:$i30:$INDEX_ALLOCATION/secretfile.asp”
Instead of:
“/AuthNeeded/secretfile.asp”

More description:
Why IIS6 and 7 are not vulnerable:

  • In these versions, IIS does not accept colon (“:”) character from the URL before the querystring.

Why we cannot use “::$Data” in IIS 5.1 anymore:

  • IIS rejects the request if its URL contains “::$” (before querystring).

Why IIS5 is vulnerable to “Directory Authentication Bypass” by using “:$I30:$Index_Allocation”:

Is it possible to bypass something else by using “:$I30:$Index_Allocation” on a NTFS partition:

  • If a checking is only based on the directory name, it can be bypassed by using this method.

Download this advisory from: http://soroush.secproject.com/downloadable/IIS5.1_Authentication_Bypass.pdf
or: http://0me.me/demo/IIS/IIS5.1_Authentication_Bypass.pdf

More here:

http://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/