
IIS5.1 Directory Authentication Bypass by using “:$I30:$Index_Allocation”


Description:
Although IIS 5 is very old, finding one in the wild is not impossible. Therefore, I want to introduce a technique to bypass the IIS authentication methods on a directory.
This vulnerability arises because an NTFS Alternate Data Stream (attribute) reference can be used to open a protected folder.
All of the IIS authentication methods can be circumvented. In this technique, we can append ":$i30:$INDEX_ALLOCATION" to a directory name to bypass the authentication.
In a protected folder such as "AuthNeeded" which contains "secretfile.asp":
It is possible to run "secretfile.asp" by using:
"/AuthNeeded:$i30:$INDEX_ALLOCATION/secretfile.asp"
Instead of:
"/AuthNeeded/secretfile.asp"

More description:
Why IIS 6 and 7 are not vulnerable:
- In these versions, IIS does not accept the colon (":") character in the URL before the query string.

Why we cannot use "::$Data" in IIS 5.1 anymore:
- IIS rejects the request if its URL contains "::$" (before the query string).

Why IIS 5 is vulnerable to "Directory Authentication Bypass" by using ":$I30:$Index_Allocation":
- IIS only verifies the directory name to check for authentication. Therefore, we can use "http://victim.com/SecretFolder:$I30:$Index_Allocation/" instead of "http://victim.com/SecretFolder" to bypass the authentication.

Is it possible to bypass something else by using ":$I30:$Index_Allocation" on an NTFS partition?
- If a check is based only on the directory name, it can be bypassed by using this method.
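As an added illustration (not part of this advisory), the Python below models the directory-name-only check the advisory describes beside a hardened check that rejects a colon in the path before the query string, as the advisory says IIS 6 and 7 do, and scans constructed IIS-style log lines for the ":$" pattern. PROTECTED_DIRS, the log field layout and the function names are assumptions.

```python
from urllib.parse import unquote

# Constructed: the protected directory from the advisory (assumption, lower-cased)
PROTECTED_DIRS = {"authneeded"}


def path_segments(url):
    """Path part of a request URL, decoded and split; the query string is dropped."""
    path = url.split("?", 1)[0]
    return [seg for seg in unquote(path).split("/") if seg]


def naive_decision(url):
    """Check modelled on the IIS 5.1 behaviour the advisory describes: only the
    literal directory name is compared, so an NTFS stream/attribute suffix makes
    the protected directory look like a different, unprotected one."""
    segs = path_segments(url)
    return "auth" if segs and segs[0].lower() in PROTECTED_DIRS else "open"


def hardened_decision(url):
    """Reject any path segment containing ':' before the query string, which is
    what the advisory credits for IIS 6 and 7 not being affected."""
    segs = path_segments(url)
    if any(":" in seg for seg in segs):
        return "reject"
    return "auth" if segs and segs[0].lower() in PROTECTED_DIRS else "open"


def flag_ads_requests(log_lines):
    """URI stems from constructed W3C-style log lines (fields: date time
    cs-method cs-uri-stem cs-uri-query sc-status) that carry ':$', i.e. an
    NTFS attribute or stream reference in the path."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 4 and ":$" in unquote(fields[3]):
            hits.append(unquote(fields[3]))
    return hits


# Constructed sample log lines, not taken from the advisory
SAMPLE_LOG = [
    "2010-07-01 10:00:01 GET /AuthNeeded/secretfile.asp - 401",
    "2010-07-01 10:00:05 GET /AuthNeeded:$i30:$INDEX_ALLOCATION/secretfile.asp - 200",
    "2010-07-01 10:00:09 GET /index.asp id=1 200",
]
```

The naive check returns "open" for the suffixed path while the hardened one returns "reject"; the log scan only inspects the URI stem, so colons in the time field or query string do not trigger it.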

Download this advisory from: http://soroush.secproject.com/downloadable/IIS5.1_Authentication_Bypass.pdf
or: http://0me.me/demo/IIS/IIS5.1_Authentication_Bypass.pdf

More here:

http://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/
