IIS代字号漏洞问题

Question

Here is issue that we have on one of our site:

File/directory name bruteforcing using the Windows file system shorthand characters and status returns codes

It is possible to find an unknown filename up to six characters by using shorthand file characters such as ~1 and
    *Example: site.com/admin/uplo*~1*/.aspx
This attack relies on reading different error codes the webserver responds with when the file(s) exist or not. Let’s say the file upload.aspx exists in the directory admin. Our attacks responses would look like this:
    site.com/admin/uplo*~1*/.aspx – IIS returns HTTP 404 File Not Found (valid file)
    site.com/admin/uplp*~1*/.aspx – IIS returns HTTP 400 Bad Request (invalid file)
        *Note that IIS 7.x responds with different error codes (0×0 when valid) instead of http status codes

More Details http://www.alertlogic.com/internet-information-server-iis-exploitation-2/

One of the possible solutions: ... If possible you may want to look into using URL rewriting to not allow any URL with a tilde character to be accepted ...

Question: How to do that? what regular expression should be used in url rewriting rule in order to discard ~ character in all URL on the website (ASP.NET 3.5)

Answer 1

It can be fixed by doing either of the following:

1. Install .NET 4.0 on the web server. 

OR

2. Install and configure IIS URLScan module (do not allow ~ chars in the URL by adding ~ to [DenyUrlSequences] section).

Find more helpful info here: http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

Answer 2

Need to disable the 8.3 filename generation on IIS. Simple registry change but you need to copy all affected directories, so therefore needs IIS stopped.

How to disable 8.3 file name creation on NTFS partitions

NtfsDisable8dot3NameCreation