Tag Archives: IIS File Extension Security Bypass

File Upload Attack using XAMLX Files

I have recently published a blog post on use of .XAMLX files to execute command on an IIS based application.

This blog has been has been published by NCC and is accessible here: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/august/getting-shell-with-xamlx-files/

Here is its little Twitter story:

This technique can come in handy when dealing with a file uploader that uses a blacklist approach to stop malicious extensions.

Interestingly, if you just search XAMLX in Google or Bing, this technique will be in the first page so it has taken over so many of its actual legitimate usage!

ASP.NET resource files (.RESX) and deserialization issues

I have recently published a blog post via NCC Group’s website about the deserialization issue by abusing the ASP.NET resource files (.resx and .resources extensions). A number of products were exploited and some file uploaders can also be vulnerable to this type of attack.

The full article can be viewed in NCC Group’s website: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/

PDF version of the blog post published by NCC Group can be downloaded from:

https://soroush.secproject.com/downloadable/aspnet_resource_files_resx_deserialization_issues.pdf

In addition to this, the advisories can be seen via:

Code Execution by Unsafe Resource Handling in Multiple Microsoft Products: https://www.nccgroup.trust/uk/our-research/technical-advisory-code-execution-by-unsafe-resource-handling-in-multiple-microsoft-products/

Code Execution by Viewing Resource Files in .NET Reflector: https://www.nccgroup.trust/uk/our-research/technical-advisory-code-execution-by-viewing-resource-files-in-net-reflector/

I had also reported the same vulnerability in Telerik justDecompile and JetBrains dotPeek:

https://blog.jetbrains.com/dotnet/2018/08/02/resharper-ultimate-2018-1-4-rider-2018-1-4-released/

https://www.telerik.com/support/whats-new/justdecompile/release-history/justdecompile-r2-2018-sp1

Relevant tweets about this:

Microsoft IIS Semi-Colon Vulnerability

I found a vulnerability in Microsoft IIS when I was searching about a method to execute an ASP file when we can only upload a JPG file.

The result was too simple, but interesting! I need only a semicolon between the “.asp” and the “.jpg” to execute an ASP file. So, the answer was “myfilename.asp;,jpg”. I have written some information about this vulnerability in:

http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf

I’ll try to update this PDF file if there was a need to add or change some information.

Description of this vulnerability from Secunia.com is:

Description:
Soroush Dalili has discovered a vulnerability in Microsoft Internet Information Services (IIS), which can be exploited by malicious people to potentially bypass certain security restrictions and compromise a vulnerable system.

The vulnerability is caused due to the web server incorrectly executing e.g. ASP code included in a file having multiple extensions separated by “;”, only one internal extension being equal to “.asp” (e.g. “file.asp;.jpg”). This can be exploited to potentially upload and execute arbitrary ASP code via a third-party application using file extensions to restrict uploaded file types.

The vulnerability is confirmed on a fully patched Windows Server 2003 R2 SP2 running Microsoft IIS version 6. Other versions may also be affected.

There are also several websites which wrote about this weakness:

1. Secunia Advisory: Microsoft IIS ASP Multiple Extensions Security Bypass

2. Securityfocus: Microsoft IIS Malformed Local Filename Security Bypass Vulnerability

3. The Register: Microsoft IIS vuln leaves users open to remote attack

4. VUPEN Security: Microsoft IIS File Extension Processing Security Bypass Vulnerability

5. Securitytracker: Microsoft Internet Information Services (IIS) Filename Extension Parsing Flaw May Let Users Bypass Security Controls