Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
> whoami
• Name: Soroush Dalili
Twitter: @irsdl
Location: UK
Current company: SecProject (founder & owner)
Blog: https://Soroush.me/
• Pentester || Bug Bounty Hunter
• Occasional vulnerability researcher
• First public advisory in 2004
• Tool maker
• A top 10 web hacking judge in the past few years
Agenda
• Quick introduction on short file names (SFN) in Windows
• Discussing IIS SFN Disclosure
• Automatically
• Manually
• Methods of guessing long file name (LFN) from its SFN
Short File Name (SFN) – 8.3
• Filename = 8 characters, extension = 3 characters, e.g. TEST1234.XYZ
• Necessary in FAT file-systems
• Uppercase
• Alphanumeric with some special characters
• No spaces
• Only one period
Long File Name (LFN)
• In Windows, LFN == 255 Characters
• Windows 95 supported LFN
• NTFS supports LFN but does not need it
• Windows is backward compatible with SFN (optional in NTFS)
Simplified Transformation of LFN to SFN
• [6 CHARS]~[ONE DIGIT]
• [6 CHARS]~[ONE DIGIT].[3 CHARS]
• Removes
• Disallowed characters
• Any period character before the last one
• Any space characters
• + changes to _
• Creation order is important
• The name sticks!
• Equivalent DOS commands:
• Dir /x
• Dir /-n
Digging Deeper…
• Since Windows 2000 → Max Single Digit == 4
• More than 4 similar SFN?
• [0-2 CHARS][4 HEX]~[ONE DIGIT].[3 CHARS]
• Read http://tomgalvin.uk/blog/gen/2015/06/09/filenames/ by Thomas Galvin (https://github.com/tom-galvin)
• Interested to read more?
• https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc976806(v=technet.10)
• https://en.wikipedia.org/wiki/8.3_filename
Early FAQs
test~1.asp does not exist, can we have test~2.asp?
→ Yes: test~1.asp could have been deleted; the other SFNs stay the same
Can a SFN start with a .?
→ No, it removes it.
• .File → FILE~1
Can a SFN contain more than one ~?
→ Yes, tilde is an allowed character itself
• abcd~1~2.txt → It is already short!
• test~1.foobar → TEST~1~1.FOO
• ~1~2~3.foobar → ~1~2~3~1.FOO
Will a SFN be deleted automatically after being disabled?
→ No, files/dirs need to be recreated
Which Windows versions disable SFN creation by default?
→ None
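The transformation rules and the FAQ cases above, worked through in Python as an added example (not code from the talk or from any of the tools it lists). It follows the talk's simplified rules; the four hex digits used after the fourth collision are a labelled stand-in, not the algorithm Windows actually uses.

```python
import zlib
from typing import Optional

# Besides A-Z and 0-9, an 8.3 name may contain these characters. Tilde is
# among them, which is why abcd~1~2.txt is "already short".
SFN_SPECIALS = set("!#$%&'()-@^_`{}~")


def _clean(part: str) -> str:
    """Apply the talk's simplified rules to a name or extension part:
    uppercase, '+' becomes '_', and spaces, periods and any other
    character not allowed in an 8.3 name are dropped."""
    out = []
    for ch in part.upper():
        if ch == "+":
            out.append("_")
        elif ch.isascii() and (ch.isalnum() or ch in SFN_SPECIALS):
            out.append(ch)
    return "".join(out)


def is_already_short(lfn: str) -> bool:
    """True if the name already satisfies 8.3 (case-insensitively): at most
    one period, not leading, base <= 8 and extension <= 3 characters, no
    disallowed characters. Windows creates no separate SFN for such names."""
    if lfn.count(".") > 1 or lfn.startswith("."):
        return False
    base, _, ext = lfn.partition(".")
    if not base or len(base) > 8 or len(ext) > 3:
        return False
    return _clean(base + ext) == (base + ext).upper()


def make_sfn(lfn: str, existing: set) -> Optional[str]:
    """Return the SFN Windows would generate for `lfn` in a directory whose
    already-assigned SFNs are in `existing` (updated in place), or None if
    the name needs no SFN. Creation order matters: the same LFN gets ~2
    when ~1 is taken, and the alias sticks even if the ~1 file is deleted."""
    if is_already_short(lfn):
        return None
    name = lfn.lstrip(".")                 # a leading period is dropped: .File -> FILE~1
    base, sep, ext = name.rpartition(".")  # only the LAST period separates the extension
    if not sep:
        base, ext = name, ""
    base6 = _clean(base)[:6]
    ext3 = _clean(ext)[:3]
    suffix = f".{ext3}" if ext3 else ""
    # [6 CHARS]~[ONE DIGIT](.[3 CHARS]); since Windows 2000 the digit stops at 4
    for n in range(1, 5):
        cand = f"{base6}~{n}{suffix}"
        if cand not in existing:
            existing.add(cand)
            return cand
    # After four collisions the shape becomes [0-2 CHARS][4 HEX]~1(.[3 CHARS]).
    # The CRC below is only a stand-in for the real hex algorithm (see
    # Galvin's write-up); it is NOT what Windows computes.
    for n in range(1, 10):
        hex4 = f"{zlib.crc32(f'{lfn}{n}'.encode()) & 0xFFFF:04X}"
        cand = f"{base6[:2]}{hex4}~1{suffix}"
        if cand not in existing:
            existing.add(cand)
            return cand
    raise RuntimeError("no free short name (stand-in hash exhausted)")


def directory_sfns(lfns_in_creation_order):
    """Map every name in a directory to its SFN (or None), in creation order."""
    taken = set()
    return {lfn: make_sfn(lfn, taken) for lfn in lfns_in_creation_order}
```

Feeding a web root's real file list through directory_sfns shows exactly which aliases an enumeration would expose, before any request reaches the server.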
IIS SFN Disclosure History
• When SFN is enabled, IIS discloses SFN by abusing DOS wildcards
• Initially could cause a temporary DoS (not an issue in 2023)
• Hard to remember but it was 2010…
• From Exploit-DB: https://www.exploit-db.com/exploits/19525
Bug || Feature
• It can be abused & has no use!
• Risk?
• INFO, worse than directory listing!
• Usefulness?
• Potential sensitive/vulnerable file disclosure
• fileupload.aspx → fileup~1.asp
• 2023_03_21.zip → 2023_0~1.zip
What’s Affected?
Defense Mechanisms
• Efforts to stop dangerous characters in URL
• Dangerous path characters: < > * % & : ?
• Worked for GET/POST/HEAD but not for DEBUG or OPTIONS
• Developers may need to disable them
• maxUrlSegments == 32 for the folder depth (was 200 back in 2010)
• Disable SFN creation in Windows (still enabled by default in 2023)
• Recreate all files/folders in the web folder
• Use the DOS commands to ensure they are gone
• Security via obscurity is not a solution!
• Code-assisted review assessments
• Periodic security tests by providing all file names
The SFN Disclosure Issue in a Nutshell
• Producing different HTTP responses using these vectors:
• DOS wildcard characters
• Asterisk: * → any number of characters
• TE*.A* can be te.a or test.aspx or teapot1234.ashx.bak
• Question mark: ? → exactly one character
• TE?.A?? can be tea.asp or ten.ant
• Tilde character + one digit character: ~1 to ~4
• Suffix (the magic pattern)
• /a.aspx , /~1.rem
• HTTP method:
• OPTIONS, DEBUG, POST, GET, FOOBAR
An Enumeration Example From IIS 10
• Let’s assume /path/testme1234.aspx exists
#   Method   URL Path                     Status  Notes
1   OPTIONS  /path/ID0NT3XIST*~1/~1.rem   200     Checking for non-existing files
2   OPTIONS  /path/*~1*/~1.rem            404     Checking for existing files
3   OPTIONS  /path/T*~1*/~1.rem           404     A file starts with T
4   OPTIONS  /path/U*~1*/~1.rem           200     No file starts with U
5   OPTIONS  /path/TD*~1*/~1.rem          200     The second letter is not D
6   OPTIONS  /path/TE*~1*/~1.rem          404     The second letter is E
7   OPTIONS  /path/TESTME~1.A*/~1.rem     404     The first extension letter is A
8   OPTIONS  /path/TESTME~1.B*/~1.rem     200     The first extension letter is NOT B
9   …        …                            …       Enumeration of remaining positions
10  OPTIONS  /path/TESTME~1.ASP/~1.rem    404     The TESTME~1.ASP SFN exists
Different Responses ✅
Automation
• [advert alert!] My old rusty but mighty tool in Java:
• https://github.com/irsdl/IIS-ShortName-Scanner
• The new Go ones:
• by @sw33tLie: https://github.com/sw33tLie/sns
• A private one by @bitquak, hopefully to be released soon
• The new Burp extension:
• By @cyberaz0r: https://github.com/cyberaz0r/Burp-IISTildeEnumerationScanner
IIS ShortName Scanner Configuration File
• https://github.com/irsdl/IIS-ShortName-Scanner/blob/master/release/config.xml
• Customise it for your target
• Useful settings:
• Enabling HTTP proxy for debugging or special cases
• Headers and cookies (for authentication)
• Changing detection vectors (method, suffix, wildcards)
• Repeating requests to increase accuracy
• Adjustable body differences & thresholds to increase detection rate
Manual Checks in 2023 – Part 1
• Try different detection vectors and combine them
• Method: OPTIONS, Suffix: /~1/.rem
• Change HTTP method to POST or DEBUG or GET or PATCH
• Change the suffix to /~1.rem or /~1.aspx or /~1.svc or /~1.soap
Manual Checks in 2023 – Part 2
• What if wildcards are somehow blocked?
1. Confirming Existence of a LFN
• Target files/dirs which do exist – web.config or aspnet_client or default.aspx
#   Method   URL Path                    Status  Notes
1   OPTIONS  /path/ID0NT3XIST/~1.rem     200     Checking for non-existing files
2   OPTIONS  /path/web.config/~1.rem     404     Checking for existing files
2. Confirming Existence of its SFN
#   Method   URL Path                    Status  Notes
3   OPTIONS  /path/ID0NT3XIST~1/~1.rem   200     Checking for non-existing files
4   OPTIONS  /path/web~1.con/~1.rem      404     Checking for existing files
5   POST     /path/ID0NT3XIST~1/~1.rem   500     Checking for non-existing files
6   POST     /path/web~1.con/~1.rem      404     Checking for existing files
Tips & Tricks
• Do not rely only on response status code → compare the whole response
• Do not confuse Kestrel or HTTP.SYS with IIS
• Recent .NET versions 6/7/Core might be on Kestrel
• Web Forms using .NET Framework
• .NET pages can be served with or without extensions (RouteConfig.RegisterRoutes(RouteTable.Routes) in the global.asax)
• Won’t work on virtual files or IIS virtual / app paths
• Wildcards can be replaced:
• * == <
• ? == >
• " == .
• URL encoding can be important
• WAFs can cause anomalies → add necessary headers, change the vectors
• Space and period can be used as padding
Example 1 – Looking at a Normal Web Directory
java -jar iis_shortname_scanner.jar 2 20 http://victim.com/webform/ config-test.xml
Example 2 – Looking at a Restricted Dir Using ADS
• Use ::$index_allocation or :$i30:$index_allocation for restricted folders
• Example: /webform/bin::$index_allocation/
• Tip: escape $ in PowerShell
• Bonus: Try manual file detection vectors with ::$DATA or ::$bitmap
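The defender's side of the vectors described above: an added Python example (not from the talk or any tool it lists) that scans IIS W3C log lines for the wildcard, tilde-digit, magic-suffix and ADS patterns and reports clients that issued a run of such probes. The log lines, IP addresses and field order are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Field order assumed for the constructed sample below (IIS W3C extended
# format; IIS writes '+' for spaces inside fields such as the user agent).
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status "
          "time-taken").split()

# Constructed sample log (made up for this example, not a real server's):
# one ordinary visitor and one client walking the talk's enumeration vectors.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-06-15 10:00:01 10.0.0.5 GET /webform/default.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 12
2023-06-15 10:00:02 10.0.0.5 OPTIONS /webform/ID0NT3XIST*~1/~1.rem - 443 - 203.0.113.9 curl/8.0 - 200 0 0 3
2023-06-15 10:00:02 10.0.0.5 OPTIONS /webform/*~1*/~1.rem - 443 - 203.0.113.9 curl/8.0 - 404 0 0 3
2023-06-15 10:00:03 10.0.0.5 OPTIONS /webform/T*~1*/~1.rem - 443 - 203.0.113.9 curl/8.0 - 404 0 0 2
2023-06-15 10:00:04 10.0.0.5 OPTIONS /webform/TESTME~1.A%3C/~1.rem - 443 - 203.0.113.9 curl/8.0 - 404 0 0 2
2023-06-15 10:00:05 10.0.0.5 POST /webform/web~1.con/~1.rem - 443 - 203.0.113.9 curl/8.0 - 404 0 0 2
2023-06-15 10:00:06 10.0.0.5 OPTIONS /webform/bin::$index_allocation/*~1*/~1.rem - 443 - 203.0.113.9 curl/8.0 - 404 0 0 2
2023-06-15 10:00:07 10.0.0.5 GET /webform/reports/q1~2023.pdf - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 40
"""

WILDCARD = re.compile(r'[*?<>"]')                 # DOS wildcards and their <, >, " stand-ins
TILDE_DIGIT = re.compile(r"~\d")                  # the ~1..~4 marker of an 8.3 alias
MAGIC_SUFFIX = re.compile(r"^~\d(\.\w{1,5})?$")   # trailing /~1.rem, /~1.aspx, /~1 ...
ADS = re.compile(r"::\$(?:index_allocation|data|bitmap)|:\$i30:", re.IGNORECASE)
PROBE_METHODS = {"OPTIONS", "DEBUG"}              # methods the URL character filter does not cover


def parse_w3c(line: str):
    """Split one W3C log line into a dict; None for comments and malformed lines."""
    parts = line.split()
    if not parts or line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def probe_indicators(method: str, stem: str) -> set:
    """Tag the traits of a short-name probe found in one request.
    An empty set means the request looks ordinary."""
    stem = unquote(stem)               # '?' must be sent as %3F; '<' may stand in for '*'
    segs = [s for s in stem.split("/") if s]
    tags = set()
    if ADS.search(stem):
        tags.add("ads-stream")         # ::$index_allocation on a restricted folder
    if segs and MAGIC_SUFFIX.match(segs[-1]):
        tags.add("magic-suffix")
        segs = segs[:-1]
    for seg in segs:
        if TILDE_DIGIT.search(seg):
            if WILDCARD.search(seg):
                tags.add("tilde-wildcard")       # e.g. T*~1*
            elif "magic-suffix" in tags:
                tags.add("tilde-probe")          # e.g. web~1.con/~1.rem, no wildcard
    if tags and method.upper() in PROBE_METHODS:
        tags.add("probe-method")
    return tags


def find_enumeration(log_text: str, threshold: int = 3) -> dict:
    """Count probe-like requests per client IP and return those reaching the
    threshold: one odd request is noise, a run of them is an enumeration."""
    per_ip = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_w3c(line)
        if rec and probe_indicators(rec["cs-method"], rec["cs-uri-stem"]):
            per_ip[rec["c-ip"]] += 1
    return {ip: n for ip, n in per_ip.items() if n >= threshold}
```

A plain file name containing ~ and a digit (q1~2023.pdf above) is not flagged on its own; only the combination with wildcards, the magic suffix or an ADS stream counts.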
From SFN to Real File Name
• Many have tackled this differently
• Search in the target sitemap
• Combine words, use the target’s naming convention
• Identify potential multi words or patterns
• Search in Google
• Use file/folder word-lists (Google BigQuery?)
• Use words from a localised dictionary
• Use AI!
• Tools?
• By Arthur Dugon: https://github.com/0xRTH/IISRecon/
• By @cyberaz0r: https://github.com/cyberaz0r/Burp-IISTildeEnumerationScanner
A Simple ChatGPT Prompt for SFN to LFN
• Prompt:
I have a list of Windows Short File Names (SFN) from an ASP.NET application
directory. Try to guess 20 potential Long File Names (LFN) based on the SFNs I am
giving you. I will start after this prompt. Your response should only include the file
names without any explanation. Sort them by likelihood.
LFN must start with the first 6 letters of the SFN. Only use one extension. Do not
include the responses with an increasing number in the end.
The SFN may contain two words, try to recognize the prefix and its suffix. Do not
complete the prefix, only suffix. Keep the prefix as is.
Try to match the short extension with its long extension format using file extensions
generally used by an ASP.NET application.
ChatGPT Example 1:
Fileup~1.ASH 😊
ChatGPT Example 2:
GENERR~1.ASP 🫤
Edge Case: Revealing a Special LFN with ~DIGIT
• Created randomly by a system
• Created by controlling part of a generated file name
• Useful when file location is known but file name is not
UnknownRandomPrefix_UserControlled~31337Foo_UnknownSuffix.html
Short Name → UNKNOW~1.TXT BUT the LFN can be enumerated thanks to ~3
• One digit character after tilde is enough
• The digit can be 0 to 9
• The + sign and higher-ASCII characters cannot be enumerated → use ?
Enumerating a Real Name with a ~DIGIT
• ? needs to be URL-Encoded, Method: OPTIONS, Suffix: /~1.rem
• UnknownRandomPrefix_UserControlled~31337Foo_UnknownSuffix.html
#   URL Path                                Status  Notes
1   ???????*~1*                             200     7 question marks, not a LFN with ~1
2   ???????*~3*                             404     7 question marks, a LFN with ~3
3   T??????*~3*                             200     The LFN does not start with T
4   U??????*~3*                             404     A LFN starts with U
5   …                                       …       Enumeration
6   UnknownRandomPrefix_User*~3*Foo*.html   404     Revealing part of the LFN
…   …                                       …       Enumeration
Thank You!
Twitter: @irsdl

Editor's Notes

  1. Hi everyone, thank you for joining me and NahamCon to watch this presentation.
  2. My name is Soroush Dalili, I live and work in the UK. I'm a pentester and a bug bounty hunter. I specialise in web application security, but I also enjoy finding vulnerabilities in all kinds of applications. To make my daily tasks easier, I sometimes create small tools. You might have heard of some of them, such as Burp Suite Sharpener or IIS Short Name Scanner. I have also been one of the judges of the top 10 web hacking techniques for a few years now. My journey into security began in the early 2000s when I was an ASP classic developer. This is perhaps where my love of IIS comes from.
  3. Today I will start with an introduction on what short and long file names are in Windows, then I will continue by explaining the IIS Short File Name Disclosure automatically and manually. Hopefully after this presentation, you can use a simple web proxy to identify an IIS Short File Name disclosure issue manually. In the end, I will mention some methods to guess the long file names using their short version. I will also talk about a special case when the whole long file name can be enumerated using IIS!
  4. Originally, FAT file systems were limited and could only support short names. Short file or directory names contain a maximum of 8 characters in their name and, if there is an extension, they need a dot followed by a maximum of 3 characters as the extension. So in total their maximum length was 12 characters. SFNs are case insensitive (characters are uppercase), they only contain alphanumeric and some special characters, there is no space and they should only contain one dot character followed by an extension.
  5. With the introduction of VFAT, Windows started supporting long file names from Windows 95. In NTFS, short file names are not needed anymore but they are still created by Windows for backwards compatibility when file names do not follow the short file name rules, for example when they are long, contain unsupported characters or have more than one dot.
  6. In order to create short file names for incompatible file names, Windows follows certain rules. Short names normally start with the first 6 characters of the real file name, followed by a tilde character, followed by a number. If it has an extension, the first 3 characters of the extension will be included after a dot character. It also removes disallowed characters and additional dot or space characters. It also changes the + sign to an underscore. If a short name equivalent already exists for another file, it increases the number after the tilde character. If you want to see the created short names in Windows, you can use the dir /x or dir /-n commands to view them.
  7. As you can guess, many long names might have the same short names due to the limited space. Before Windows 2000, Windows allowed the number after the tilde character to go as high as 9, but since Windows 2000 this has been limited to 4. The question is, what would happen if there are more than 4 files with the same short name now that Windows does not use ~5? The formula for making the short name changes: it uses the first two characters of the file name followed by 4 hex characters made by an algorithm. If the filename only has 1 character, it will use that 1 character instead of 2 characters. The hex algorithm has been explored by Thomas Galvin and you can read about it if you are interested. I also recommend reading these resources and following their references if you want to go deeper.
  8. Here is where the fun begins: IIS can disclose short file names using DOS wildcard characters. I initially reported this issue to Microsoft back in 2010, and it still works. Back then, you could also cause a temporary denial of service by causing many file reads with a single request, but that’s not an issue as of today.
  9. Before we go any further, let’s discuss how we can secure it so the boring stuff will be over! Since the initial report, Microsoft has made some efforts, perhaps indirectly, to stop this and similar attacks by disallowing the use of wildcard characters in the URL. But this solution only works for the GET/POST/HEAD HTTP methods, so using the DEBUG or OPTIONS method you can still exploit it. Also, sometimes developers need to allow all characters to be included in the URL for their special application to work. Microsoft also limited the number of directories in the URL to 32 to stop the temporary denial of service attack, which is a good solution. It is not recommended to increase the default value, and perhaps it is better to even decrease it further. It is also recommended to disable short file name creation in Windows before creating the website there. But the real issue when you find a vulnerable file is not the disclosure of short names. The vulnerability stays even if you do not disclose the file names. It is therefore recommended to have security tests!
  10. Here is how IIS short file name disclosure works. We need a number of ingredients for the attack to work: first we want to use wildcard characters to enumerate the short names, we also need to use a tilde character followed by 1 to 4, we then need to append a suffix to the URL so IIS responses would start changing, and we also need to use an appropriate HTTP method.
  11. If you are using my IIS Shortname Scanner, I really recommend you to have a look at its config.xml file, as you probably need to customize it for your target. For example, you can add cookies or additional required headers, or you can use it to debug the tool. You can also change its accuracy according to your target to prevent some false positives or true negatives.
  12. If you want to check this manually, here is how I would do it. I choose several methods and several suffixes, as you can see in this slide, to target a short file name that should exist and one that should not exist. If the response changes, then I have a winner.
  13. You can automate this yourself using Burp Intruder. For a simple case, you need to use the cluster bomb attack type and set the payload positions for the HTTP method, path, and the suffix. You can then identify differences in responses.
  14. Or if you are like me and would like to create hundreds of colorful repeater tabs, then you can do it all manually for different cases!
  15. Sometimes things do not follow the normal rules. When I face some difficulties or restrictions, I try to use long file names that I know may actually exist to see whether there is a short name for them. Use of the OPTIONS method with a suffix without a wildcard also works on a long file name, so we can use it to detect whether or not a long file name actually exists. We cannot enumerate them due to the lack of wildcards though. When we have a confirmation that a long file name exists, we can then try to see whether a short file name has been created for it without a wildcard. If we know the system is still making short file names, fingers crossed, we can then try harder to find a potential method to use the wildcards again.
  16. Here are some tips and tricks that I would like to share with you. First of all, do not only rely on the HTTP response status code; compare the whole response, as the smallest changes such as additional headers or something in the body might be a key for enumeration. Kestrel and the HTTP.sys driver are not affected, so do not confuse them with IIS. ASP pages can be served without extensions – mind that when trying to find the real file name. The disclosure issue only affects physical files, so virtual files or virtual and application IIS paths cannot be enumerated. Wildcards can be replaced with some other characters if they are not allowed. You may or may not need URL encoding; the ? mark should always be URL encoded though. Mind the WAFs as they can cause anomalies. Space and period at the end of file or directory names in Windows can be considered as padding, which may come in handy sometimes.
  17. Here is how I normally run the IIS short name scanner tool. 2 here means that it will show me the outputs as it goes and 20 is the number of threads. I don’t recommend setting it to a high number as it often can create false results. The third argument is the website URL with the path you want to scan. Finally the config file is passed as the last argument; it will be ignored if you don’t specify it.
  18. As the second example, I thought to show you how IIS can disclose short names even from a restricted path. We will get an error if we want to access anything inside the Bin directory, as we should, otherwise the application’s source code could be disclosed. However, it is still possible to get the list of short names from the bin directory using ::$index_allocation or its equivalent alternate data stream. Although we still cannot download anything from the Bin directory, it may help us a little bit to understand what libraries might have been used by the web application. Also remember to escape the $ sign if, for example, you are using PowerShell to run your tools. Other alternate data streams can also be used, but there is no real benefit if you can detect the files even without them.
  19. Now that we have got a list of short names, how can we find the real file names as that is the final goal. People have approached this differently. Here are some common methodologies that we can use. It is often possible to guess the real names if we have already crawled the website and have some of its contents, search the sitemap for the start of the files to see if you can get a hit. This is also useful to see the website’s naming convention to see whether files normally end with a suffix or follow a specific pattern. Most long file names contain multiple words so try to mix them with other words that are common. For example, if you have tried fileupload.aspx and fileuploader.aspx, try fileuploadmanager.aspx as well. Use word lists or dictionaries. If a website is in a different language, you may need to include those words as well. The new hot topic is to use AI to complete the files! I have also included 2 tools here which might be useful although I haven’t tried them yet myself.
  20. Now here is an example where ChatGPT did not provide me with good answers using my prompt. My short file name was generr~1.asp. I expected that Gen is a prefix for Err and ChatGPT would detect this, but it initially completed the prefix as well rather than keeping the first 6 characters the same. So Gen became General. The online browsing was also interesting: it kept the first 6 characters but it did not change Err to Error in any of them. We can still work with these results but it will require more filtering and changes.
  21. Back at MDSec a colleague of mine (Mohammad Salah) asked me what would happen if a file has the tilde character in it already. This gave me an idea and I realized that in very special cases we can enumerate the long file name and not just the short name using IIS. This is when a file has a ~ character followed by a number anywhere in the file name. The enumeration is exactly the same as before but we do not stop after finding the first 6 characters.
  22. Here I show how we can find the real file name when it contains a tilde character followed by a number. Let’s say we have tested the path already and we know it is vulnerable and some short file names exist. In order to find this special kind of long file name, we can use 7 question marks followed by the asterisk character and then a tilde character and a number from 0 to 9. As we have used 7 ? marks rather than 6, this should not work normally unless we have a special long file name with a ~ character and a digit in it. If we get a positive hit (in this case a 404), we can continue our enumeration as normal until the whole special file name is revealed. Unfortunately the job of finding the real file name can still be tricky if higher ASCII characters than 7F in hex or the + sign have been used.
  23. Thank you everyone for staying with us until this point. I hope this talk has been useful and you have enjoyed it.