Fixing the IIS tilde vulnerability

Try to scan for existing short filenames with fsutil:

  • fsutil 8dot3name scan /s /v E:\inetpub\wwwroot

And strip them if they are found:

  • fsutil 8dot3name strip /s /v E:\inetpub\wwwroot

Also, looking at the log with the empty magic part (magic part: ""), I wonder whether that could be a bug in the POC. This line in config.xml looks like it has an extra comma after /webresource.axd:

<entry key="magicFinalPartList">
 <![CDATA[\a.aspx,\a.asp,/a.aspx,/a.asp,/a.shtml,/a.asmx,/a.ashx,/a.config,/a.php,/a.jpg,/webresource.axd,,/a.xxx]]>
</entry>

I've asked the dev via Twitter about it, and he responded:

For rare cases in which no extensions were required. But, recently that has caused more problems only! I'll remove it now.

I removed it from the Config file. This was the 2nd complaint so it was the right time for this change.

So, it seems that you're safe now :)
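
The scan-then-strip procedure from the answer, as an added PowerShell example (not part of the original answer): it reports first, runs the strip in fsutil's test mode (/t), and only changes the volume when -Strip is passed. The -Strip switch, the log locations and the script layout are assumptions; the path is the one used above.

```powershell
# Added example: report first, test-mode strip second, real strip only with -Strip.
# Save as a .ps1 file and run from an elevated prompt.
param(
    [string]$Root = 'E:\inetpub\wwwroot',   # path from the answer above
    [switch]$Strip                          # hypothetical switch: without it nothing is changed
)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'fsutil 8dot3name needs an elevated session.'
}
if (-not (Test-Path -LiteralPath $Root -PathType Container)) {
    throw "Directory not found: $Root"
}

$volume  = [System.IO.Path]::GetPathRoot($Root).TrimEnd('\')   # e.g. E:
$scanLog = Join-Path $env:TEMP '8dot3-scan.log'                # assumed log locations
$testLog = Join-Path $env:TEMP '8dot3-strip-test.log'

# Show whether the volume still creates short names for new files.
# Stripping removes existing names only; it does not change this setting.
fsutil 8dot3name query $volume

# Read-only report of short names under the web root.
fsutil 8dot3name scan /s /l $scanLog /v $Root

# Same work as a real strip, but /t (test mode) leaves the names in place.
fsutil 8dot3name strip /t /s /l $testLog /v $Root
if ($LASTEXITCODE -ne 0) {
    throw "Test-mode strip exited with code $LASTEXITCODE; review $testLog before going further."
}

if ($Strip) {
    fsutil 8dot3name strip /s /v $Root
} else {
    Write-Host "No changes made. Review $scanLog and $testLog, then re-run with -Strip."
}
```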
