Microsoft IIS Tilde Vulnerability

This vulnerability is caused by the tilde character (~) with the old DOS 8.3 name convention (SFN) in a HTTP request. It allows a remote attacker to disclose file and folder names (that are not supposed to be accessible) under the web root. Attackers could find important files that are normally not accessible from the outside and gain intelligence about the application’s infrastructure.

What can happen?

Exploiting this vulnerability may cause the leakage of files containing sensitive information such as credentials, configuration files, maintenance scripts and other data.

Example of IIS tilde vulnerability

In the 8.3 naming convention:

- A file named examples.txt will be named EXAMPLES.TXT

- A file whose name is longer than 8 characters will be named with the 6 first letters followed by a ~ and an incrementing number.

- exampletest.txt will be named EXAMPL~1.txt

- Another file beginning with EXAMPL (for example examplefile.txt) will be named EXAMPL~2.TXT

An attacker can use HTTP GET requests to determine if a file is on a Microsoft IIS server. A Microsoft IIS server will respond with status code 400 if the file exists or 404 if the file does not exist on the server.

For a file named exampletest.txt, the attacker will send these requests to the server to know if the file is present or not on the server:

http:/example.com/*~1*/.aspx   
//Response: 404 
Valid: One or more file with short names are found in the server

http:/example.com/e*~1*/.aspx  
//Response: 404 
Valid: One or more files beginning with “e” are present on the server

http:/example.com/eb*~1*/.aspx 
//Response: 400
Invalid: There is no file whose  name starts with “eb” on the server

http:/example.com/ex*~1*/.aspx 
//Response: 404 
Valid: There is a file whose name starts with “ex”.

And so on. An attacker will iterate these requests until all interesting files and subdirectories are found.

Remediation

Discard all web requests using the tilde character and add a registry key named NtfsDisable8dot3NameCreation to HKLM\SYSTEM\CurrentControlSet\Control\FileSystem. Set the value of the key to 1 to mitigate all 8.3 name conventions on the server.