Sign-up

ID

VAR-200912-0321


CVE

CVE-2009-4444


TITLE

Microsoft IIS Vulnerabilities that allow third-party extension restrictions to be bypassed

Trust: 0.8

sources: JVNDB: JVNDB-2009-005239

DESCRIPTION

Microsoft Internet Information Services (IIS) 5.x and 6.x uses only the portion of a filename before a ; (semicolon) character to determine the file extension, which allows remote attackers to bypass intended extension restrictions of third-party upload applications via a filename with a (1) .asp, (2) .cer, or (3) .asa first extension, followed by a semicolon and a safe extension, as demonstrated by the use of asp.dll to handle a .asp;.jpg file. Microsoft IIS is prone to a security-bypass vulnerability. This vulnerability may cause IIS to interpret unexpected files as CGI applications. Attackers may be able to exploit this vulnerability to bypass intended security restrictions. UPDATE (December 25, 2009): Reports indicate that IIS 7.5 is not vulnerable to this issue. Furthermore, it is currently unknown whether IIS 7.0 is vulnerable. UPDATE (December 29, 2009): Reports indicate that IIS 5.0 SP1 under Windows XP SP 3 and IIS 7.0 under Windows Server 2008 are not affected. NOTE: This BID is being retired. For an exploit to succeed, IIS must be configured in a nondefault way and contrary to the vendor's recommended best practices. ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Microsoft IIS ASP Multiple Extensions Security Bypass SECUNIA ADVISORY ID: SA37831 VERIFY ADVISORY: http://secunia.com/advisories/37831/ DESCRIPTION: Soroush Dalili has discovered a vulnerability in Microsoft Internet Information Services (IIS), which can be exploited by malicious people to potentially bypass certain security restrictions and compromise a vulnerable system. The vulnerability is caused due to the web server incorrectly executing e.g. ASP code included in a file having multiple extensions separated by ";", only one internal extension being equal to ".asp" (e.g. "file.asp;.jpg"). This can be exploited to potentially upload and execute arbitrary ASP code via a third-party application using file extensions to restrict uploaded file types. The vulnerability is confirmed on a fully patched Windows Server 2003 R2 SP2 running Microsoft IIS version 6. Other versions may also be affected. SOLUTION: Restrict file uploads to trusted users only. PROVIDED AND/OR DISCOVERED BY: Soroush Dalili ORIGINAL ADVISORY: http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.25

sources: NVD: CVE-2009-4444 // JVNDB: JVNDB-2009-005239 // BID: 79188 // BID: 37460 // PACKETSTORM: 84231

AFFECTED PRODUCTS

vendor:microsoftmodel:iisscope:eqversion:5.0

Trust: 1.2

vendor:microsoftmodel:internet information servicesscope:eqversion:5.0

Trust: 1.0

vendor:microsoftmodel:internet information servicesscope:eqversion:6.0

Trust: 1.0

vendor:microsoftmodel:iisscope:eqversion:6.0

Trust: 0.9

vendor:microsoftmodel:iisscope:eqversion:5.1

Trust: 0.9

vendor:microsoftmodel:iisscope:eqversion:5.x and 6.x

Trust: 0.8

vendor:microsoftmodel:iisscope:eqversion:5.06

Trust: 0.6

vendor:microsoftmodel:internet information serverscope:eqversion:6.0

Trust: 0.6

vendor:microsoftmodel:iisscope:eqversion:4.0

Trust: 0.3

vendor:microsoftmodel:iisscope:eqversion:3.0

Trust: 0.3

vendor:microsoftmodel:iisscope:eqversion:2.0

Trust: 0.3

vendor:microsoftmodel:iisscope:eqversion:1.0

Trust: 0.3

vendor:microsoftmodel:iisscope:neversion:7.5

Trust: 0.3

sources: BID: 79188 // BID: 37460 // JVNDB: JVNDB-2009-005239 // CNNVD: CNNVD-200912-381 // NVD: CVE-2009-4444

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-4444
value: MEDIUM

Trust: 1.0

NVD: CVE-2009-4444
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200912-381
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2009-4444
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2009-005239 // CNNVD: CNNVD-200912-381 // NVD: CVE-2009-4444

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-20

Trust: 0.8

sources: JVNDB: JVNDB-2009-005239 // NVD: CVE-2009-4444

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200912-381

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-200912-381

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2009-005239

PATCH
title:New Reports of a Vulnerability in IISurl:http://blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2009-005239

EXTERNAL IDS
db:NVDid:CVE-2009-4444
Trust: 2.7
db:BIDid:37460
Trust: 2.2
db:SECTRACKid:1023387
Trust: 1.9
db:SECUNIAid:37831
Trust: 1.7
db:VUPENid:ADV-2009-3634
Trust: 1.6
db:JVNDBid:JVNDB-2009-005239
Trust: 0.8
db:CNNVDid:CNNVD-200912-381
Trust: 0.6
db:BIDid:79188
Trust: 0.3
db:PACKETSTORMid:84231
Trust: 0.1
sources:
            
            
            BID: 79188 // 
            
            
            
            BID: 37460 // 
            
            
            
            JVNDB: JVNDB-2009-005239 // 
            
            
            
            PACKETSTORM: 84231 // 
            
            
            
            CNNVD: CNNVD-200912-381 // 
            
            
            
            NVD: CVE-2009-4444

REFERENCES
url:http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf
Trust: 2.3
url:http://blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx
Trust: 2.2
url:http://securitytracker.com/id?1023387
Trust: 1.9
url:http://www.securityfocus.com/bid/37460
Trust: 1.9
url:http://secunia.com/advisories/37831
Trust: 1.6
url:http://www.vupen.com/english/advisories/2009/3634
Trust: 1.6
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-4444
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-4444
Trust: 0.8
url:http://blog.metasploit.com/2009/12/exploiting-microsoft-iis-with.html
Trust: 0.3
url:http://www.microsoft.com/windowsserver2003/iis/default.mspx
Trust: 0.3
url:http://blogs.iis.net/nazim/archive/2009/12/29/public-disclosure-of-iis-security-issue-with-semi-colons-in-url.aspx
Trust: 0.3
url:http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx
Trust: 0.3
url:/archive/1/508620
Trust: 0.3
url:/archive/1/508604
Trust: 0.3
url:/archive/1/508638
Trust: 0.3
url:http://secunia.com/advisories/37831/
Trust: 0.1
url:http://secunia.com/advisories/secunia_security_advisories/
Trust: 0.1
url:http://secunia.com/advisories/business_solutions/
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/advisories/about_secunia_advisories/
Trust: 0.1
sources:
            
            
            BID: 79188 // 
            
            
            
            BID: 37460 // 
            
            
            
            JVNDB: JVNDB-2009-005239 // 
            
            
            
            PACKETSTORM: 84231 // 
            
            
            
            CNNVD: CNNVD-200912-381 // 
            
            
            
            NVD: CVE-2009-4444

CREDITS
Soroush Daliliā€» Irsdl@yahoo.com
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-200912-381

SOURCES
db:BIDid:79188
db:BIDid:37460
db:JVNDBid:JVNDB-2009-005239
db:PACKETSTORMid:84231
db:CNNVDid:CNNVD-200912-381
db:NVDid:CVE-2009-4444

LAST UPDATE DATE
2025-04-10T23:02:56.450000+00:00

SOURCES UPDATE DATE
db:BIDid:79188date:2009-12-29T00:00:00
db:BIDid:37460date:2009-12-29T21:42:00
db:JVNDBid:JVNDB-2009-005239date:2012-09-25T00:00:00
db:CNNVDid:CNNVD-200912-381date:2020-11-24T00:00:00
db:NVDid:CVE-2009-4444date:2025-04-09T00:30:58.490

SOURCES RELEASE DATE
db:BIDid:79188date:2009-12-29T00:00:00
db:BIDid:37460date:2009-12-23T00:00:00
db:JVNDBid:JVNDB-2009-005239date:2012-09-25T00:00:00
db:PACKETSTORMid:84231date:2009-12-29T10:23:50
db:CNNVDid:CNNVD-200912-381date:2009-12-29T00:00:00
db:NVDid:CVE-2009-4444date:2009-12-29T21:00:24.327