IIS Shortname Vulnerability

Adrian Jenkins
Jan 23, 2023

What are 8.3 File Names?

An 8.3 filename[1] (also called a short filename or SFN) is a filename convention used by old versions of DOS and versions of Microsoft Windows prior to Windows 95 and Windows NT 3.5. It is also used in modern Microsoft operating systems as an alternate filename to the long filename for compatibility with legacy programs […]

These names must adhere to the following:

  • An 8.3 filename MUST only contain characters that can be represented in ASCII, in the range below 0x80.
  • An 8.3 filename MUST NOT contain the “ “ space character.
  • An 8.3 filename MUST NOT contain more than one “.” period character.
  • The general form of a valid 8.3 filename is a base filename, optionally followed by the “.” period character and a filename extension
  • The base filename MUST be 1–8 characters in length and MUST NOT contain a “.” period character.
  • The filename extension, if present, MUST be 1–3 characters in length and MUST NOT contain a “.” period character.

Why Should We Care?

This vulnerability discloses the first six characters of a file or directory name and the first three characters of its extension.

The idea is that if you request something like this:

/file*~1*/.aspx

and a file called “fileone.aspx” does in fact exist, the server replies with 404. You now know there is something that starts with “file”.

In the next request, you guess the next letter:

/filen*~1*/.aspx

The idea is simple: if the server returns 404, you are on the right track. If the server returns 400 (it could be another status code, depending on the IIS version), you guessed the wrong character.
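On the defensive side, this guessing pattern is visible in the IIS logs: one client requests many URLs with a wildcard next to “~1” and gets a mix of 404 and 400 answers. The Python sketch below is an added example, not code from the original post or from the scanner project; the log lines are constructed, and the field list, the function names and the min_probes threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not from the original post); 203.0.113.7 walks
# the guess sequence described above, 198.51.100.20 is ordinary traffic.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2023-01-23 15:21:40 GET /index.html 198.51.100.20 200
2023-01-23 15:21:41 GET /file*~1*/.aspx 203.0.113.7 404
2023-01-23 15:21:41 GET /filea*~1*/.aspx 203.0.113.7 400
2023-01-23 15:21:41 GET /filet*~1*/.aspx 203.0.113.7 404
2023-01-23 15:21:42 DEBUG /fileth%2A~1%2A/.aspx 203.0.113.7 404
2023-01-23 15:21:43 GET /~user/home.html 198.51.100.20 404
"""

# A wildcard touching "~<digit>" is the short-name probe shape (e.g. *~1*).
PROBE = re.compile(r"[*?]~\d|~\d[*?]")

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_shortname_probing(text, min_probes=3):
    """Return {client_ip: summary} for clients sending repeated short-name probes."""
    per_client = defaultdict(lambda: {"probes": 0, "statuses": set()})
    for row in parse_w3c(text):
        stem = unquote(row.get("cs-uri-stem", ""))  # catch %2A-encoded wildcards
        if PROBE.search(stem):
            entry = per_client[row["c-ip"]]
            entry["probes"] += 1
            entry["statuses"].add(row["sc-status"])
    # "leaking" is True when the answers differ, i.e. the guessing can work.
    return {
        ip: {"probes": e["probes"], "statuses": sorted(e["statuses"]),
             "leaking": len(e["statuses"]) > 1}
        for ip, e in per_client.items() if e["probes"] >= min_probes
    }

if __name__ == "__main__":
    print(find_shortname_probing(SAMPLE_LOG))
```

A client that is reported with "leaking" set to False is still probing, but every guess received the same status code.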

How To Scan For 8dot3 File Names?

Dir Command

Here, we have several options.

First, you can use any of the following commands:

rem Show long and short names in the current directory
dir /x
rem Show only short names in the current directory
dir /-n

Example “dir /x”:

C:\sites\Site02>dir /x

Directory of C:\sites\Site02

01/23/2023 02:39 PM <DIR> .
01/23/2023 02:38 PM <DIR> ..
01/23/2023 02:36 PM 0 FILE~1.ASP file.aspx
01/23/2023 02:36 PM 0 FILETH~1.ASP fileThree.aspx
01/23/2023 02:36 PM 0 FILETW~1.ASP fileTwo.aspx
01/23/2023 02:39 PM 11 INDEX~1.HTM index.html
01/19/2023 03:43 PM 120 VARS~1.ASP vars.aspx
5 File(s) 131 bytes
2 Dir(s) 86,635,954,176 bytes free

Example “dir /-x”:

C:\sites\Site02>dir /-x

Directory of C:\sites\Site02

01/23/2023 02:39 PM <DIR> .
01/23/2023 02:38 PM <DIR> ..
01/23/2023 02:36 PM 0 FILE~1.ASP file.aspx
01/23/2023 02:36 PM 0 FILETH~1.ASP fileThree.aspx
01/23/2023 02:36 PM 0 FILETW~1.ASP fileTwo.aspx
01/23/2023 02:39 PM 11 INDEX~1.HTM index.html
01/19/2023 03:43 PM 120 VARS~1.ASP vars.aspx
5 File(s) 131 bytes
2 Dir(s) 86,635,581,440 bytes free

Fsutil Tool

Command:

fsutil 8dot3name scan /s /v <LOCATION>

Example:


C:\Users\azureuser>fsutil 8dot3name scan /s /v C:\sites\Site01
Scanning registry...
Registry Data Registry Key Path
------------------------------------------------------------------------------- ------------------------------------------

Total affected registry keys: 0

Scanning 8dot3 names...

8dot3 Name FileId Full Path
------------- ------------------- -------------------------------------------------------------------------------------
FILE~1.ASP 0x300000001a1f7 "C:\sites\Site01\file.aspx"
FILETH~1.ASP 0x300000001a1fa "C:\sites\Site01\fileThree.aspx"
FILETW~1.ASP 0x300000001a200 "C:\sites\Site01\fileTwo.aspx"
INDEX~1.HTM 0x400000001a229 "C:\sites\Site01\index.html"
VARS~1.ASP 0x300000001a1f1 "C:\sites\Site01\vars.aspx"

Total files and directories scanned: 5
Total 8dot3 names found: 5
Total 8dot3 names stripped: 0

For details on the operations performed please see the log:
"C:\Users\AZUREU~1\AppData\Local\Temp\2\8dot3_removal_log @(GMT 2023-01-23 16-06-18).log"

IIS Scanner

We can also use the IIS Short Name (8.3) Scanner from this GitHub repository. You will need to install Java.

Go to the “release” folder and open “run.bat”.

Enter the target, in my case “http://localhost”.

What is the target (e.g. http://localhost:8080/folder/)? http://localhost
Do you want to use a new config file [Y=Yes, Anything Else=No]? no
Do you want to only verify whether or not the target is vulnerable without scanning it thoroughly [Y=Yes, Anything Else=No]? no
Scan Mode [0=Show final results only, 1=Show final results step by step, 2=Show Progress (default)]?
Number of threads [0-50 (20 default)]?
magicFileName: *~1*
requestMethodDelimiter: ,
requestMethod: DEBUG,OPTIONS,GET,POST,HEAD,TRACE
nameStartsWith:
extStartsWith:
hassleFree: true
cookies: IIS_Tilde_Scanner=1;
outputFile: iis_shortname_scanner_logfile.txt
proxyServerName:
acceptableDifferenceLengthBetweenResponses: 10
proxyServerPort:
magicFinalPartList: \a.aspx,\a.asp,/a.aspx,/a.asp,/a.shtml,/a.asmx,/a.ashx,/a.config,/a.php,/a.jpg,/webresource.axd,/a.xxx
headersDelimiter: @@
saveOutput: false
maxNumericalPart: 3
headers: X-Forwarded-For: 127.0.0.1@@X-Originating-IP: 127.0.0.1@@X-Cluster-Client-Ip: 127.0.0.1
useProvidedURLWithoutChange: false
debug: false
maxConnectionTimeOut: 20000
magicFinalPartDelimiter: ,
forceNumericalPart: 1
userAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
inScopeCharacters: ETAONRISHDLFCMUGYPWBVKJXQZ0123456789_-$~()&!#%'@^`{}
asteriskSymbol: *
showActualNames: true
maxRetryTimes: 10
maxDelayAfterEachRequest: 1
magicFileExtension: *
URLSuffix: ?&aspxerrorpath=/
questionMarkSymbol: ?

-- Current Configuration -- Begin
Scan Mode: ALL
Number of threads: 20
Config file: config.xml
Scanner version: 2.4
-- Current Configuration -- End
Max delay after each request in milliseconds = 1
No proxy has been used.

Scanning...

Testing request method: "DEBUG" with magic part: "\a.aspx" ...
File: WEB~1.CON
File: FILE~1.ASP
Dir: ASPNET~1
File: FILETH~1.ASP
File: VARS~1.ASP
File: FILETW~1.ASP

# IIS Short Name (8.3) Scanner version 2.4 - scan initiated 2023/01/23 15:21:40
Target: http://localhost/
|_ Result: Vulnerable!
|_ Used HTTP method: DEBUG
|_ Suffix (magic part): \a.aspx
|_ Extra information:
|_ Number of sent requests: 581
|_ Identified directories: 1
|_ ASPNET~1
|_ Identified files: 5
|_ FILETH~1.ASP
|_ FILETW~1.ASP
|_ FILE~1.ASP
|_ Actual file name = FILE
|_ VARS~1.ASP
|_ Actual file name = VARS
|_ WEB~1.CON
|_ Actual file name = WEB

Finished in: 2 second(s)

Press ENTER to quit...

Great, we now know how to scan our directories for short file names.

Now we need to remediate this vulnerability.

Remediating 8.3 File Names Vulnerability

According to this repo, Microsoft will not patch this issue:

Thank you for contacting the Microsoft Security Response Center.  

We appreciate your bringing this to our attention. Our previous guidance stands: deploy IIS with 8.3 names disabled.

What they recommend is to deploy IIS with 8.3 names disabled.

This can be done with the following registry value:

Key:   HKLM\SYSTEM\CurrentControlSet\Control\FileSystem
Name:  NtfsDisable8dot3NameCreation
Value: 1

There are a couple of ways in which we can ‘fix’ this issue.

Let us try the first one.

NtfsDisable8dot3NameCreation Registry

This key can have the following values:

  • 0 => Enable 8dot3 name creation on all volumes.
  • 1 => Disable 8dot3 name creation on all volumes.
  • 2 => Set 8dot3 name creation per volume using FSUTIL (Windows 7 or later).
  • 3 => Disable 8dot3 name creation on all volumes except the system volume (Windows 7 or later).

The recommended value is “1”.

Set it to “1”.

We should no longer have short file names.

Let us test!


C:\Users\azureuser>cd C:\inetpub\wwwroot

C:\inetpub\wwwroot>dir /x

Directory of C:\inetpub\wwwroot

01/23/2023 02:37 PM <DIR> .
01/23/2023 02:35 PM <DIR> ..
01/20/2023 01:03 PM <DIR> ASPNET~1 aspnet_client
01/23/2023 02:36 PM 0 FILE~1.ASP file.aspx
01/23/2023 02:36 PM 0 FILETH~1.ASP fileThree.aspx
01/23/2023 02:36 PM 0 FILETW~1.ASP fileTwo.aspx
01/23/2023 02:35 PM <DIR> folder
01/11/2023 09:49 PM 703 iisstart.htm
01/11/2023 09:49 PM 99,710 iisstart.png
01/19/2023 03:43 PM 120 VARS~1.ASP vars.aspx
01/20/2023 12:44 PM 155 WEB~1.CON web.config
7 File(s) 100,688 bytes
4 Dir(s) 86,399,369,216 bytes free

Hmmm…

The scanner's GitHub repo has an important note:

Note: The web folder needs to be recreated, as the change to the NtfsDisable8dot3NameCreation registry entry affects only files and directories that are created after the change, so the files that already exist are not affected.

We need to recreate our folder(s)!

I will use “wwwroot” folder as an example.

  1. Make a copy of it.
  2. Rename the copy to “wwwrootNEW”.
  3. Rename “wwwroot” to “wwwrootOLD”.
  4. Rename “wwwrootNEW” to “wwwroot”.

At the end of the day, we just have to recreate the folder.

We no longer have short names:


C:\Users\azureuser>cd C:\inetpub\wwwroot

C:\inetpub\wwwroot>dir /-n


Directory of C:\inetpub\wwwroot

. <DIR> 01/23/2023 03:40 PM
.. <DIR> 01/23/2023 03:43 PM
aspnet_clien <DIR> 01/23/2023 02:35 PM
file asp 0 01/23/2023 02:36 PM
fileThreeasp 0 01/23/2023 02:36 PM
fileTwo asp 0 01/23/2023 02:36 PM
folder <DIR> 01/23/2023 03:40 PM
iisstart htm 703 01/11/2023 09:49 PM
iisstart png 99,710 01/11/2023 09:49 PM
vars asp 120 01/19/2023 03:43 PM
web con 155 01/20/2023 12:44 PM
7 File(s) 100,688 bytes
4 Dir(s) 86,398,124,032 bytes free

But let us test with the scanner:


# IIS Short Name (8.3) Scanner version 2.4 - scan initiated 2023/01/23 15:45:49
Target: http://localhost/
|_ Result: Not vulnerable or no item was found. It was not possible to get proper/different error messages from the server. Check the inputs and try again.
|_ Warning(s):
|_ Question mark character was blocked: you may have a lot of false positives. -> manual check is needed.
|_ File extensions could not be verified. you may have false positive results. -> manual check is needed.
|_ Extra information:
|_ Number of sent requests: 144

Finished in: 1 second(s)

Fsutil Tool 8dot3name

Command:

fsutil 8dot3name strip /s /v <LOCATION>

Example:



C:\Users\azureuser>fsutil 8dot3name strip /s /v C:\sites\Site01
Scanning registry...
Registry Data Registry Key Path
------------------------------------------------------------------------------- ------------------------------------------

Total affected registry keys: 0

Stripping 8dot3 names...

8dot3 Name FileId Full Path
------------- ------------------- -------------------------------------------------------------------------------------
FILE~1.ASP 0x300000001a1f7 "C:\sites\Site01\file.aspx"
FILETH~1.ASP 0x300000001a1fa "C:\sites\Site01\fileThree.aspx"
FILETW~1.ASP 0x300000001a200 "C:\sites\Site01\fileTwo.aspx"
INDEX~1.HTM 0x400000001a229 "C:\sites\Site01\index.html"
VARS~1.ASP 0x300000001a1f1 "C:\sites\Site01\vars.aspx"

Total files and directories scanned: 5
Total 8dot3 names found: 5
Total 8dot3 names stripped: 5

For details on the operations performed please see the log:
"C:\Users\AZUREU~1\AppData\Local\Temp\2\8dot3_removal_log @(GMT 2023-01-23 16-12-15).log"

Let us test with scanner!



# IIS Short Name (8.3) Scanner version 2.4 - scan initiated 2023/01/23 16:13:55
Target: http://localhost:8000/
|_ Result: Not vulnerable or no item was found. It was not possible to get proper/different error messages from the server. Check the inputs and try again.
|_ Warning(s):
|_ Question mark character was blocked: you may have a lot of false positives. -> manual check is needed.
|_ File extensions could not be verified. you may have false positive results. -> manual check is needed.
|_ Extra information:
|_ Number of sent requests: 144

Finished in: 1 second(s)

Press ENTER to quit...

Request Filtering Module

With this module we can block requests that contain the “~” character. This does not affect 8dot3 file name creation.

Open IIS Manager.

Select the site or the server level.

Open the Request Filtering module and go to the URL tab.

Deny the “~” character.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <requestFiltering>
                <denyUrlSequences>
                    <add sequence="~" />
                </denyUrlSequences>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

Test with scanner!

# IIS Short Name (8.3) Scanner version 2.4 - scan initiated 2023/01/23 16:20:52
Target: http://localhost:8001/
|_ Result: Not vulnerable or no item was found. It was not possible to get proper/different error messages from the server. Check the inputs and try again.
|_ Warning(s):
|_ Question mark character was blocked: you may have a lot of false positives. -> manual check is needed.
|_ File extensions could not be verified. you may have false positive results. -> manual check is needed.
|_ Extra information:
|_ Number of sent requests: 144

Finished in: 1 second(s)

Press ENTER to quit...

URL Rewrite Module

Same idea: block requests that contain the “~” character. This does not affect 8dot3 file name creation.

Requests that contain “~” will be blocked.

Again, this can be set at the site or the server level.

Open IIS Manager.

Select the site or the server level.

Open the URL Rewrite module.

Add Rule > Inbound Rule > Request blocking > Ok

  • Block access based on: URL Path.
  • Block request that: Matches the Pattern: \~
  • Using: Regular Expressions.
  • How to block: Abort Request.

Syntax:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="RequestBlockingRule1" stopProcessing="true">
                    <match url=".*" />
                    <conditions>
                        <add input="{URL}" pattern="\~" />
                    </conditions>
                    <action type="AbortRequest" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

Test with scanner!

# IIS Short Name (8.3) Scanner version 2.4 - scan initiated 2023/01/23 16:35:01
Target: http://localhost:8001/
|_ Result: Not vulnerable or no item was found. It was not possible to get proper/different error messages from the server. Check the inputs and try again.
|_ Warning(s):
|_ Question mark character was blocked: you may have a lot of false positives. -> manual check is needed.
|_ File extensions could not be verified. you may have false positive results. -> manual check is needed.
|_ Extra information:
|_ Number of sent requests: 1134

Finished in: 4 second(s)

Press ENTER to quit...
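Both tilde blocks above end up in web.config, so their presence can be checked offline across many sites. The Python check below is an added example, not part of the original post or of IIS; tilde_blocks and the sample strings are hypothetical names. It assumes a single web.config (no applicationHost.config inheritance), un-negated conditions on {URL} or {REQUEST_URI}, and it evaluates the rule patterns with Python's regex engine as an approximation of URL Rewrite's.

```python
import re
import xml.etree.ElementTree as ET

PROBE_URL = "/file*~1*/.aspx"  # request shape described in the article

# Constructed web.config bodies mirroring the two settings shown above.
FILTERING = """<configuration><system.webServer><security><requestFiltering>
  <denyUrlSequences><add sequence="~" /></denyUrlSequences>
</requestFiltering></security></system.webServer></configuration>"""
REWRITE = r"""<configuration><system.webServer><rewrite><rules>
  <rule name="RequestBlockingRule1" stopProcessing="true">
    <match url=".*" />
    <conditions><add input="{URL}" pattern="\~" /></conditions>
    <action type="AbortRequest" />
  </rule>
</rules></rewrite></system.webServer></configuration>"""

def tilde_blocks(web_config):
    """Return which of the two tilde-blocking controls a web.config enables."""
    ws = ET.fromstring(web_config).find("system.webServer")
    found = []
    if ws is None:
        return found
    # Request Filtering: a denied sequence that occurs in the probe URL
    deny = ws.iterfind("security/requestFiltering/denyUrlSequences/add")
    if any(a.get("sequence") and a.get("sequence") in PROBE_URL for a in deny):
        found.append("requestFiltering")
    # URL Rewrite: an enabled AbortRequest rule whose patterns all hit the probe
    for rule in ws.iterfind("rewrite/rules/rule"):
        action, match = rule.find("action"), rule.find("match")
        if rule.get("enabled", "true") == "false" or action is None or match is None:
            continue
        conds = rule.findall("conditions/add")
        # Only the simple rule shape is modelled (assumption of this sketch)
        simple = match.get("negate", "false") == "false" and all(
            c.get("input") in ("{URL}", "{REQUEST_URI}") and
            c.get("negate", "false") == "false" for c in conds)
        patterns = [match.get("url", "")] + [c.get("pattern", "") for c in conds]
        if simple and action.get("type") == "AbortRequest" and all(
                re.search(p, PROBE_URL, re.I) for p in patterns):
            found.append("urlRewrite")
            break
    return found

if __name__ == "__main__":
    print(tilde_blocks(FILTERING), tilde_blocks(REWRITE))
```

An empty result means neither block is configured in that file; as the article notes, either block leaves the existing 8dot3 names on disk.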
