Jan 23

9 min read

IIS Shortname Vulnerability

What are 8.3 File Names?

An 8.3 filename[1] (also called a short filename or SFN) is a filename convention used by old versions of DOS and versions of Microsoft Windows prior to Windows 95 and Windows NT 3.5. It is also used in modern Microsoft operating systems as an alternate filename to the long filename for compatibility with legacy programs […]

These names must adhere to the following:

An 8.3 filename MUST only contain characters that can be represented in ASCII, in the range below 0x80.
An 8.3 filename MUST NOT contain the “ “ space character.
An 8.3 filename MUST NOT contain more than one “.” period character.
The general form of a valid 8.3 filename is a base filename, optionally followed by the “.” period character and a filename extension
The base filename MUST be 1–8 characters in length and MUST NOT contain a “.” period character.
The base filename MUST be 1–8 characters in length and MUST NOT contain a “.” period character.
The filename extension, if present, MUST be 1–3 characters in length and MUST NOT contain a “.” period character.

What Should We Care?

This vulnerability will show the first six character of a file/directory name and the first three character of extension name.

The idea is that if you request something like this:

/file*~1*/.aspx

And you have in fact a file called “fileone.aspx”, the server would reply with 404. So, you now know there is a something that starts with “file”.

Next request you would guess the next letter.

 /filen*~1*/.aspx

The idea is simple, if server return 404 you are on the right track. If server returned 400 (could be another status code based on IIS version) you got the wrong character.

How To Scan For 8dot3 File Names?

Dir Command

Here, we have several options.

First, you can use any of the following commands:

dir /x # shows long and short names in present directory
dir /-n # shows only short names in present diretory

Example “dir /x”:

C:\sites\Site02>dir /x

 Directory of C:\sites\Site02

01/23/2023  02:39 PM    <DIR>                       .
01/23/2023  02:38 PM    <DIR>                       ..
01/23/2023  02:36 PM                 0 FILE~1.ASP   file.aspx
01/23/2023  02:36 PM                 0 FILETH~1.ASP fileThree.aspx
01/23/2023  02:36 PM                 0 FILETW~1.ASP fileTwo.aspx
01/23/2023  02:39 PM                11 INDEX~1.HTM  index.html
01/19/2023  03:43 PM               120 VARS~1.ASP   vars.aspx
               5 File(s)            131 bytes
               2 Dir(s)  86,635,954,176 bytes free

Example “dir /-x”:

C:\sites\Site02>dir /-x

 Directory of C:\sites\Site02

01/23/2023  02:39 PM    <DIR>                       .
01/23/2023  02:38 PM    <DIR>                       ..
01/23/2023  02:36 PM                 0 FILE~1.ASP   file.aspx
01/23/2023  02:36 PM                 0 FILETH~1.ASP fileThree.aspx
01/23/2023  02:36 PM                 0 FILETW~1.ASP fileTwo.aspx
01/23/2023  02:39 PM                11 INDEX~1.HTM  index.html
01/19/2023  03:43 PM               120 VARS~1.ASP   vars.aspx
               5 File(s)            131 bytes
               2 Dir(s)  86,635,581,440 bytes free

Fsutil Tool

Command:

fsutil 8dot3name scan /s /v <LOCATION>

Example:


C:\Users\azureuser>fsutil 8dot3name scan /s /v C:\sites\Site01
Scanning registry...
Registry Data                                                                     Registry Key Path
-------------------------------------------------------------------------------   ------------------------------------------

Total affected registry keys:                   0

Scanning 8dot3 names...

8dot3 Name      FileId                Full Path
-------------   -------------------   -------------------------------------------------------------------------------------
FILE~1.ASP      0x300000001a1f7       "C:\sites\Site01\file.aspx"
FILETH~1.ASP    0x300000001a1fa       "C:\sites\Site01\fileThree.aspx"
FILETW~1.ASP    0x300000001a200       "C:\sites\Site01\fileTwo.aspx"
INDEX~1.HTM     0x400000001a229       "C:\sites\Site01\index.html"
VARS~1.ASP      0x300000001a1f1       "C:\sites\Site01\vars.aspx"

Total files and directories scanned:            5
Total 8dot3 names found:                        5
Total 8dot3 names stripped:                     0

For details on the operations performed please see the log:
  "C:\Users\AZUREU~1\AppData\Local\Temp\2\8dot3_removal_log @(GMT 2023-01-23 16-06-18).log"

IIS Scanner

We also can use this GitHub repository. You will need to install download Java.

Go to “release” folder and open the “run.bat”.

Enter the target, in my case “http:localhost”.

What is the target (e.g. http://localhost:8080/folder/)? http://localhost
Do you want to use a new config file [Y=Yes, Anything Else=No]? no
Do you want to only verify whether or not the target is vulnerable without scanning it thoroughly [Y=Yes, Anything Else=No]? no
Scan Mode [0=Show final results only, 1=Show final results step by step, 2=Show Progress (default)]?
Number of threads [0-50 (20 default)]?
magicFileName: *~1*
requestMethodDelimiter: ,
requestMethod: DEBUG,OPTIONS,GET,POST,HEAD,TRACE
nameStartsWith:
extStartsWith:
hassleFree: true
cookies: IIS_Tilde_Scanner=1;
outputFile: iis_shortname_scanner_logfile.txt
proxyServerName:
acceptableDifferenceLengthBetweenResponses: 10
proxyServerPort:
magicFinalPartList: \a.aspx,\a.asp,/a.aspx,/a.asp,/a.shtml,/a.asmx,/a.ashx,/a.config,/a.php,/a.jpg,/webresource.axd,/a.xxx
headersDelimiter: @@
saveOutput: false
maxNumericalPart: 3
headers: X-Forwarded-For: 127.0.0.1@@X-Originating-IP: 127.0.0.1@@X-Cluster-Client-Ip: 127.0.0.1
useProvidedURLWithoutChange: false
debug: false
maxConnectionTimeOut: 20000
magicFinalPartDelimiter: ,
forceNumericalPart: 1
userAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
inScopeCharacters: ETAONRISHDLFCMUGYPWBVKJXQZ0123456789_-$~()&!#%'@^`{}
asteriskSymbol: *
showActualNames: true
maxRetryTimes: 10
maxDelayAfterEachRequest: 1
magicFileExtension: *
URLSuffix: ?&aspxerrorpath=/
questionMarkSymbol: ?

-- Current Configuration -- Begin
Scan Mode: ALL
Number of threads: 20
Config file: config.xml
Scanner version: 2.4
-- Current Configuration -- End
Max delay after each request in milliseconds = 1
No proxy has been used.

Scanning...

Testing request method: "DEBUG" with magic part: "\a.aspx" ...
File: WEB~1.CON
File: FILE~1.ASP
Dir: ASPNET~1
File: FILETH~1.ASP
File: VARS~1.ASP
File: FILETW~1.ASP

# IIS Short Name (8.3) Scanner version 2.4 - scan initiated 2023/01/23 15:21:40
Target: http://localhost/
|_ Result: Vulnerable!
|_ Used HTTP method: DEBUG
|_ Suffix (magic part): \a.aspx
|_ Extra information:
  |_ Number of sent requests: 581
  |_ Identified directories: 1
    |_ ASPNET~1
  |_ Identified files: 5
    |_ FILETH~1.ASP
    |_ FILETW~1.ASP
    |_ FILE~1.ASP
      |_ Actual file name = FILE
    |_ VARS~1.ASP
      |_ Actual file name = VARS
    |_ WEB~1.CON
      |_ Actual file name = WEB

Finished in: 2 second(s)

Press ENTER to quit...

Great, we now know how to scan our directories for short name file names.

Now we need to remediate this vulnerability.

Remediating 8.3 File Names Vulnerability

According to this repo Microsoft will not patch this issue:

Thank you for contacting the Microsoft Security Response Center.  

We appreciate your bringing this to our attention.  Our previous guidance stands: deploy IIS with 8.3 names disabled.

What they recommend is to deploy IIS with 8.3 names disabled.

This can be done with the following registry:

 Key:   HKLM\SYSTEM\CurrentControlSet\Control\FileSystem
 Name:  NtfsDisable8dot3NameCreation 
 Value:        1

There are a couple of ways in which we can ‘fix’ this issue.

Let us try the first one.

NtfsDisable8dot3NameCreation Registry

This key can have the following values:

0 => Enable 8Dot3 Creation on all Volume
1 => Disable 8Dot3 Creation on all Volumes.
2 => Set 8dot3 name creation per volume using FSUTIL (Windows 7 or later)
3 => Disable 8Dot3 name creation on all volumes except system volume (Windows 7 or later).

The recommended value is “1”.

Set it to “1”.

We should no longer have short name file names.

Let us test!


C:\Users\azureuser>cd C:\inetpub\wwwroot

C:\inetpub\wwwroot>dir /x

 Directory of C:\inetpub\wwwroot

01/23/2023  02:37 PM    <DIR>                       .
01/23/2023  02:35 PM    <DIR>                       ..
01/20/2023  01:03 PM    <DIR>          ASPNET~1     aspnet_client
01/23/2023  02:36 PM                 0 FILE~1.ASP   file.aspx
01/23/2023  02:36 PM                 0 FILETH~1.ASP fileThree.aspx
01/23/2023  02:36 PM                 0 FILETW~1.ASP fileTwo.aspx
01/23/2023  02:35 PM    <DIR>                       folder
01/11/2023  09:49 PM               703              iisstart.htm
01/11/2023  09:49 PM            99,710              iisstart.png
01/19/2023  03:43 PM               120 VARS~1.ASP   vars.aspx
01/20/2023  12:44 PM               155 WEB~1.CON    web.config
               7 File(s)        100,688 bytes
               4 Dir(s)  86,399,369,216 bytes free

Hmmm…

GitHub Scanner Repo has an important note:

Note: The web folder needs to be recreated, as the change to the NtfsDisable8dot3NameCreation registry entry affects only files and directories that are created after the change, so the files that already exist are not affected.

We need to recreate our folder(s)!

I will use “wwwroot” folder as an example.

Make a copy of it.

2. Rename the copy to “wwwrootNEW”.

3. Rename “wwwroot” to “wwwrootOLD”.

4. Rename “wwwrootNEW” to “wwwroot”.

At the end of the day, we just have to recreate the folder.

We no longer have short names:


C:\Users\azureuser>cd C:\inetpub\wwwroot

C:\inetpub\wwwroot>dir /-n


 Directory of C:\inetpub\wwwroot

.             <DIR>             01/23/2023  03:40 PM
..            <DIR>             01/23/2023  03:43 PM
aspnet_clien  <DIR>             01/23/2023  02:35 PM
file     asp                  0 01/23/2023  02:36 PM
fileThreeasp                  0 01/23/2023  02:36 PM
fileTwo  asp                  0 01/23/2023  02:36 PM
folder        <DIR>             01/23/2023  03:40 PM
iisstart htm                703 01/11/2023  09:49 PM
iisstart png             99,710 01/11/2023  09:49 PM
vars     asp                120 01/19/2023  03:43 PM
web      con                155 01/20/2023  12:44 PM
               7 File(s)        100,688 bytes
               4 Dir(s)  86,398,124,032 bytes free

But let us test with the scanner:


# IIS Short Name (8.3) Scanner version 2.4 - scan initiated 2023/01/23 15:45:49
Target: http://localhost/
|_ Result: Not vulnerable or no item was found. It was not possible to get proper/different error messages from the server. Check the inputs and try again.
|_ Warning(s):
  |_ Question mark character was blocked: you may have a lot of false positives. -> manual check is needed.
  |_ File extensions could not be verified. you may have false positive results. -> manual check is needed.
|_ Extra information:
  |_ Number of sent requests: 144

Finished in: 1 second(s)

Fsutil Tool 8dot3name

Command:

fsutil 8dot3name strip /s /v <LOCATION>

Example:



C:\Users\azureuser>fsutil 8dot3name strip /s /v  C:\sites\Site01
Scanning registry...
Registry Data                                                                     Registry Key Path
-------------------------------------------------------------------------------   ------------------------------------------

Total affected registry keys:                   0

Stripping 8dot3 names...

8dot3 Name      FileId                Full Path
-------------   -------------------   -------------------------------------------------------------------------------------
FILE~1.ASP      0x300000001a1f7       "C:\sites\Site01\file.aspx"
FILETH~1.ASP    0x300000001a1fa       "C:\sites\Site01\fileThree.aspx"
FILETW~1.ASP    0x300000001a200       "C:\sites\Site01\fileTwo.aspx"
INDEX~1.HTM     0x400000001a229       "C:\sites\Site01\index.html"
VARS~1.ASP      0x300000001a1f1       "C:\sites\Site01\vars.aspx"

Total files and directories scanned:            5
Total 8dot3 names found:                        5
Total 8dot3 names stripped:                     5

For details on the operations performed please see the log:
  "C:\Users\AZUREU~1\AppData\Local\Temp\2\8dot3_removal_log @(GMT 2023-01-23 16-12-15).log"

Let us test with scanner!



# IIS Short Name (8.3) Scanner version 2.4 - scan initiated 2023/01/23 16:13:55
Target: http://localhost:8000/
|_ Result: Not vulnerable or no item was found. It was not possible to get proper/different error messages from the server. Check the inputs and try again.
|_ Warning(s):
  |_ Question mark character was blocked: you may have a lot of false positives. -> manual check is needed.
  |_ File extensions could not be verified. you may have false positive results. -> manual check is needed.
|_ Extra information:
  |_ Number of sent requests: 144

Finished in: 1 second(s)

Press ENTER to quit...

Request Filtering Module

What we can do with this module is to block request that contains “~” character. This does nothing to 8dot3 file name creation.

Open IIS Manger.

Go at site or server level.

Open Request Filtering Module and go the URL tab.

Deny “~” character.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <requestFiltering>
                <denyUrlSequences>
                    <add sequence="~" />
                </denyUrlSequences>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

Test with scanner!

# IIS Short Name (8.3) Scanner version 2.4 - scan initiated 2023/01/23 16:20:52
Target: http://localhost:8001/
|_ Result: Not vulnerable or no item was found. It was not possible to get proper/different error messages from the server. Check the inputs and try again.
|_ Warning(s):
  |_ Question mark character was blocked: you may have a lot of false positives. -> manual check is needed.
  |_ File extensions could not be verified. you may have false positive results. -> manual check is needed.
|_ Extra information:
  |_ Number of sent requests: 144

Finished in: 1 second(s)

Press ENTER to quit...

URL Rewrite Module

Same idea, block requests that contains “~” character. This does nothing to 8dot3 file name creation.

Requests that contain “~” will be blocked.

Again, this can be set at site or server level.

Open IIS Manger.

Go at site or server level.

Open URL Rewrite Module.

Add Rule > Inbound Rule > Request blocking > Ok

Block access based on: URL Path.
Block request that: Matched the Pattern: \~
Using: Regular Expressions.
How to block: Abort Request.

Syntax:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="RequestBlockingRule1" stopProcessing="true">
                    <match url=".*" />
                    <conditions>
                        <add input="{URL}" pattern="\~" />
                    </conditions>
                    <action type="AbortRequest" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>