Microsoft IIS contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered during the parsing of a request that contains a tilde character (~). This may allow a remote attacker to gain access to file and folder name information.
It is possible to detect short names of files and directories which have an 8.3 equivalent in Windows by using some vectors in several versions of Microsoft IIS. For instance, it is possible to detect all short-names of “.aspx” files as they have 4 letters in their extensions.
Latest Change : 02/03/2015 :
Removing no-extension case from the Config file Testing without any extensions caused some problems and false-positives
– it can be added later manually if it was needed
Note: new techniques have been introduced to the latest versions of this scanner and it can now scan IIS8.5 when it is vulnerable.
It is not easy to find the original file or folder names based on the short names. However, the following methods are recommended as examples:
If you can guess the full extension (for instance .ASPX when the 8.3 extension is .ASP), always try the short name with the full extension.
Sometimes short names are listed in Google which can be used to find the actual names
Using text dictionary files is also recommended. If a name starts with another word, the second part should be guessed based on a dictionary file separately. For instance, ADDACC~1.ASP can be AddAccount.aspx, AddAccounts.aspx, AddAccurateMargine.aspx, etc
Searching in the website contents and resources can also be useful to find the full name. This can be achieved for example by searching Site Map in the Burp Suite tool.
Installation :
It has been compiled by using JDK 7. You only need to download the following files if you do not want to build this yourself:
+ IIS_shortname_scanner.jar
+ config.xml
+ run.bat
Remember to use Java v7.
You can also compile this application yourself. Please submit any issues in GitHub for further investigation. It should be straight forward to open this project in Eclipse as well.
Original research file: http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf
Sample Usage :
Download : Master.zip | Clone Url
Source : https://code.google.com/p/iis-shortname-scanner-poc/