2022/03/22

[滲透測試] 修正 IIS 目錄列舉弱點問題

markdown ### 問題 近期收到客戶傳來的滲透測試報告,其中一項弱點為 IIS 目錄列舉 弱點描述:Microsoft IIS 中的部分版本可以利用特殊手法對 Windows 8.3 短文件名規範的檔案或目錄進行猜測。 ### 網站環境 - Windows Server 2019 - IIS 10 - ASP.NET Core 3.1 ### 掃描工具 [IIS Short Name Scanner](https://github.com/irsdl/iis-shortname-scanner/) ``` java -jar iis_shortname_scanner.jar 0 20 http://192.168.0.220:8000 ``` 測試結果 ``` # IIS Short Name (8.3) Scanner version 2.3.9 (05 February 2017) - scan initiated 2022/03/22 00:22:15 Target: http://192.168.0.220:8000/ |_ Result: Vulnerable! |_ Used HTTP method: DEBUG |_ Suffix (magic part): \a.aspx |_ Extra information: |_ Number of sent requests: 703 |_ Identified directories: 0 |_ Indentified files: 10 |_ APPSET~1.JSO |_ APPSET~2.JSO |_ NETCOR~1.DLL |_ NETCOR~1.EXE |_ NETCOR~1.JSO |_ NETCOR~1.PDB |_ NETCOR~2.DLL |_ NETCOR~2.JSO |_ NETCOR~2.PDB |_ WEB~1.CON |_ Actual file name = WEB ``` ### 解決方法 1. 關閉 NtfsDisable8dot3NameCreation 執行 `regedit` 修改機碼 `HKEY_Local_Machine\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation`
2. 移除指定目錄及其子目錄的 8.3 檔案名 ``` fsutil 8dot3name strip /l mylogfile.log /s d:\Web\MySite ``` 3. 在 IIS 的站台 - 篩選要求 在 URL 項目中,增加拒絕序列 `~`
再測試結果:Not vulnerable or no item was found. ``` # IIS Short Name (8.3) Scanner version 2.3.9 (05 February 2017) - scan initiated 2022/03/22 00:23:28 Target: http://192.168.0.220:8000/ |_ Result: Not vulnerable or no item was found. It was not possible to get proper/different error messages from the server. Check the inputs and try again. |_ Warning(s): |_ Question mark character was blocked: you may have a lot of false positives. -> manual check is needed. |_ File extensions could not be verified. you may have false positive results. -> manual check is needed. |_ Extra information: |_ Number of sent requests: 144 ``` ### 結語 我自己的測試,在 IIS 增加篩選要求的拒絕序列 ~ 即可達到防掃目的,但若有主機權限,當然最好從根本直接關閉機碼。 此次的測試網站是以 IIS + .NET Core 的網站來做測試,會出現這弱點,我也另外而針對 ASP.NET MVC 的網站做相同的測試並沒有出現此問題。所以若是用 IIS 來架設 .NET Core 的網站時,最好多做第三項的篩選要求動作! ### References - [IIS Short Name Scanner](https://github.com/irsdl/iis-shortname-scanner/) - [NtfsDisable8dot3NameCreation](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?WT.mc_id=DT-MVP-5002629) - [fsutil 8dot3name](https://docs.microsoft.com/zh-tw/windows-server/administration/windows-commands/fsutil-8dot3name?WT.mc_id=DT-MVP-5002629) - [web中間件漏洞之IIS篇](https://kknews.cc/code/l3rjb4z.html) - [如何修復IIS列舉 8.3filename 的風險](https://hackmd.io/@Not/HkYCJET2S)

沒有留言:

張貼留言