Microsoft Internet Information Services (IIS)

IIS 7.5 Tilde vulnerability enumeration

The enumeration process starts by sending requests with various characters following the tilde:

http://example.com/~a
http://example.com/~b
http://example.com/~c
...
...
http://example.com/~s **[200 ok]**

The enumeration process continues by appending more characters:

http://example.com/~se **[200 ok]**
http://example.com/~sf
http://example.com/~sg
...

Continuing this procedure, the short name secret~1 is eventually discovered. Files in that directory can then be accessed by submitting requests such as:

http://example.com/secret~1/somefile.txt
http://example.com/secret~1/anotherfile.docx

The same IIS tilde directory enumeration technique can also detect 8.3 short file names for files within the directory. After obtaining the short names, those files can be accessed directly by using the short names in the requests:

http://example.com/secret~1/somefi~1.txt

In 8.3 short file names, such as somefi~1.txt, the number "1" is a unique identifier that distinguishes files with similar names within the same directory. The numbers following the tilde (~) assist the file system in differentiating between files that share similarities in their names, ensuring each file has a distinct 8.3 short file name.

For example, if two files named somefile.txt and somefile1.txt exist in the same directory, their 8.3 short file names would be:

  • somefi~1.txt for somefile.txt

  • somefi~2.txt for somefile1.txt

Tool:

https://github.com/lijiejie/IIS_shortname_Scanner

Cause:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation is not set to 1

Solution:

  1. Open Registry Editor.

  2. Navigate to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

  3. Right-click NtfsDisable8dot3NameCreation, and then click Modify.

  4. In the Value data box, type 1, and then click OK.
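
The same registry change scripted in PowerShell, as an added example that is not part of the original page. It also lists entries under the web root that still carry an 8.3 alias, since disabling creation does not remove short names that already exist; the path C:\inetpub\wwwroot is an assumption.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell prompt.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$name = 'NtfsDisable8dot3NameCreation'

# Read the current value ($null if the value does not exist).
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
Write-Output "$name is currently: $current"

if ($current -ne 1) {
    # Equivalent to the Registry Editor steps: set the DWORD value to 1.
    New-ItemProperty -Path $key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
    Write-Output "$name set to 1"
}

# Short names created before the change stay on disk, so list what is still exposed.
$webRoot = 'C:\inetpub\wwwroot'   # assumption: adjust to the site's physical path
$fso = New-Object -ComObject Scripting.FileSystemObject

Get-ChildItem -Path $webRoot -Recurse -Force | ForEach-Object {
    $entry = if ($_.PSIsContainer) { $fso.GetFolder($_.FullName) } else { $fso.GetFile($_.FullName) }
    # ShortName equals the long name when no separate 8.3 alias exists.
    if ($entry.ShortName -ne $_.Name) {
        [pscustomobject]@{ ShortName = $entry.ShortName; LongPath = $_.FullName }
    }
} | Format-Table -AutoSize
```

Any rows in the output are names that remain reachable through their 8.3 alias until the files are recreated or the aliases are removed, for example with `fsutil 8dot3name strip`.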
