Windows 短文件名(8.3) - 一个安全噩梦?

看不懂英文?没关系,用谷歌翻译……

Each time you create a new file on Windows, the operating system also generates an MS-DOS-compatible short file name in 8.3 format, to allow MS-DOS-based or 16-bit Windows-based programs to access files which have a long name. You can see these MS-DOS-compatible short file names by using the /X switch with the dir command. On my system I get something like this:

directory-shortnames-listing

There have been a lot of security problems in the past related to short file names. Just yesterday, I found another paper that talks about this subject. The paper was written by Soroush Dalili and is called Microsoft IIS tilde character “~” Vulnerability/Feature – Short File/Folder Name Disclosure.

When using IIS, you can get a list of all the shortnames (both files and directories) from a certain directory. This can be a big problem if you can manage to guess, or bruteforce the full file or directory names from these short names. While working on a security script for Acunetix Web Vulnerability Scanner, I thought “Why you have to guess the full names once you have the short names? Why you cannot use the short names? It turns out that IIS doesn’t accept short names for a variety of reasons, most of which are security related”. But what about Apache? Apache SUPPORTS short file names, and this is a security problem.

Think of following scenario; a web application running on Apache on Windows, is creating a file with a long name that should not be guessed by an attacker. For example it creates a session file or an SQL backup file. In this case the security of this application relies on the fact that the name of this file cannot be guessed.

Let’s assume that this file name is backup-082119f75623eb7abd7bf357698ff66c.sql. Windows will create a short name for this file, BACKUP~1.SQL. If I can access this  file using the short file name then all the security is broken. I just request BACKUP~1.SQL and get the file, which includes a backup of an SQL database.

Being curious if this problem is a real life problem, I looked at two of the most popular backup plugins for WordPress. Both of them are affected by this problem, which is explained in detail below.

After installing one of the plugins, I have requested a backup of my WordPress blog:

backup-options-saveserver

The plugin creates a custom directory for this backup (backup-88456). Once the backup is completed, the directory contained a file named wordpress_wp_20120702_576.sql, which is the WordPress database backup. This should be pretty hard to guess. We have 5 numbers in the directory name (100 000 combinations) plus the date and plus 3 more numbers. In total it should be at least 100,000,000 combinations if we ignore the date. What do you think are the short names for this directory and file? Using short names this is pretty easy to guess.

file-name

Directory name is BACKUP~1 and file name is WORDPR~1.SQL. That’s ONE combination. 100,000,000 combinations were reduced to ONE combination because of  Windows short names. As expected I can read the SQL backup file from the first try:

vulnerability

What can you do to protect yourself against this problem, and who’s fault is it?

Is Microsoft’s fault that they still support the short names in 2012? Maybe. I’m not sure but legacy and security do not go well together. Or is it Apache’s fault that they support the short names? Maybe.  I don’t think it is the fault of the person who wrote the WordPress plugin.

The solution

There is a way to disable Windows 8.3 short name creation.You can create a registry key named NtfsDisable8dot3NameCreation in HKLM\SYSTEM\CurrentControlSet\Control\FileSystem and set it to 1.  That should disable short names creation. Refer to this Microsoft TechNet article to read more about the solution.

Be Sociable, Share!

转自:http://www.acunetix.com/blog/web-security-zone/articles/windows-short-8-3-filenames-web-security-problem/

相关资料:

关于8.3格式短文件名规范、DOS时代的8.3格式文件名规范

相关内容:

IIS短文件和文件夹泄漏漏洞

Windows short (8.3) filenames – a security nightmare?

Windows short filenames “漏洞”、利用 Windows 短文件名猜文件

站长评论:

其实这是个很鸡肋的“漏洞”……

首先,如果文件名符合8.3规范的文件(文件名主体部分小于等于8个字节、扩展名部分小于等于3个字节),则根本没有短文件名。

其次,汉字和特殊符号等字符的猜解,也是很蛋疼的问题……

最后,即使猜出来了,也只有前六位,只能靠运气碰碰看了……

不过,它还是有不小的用处,也算是很另类的一个“漏洞”吧……

(提示:如果目标站自定义了 400、404 错误页面,那么该扫描器是无法判断的……)

可以参考下表: 

2012/07/04  20:46    <DIR>    !@#!@#~1.TXT    !@#!@#!@#.txt
2012/07/04  20:46    <DIR>                    !@#!@#.txt
2012/07/04  20:44    <DIR>    012345~1        0123456789
2012/07/04  20:44    <DIR>                    1
2012/07/04  20:44    <DIR>                    123
2012/07/04  20:44    <DIR>                    123456
2012/07/04  20:44    <DIR>                    1234567
2012/07/04  20:44    <DIR>                    12345678
2012/07/04  20:44    <DIR>    123456~1        123456789
2012/07/04  20:46    <DIR>                    啊.txt
2012/07/04  20:46    <DIR>    啊啊啊~1.TXT    啊啊啊啊啊啊啊啊啊.txt
2012/07/04  20:43    29       012345~1.TXT    0123456789.txt
2012/07/04  20:43    29                       1.txt
2012/07/04  20:43    29                       123.txt
2012/07/04  20:43    29                       123456.txt
2012/07/04  20:43    29                       1234567.txt
2012/07/04  20:43    29                       12345678.txt
2012/07/04  20:43    29       123456~1.TXT    123456789.txt