Microsoft IIS 7.5 Classic ASP Authentication Bypass

Affected Software:
Microsoft IIS 7.5 with configured Classic ASP and .NET Framework v4.0 installed (.NET Framework 2.0 is unaffected, other .NET frameworks have not been tested)

Details:
By appending “:$i30:$INDEX_ALLOCATION” to the directory serving the classic ASP file access restrictions can be successfully bypassed.

Take this Example:
1.) Microsoft IIS 7.5 has Classic ASP configured (it allows serving .asp files)
2.) There is a password protected directory configured that has administrative asp scripts inside
3.) An attacker requests the directory with :$i30:$INDEX_ALLOCATION appended to the directory name
4.) IIS/7.5 gracefully executes the ASP script without asking for proper credentials

Leave a Reply

Scroll to Top