The DNN Issue:
If you browse to the following sub-folder on your DNN site “Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx”, you will see a page that looks like this:
The above hack will typically lead to hackers dropping small txt files that have some kind of a notice saying that your website has been hacked!
It is hard to do anything substantial with this hack alone.
But wait there is more…..
The IIS Issue:
On December 25th of 2009, an “Ethical” hacker found a vulnerability in IIS 5 and IIS 6 called the “semi-colon” bug or the “multiple extensions IIS/ASP bug”. Read More.
The semi-colon bug allows any file that has .asp in the file name to execute as an ASP file. This bug occurs in all versions of IIS 6 and prior. This means that a file named “innocusFile.asp;.jpg” will be executed like an ASP file.
The big scary picture:
The 2 bugs on their own were bad, but it still would be hard for anything bad to happen. But together – they open up a can of worms that is going to make everyone in your organization pulling every fire alarm in the building. Here is the big picture:
1. Hacker fabricates an ASP file that uses COM objects such as the FileSystemObject to get complete access to your computer.
2. Hacker names the asp file as “myHack.asp;.jpg”.
3. Hacker navigates to the “Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx” file in his browser and uses the DNN loop hole to upload his myHack.asp;.jpg file. DNN complies because it thinks it is a simple jpg file. This is because DNN looks only at the last extension it finds in a file name.
4. The file uploads to the DNN website to the folder (WITHHELD – to protect unprotected DNN sites).
5. The hacker browses to the file that he uploaded. The file is delivered to the ASP processing engine by IIS and a page that opens up the entire computer to the hacker is displayed. This is because IIS has been coded such that it recognizes a file type based on its extension even if the extension is not the last part of the file name!!
6. The hacker uses his ASP page to get full control of your website (and I mean full control – all disk drives, connection strings, databases, registy, etc.). Nothing is safe after this.
Here is a sample ASP file called the “Smart Shell”, that basically shows the capabilities that an hacker can get over your website: (This kind of an ASP file is also called the 3fexe ASP hack).
How to mitigate:
Because there is no known fix, there are only ways to mitigate this attack (and hence it is a zero-day hack).
1. Rename the fcklinkgallery.aspx file
As fcklinkgallery.aspx is the entry point for this hack attack, the first thing to do is to rename this file. I suggest using a random file name – like a guid. After you rename the file, you will need to update the “LinksGalleryPath” setting in your config file. This will be found in the <dotnetnuke><htmlEditor><providers><add name="FckHtmlEditorProvider"> section. Just look for “LinksGalleryPath” and update the value to the newly named file name.
If the hacker cannot browse to the fcklinkgallery.aspx file, he will not be able to upload a ASP file onto your DNN site.
(Update: 03-30-2010) please note: Gabe has included an extra step that needs to be taken to get the link editor to work after renaming it. Please see the comments below. Basically you need to also rename the "\Providers\HtmlEditorProviders\Fck\App_LocalResources\fcklinkgallery.aspx.resx" to match the renamed fckLinkGallery file.)
2. Remove Execute permission on the Portals folder of your DNN site.
The sub-folder “Portals” in your DNN site typically does not need to be able to run ASP files or any other files. So remove “Execute” permissions on that folder.
Open up IIS.
Expand the website node for your DNN site.
Select the Portals node in the explorer view on the left.
Right click on the Portals node and open the Properties dialog.
Chose the Directory Node.
Set Execute Permissions to “None”.
3. Remove access to FileSystemObject.
This falls into the excessively precautious as it is not really required for you to do. An important note: Do not do this if you know that you have some ASP apps on your site and if those ASP apps use FileSystemObject – you might end up hosing those apps.
There are 2 ways to do this: Remove access to this COM object from the security principal used to run your IIS website (typically ASPNET) or to completely unregister the dll.
1. Registry access:Remember – step 3 is really not required to be done.
Open registry editor.
Browse to “HKEY_CLASSES_ROOT\Scripting.FileSystemObject”, right click and under permissions deny access to the ASPNET user.
2. Completely disable FileSystemObject
Run regsvr32 scrrun.dll .u in the C:\windows\System32 folder.
The only Fix:The only “true” fix is to upgrade to IIS 7 or higher and a DNN version of 4.9.4 or higher.
Securing IIS 6.0:
One way hacking (which is what the above type of hack is known as):
Restricting information available to anonymous users:
DNN LinkGallery Remote File Upload without Extension:
DNN Failure to revalidate file and folder permissions correctly for uploads:
IIS Security Vulnerability and DNN