
[Vulnerability notice] IIS abbreviated file name brute-force cracking vulnerability

Last Updated: Nov 15, 2017

Description

Windows creates a corresponding 8.3 abbreviated file name for every long file (and folder) name so that 16-bit MS-DOS programs can still access it. You can view these abbreviated names with the dir /x command. As shown in the following figure, the abbreviated file name corresponding to .gitconfig is GITCON~1.

Figure: output of dir /x, listing the abbreviated name GITCON~1 beside .gitconfig.

Because of this feature, a file can be reached indirectly through its abbreviated file name. Since an abbreviated file name has a fixed form (xxxxxx~xxxx), attackers can brute-force abbreviated file names directly and then access the corresponding file.

For example, assume that a database backup file named backup_www.abc.com_20150101.sql exists on the server. Its abbreviated file name is backup~1.sql. Once an attacker guesses the name backup~1.sql, they can download the file without ever knowing the full file name.
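Requests for abbreviated names leave a recognizable trace in IIS logs: many path segments of the fixed xxxxxx~x form, mostly answered with 404, from one client in a short time. The following PowerShell script is an added example (not part of the original notice) that flags such requests in W3C-format IIS log lines; the log lines, field layout and client addresses are constructed sample data, and the function and variable names are this example's own.

```powershell
# Added example (not from the original notice): flag IIS W3C log requests whose
# path contains an 8.3-style segment such as BACKUP~1.SQL. The log lines below
# are constructed sample data, not real traffic.
$SampleLog = @'
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2017-11-15 10:00:01 203.0.113.5 GET /index.html - 200
2017-11-15 10:00:02 203.0.113.5 GET /backup~1.sql - 404
2017-11-15 10:00:03 203.0.113.5 GET /BACKUP~1.SQL - 200
2017-11-15 10:00:04 198.51.100.7 GET /images/logo.png - 200
2017-11-15 10:00:05 203.0.113.5 GET /a~1/ - 404
2017-11-15 10:00:06 203.0.113.5 GET /upload%7E1/ - 404
'@

# One path segment: 1-6 name characters, a tilde (literal or URL-encoded as %7E),
# one or more digits, and an optional extension of up to 3 characters.
$ShortNamePattern = '(?i)(?:^|/)[^/?\s]{1,6}(?:~|%7E)\d{1,4}(?:\.[^/?\s.]{1,3})?(?=/|\?|$|\s)'

function Find-ShortNameRequests {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line.StartsWith('#')) { continue }   # skip W3C header lines
        $fields = $line -split ' '
        if ($fields.Count -lt 7) { continue }     # malformed line; ignore
        $uriStem = $fields[4]
        if ($uriStem -match $ShortNamePattern) {
            [pscustomobject]@{
                Time     = "$($fields[0]) $($fields[1])"
                ClientIP = $fields[2]
                UriStem  = $uriStem
                Status   = $fields[6]
            }
        }
    }
}

$hits = Find-ShortNameRequests -Lines ($SampleLog -split "`r?`n")
$hits | Format-Table -AutoSize

# Several such requests from one client, mostly 404s, is the enumeration
# pattern the notice describes; a 200 among them means a file was reached.
$hits | Group-Object ClientIP | Where-Object Count -ge 3 |
    ForEach-Object { "Possible short-name enumeration from $($_.Name): $($_.Count) requests" }
```

On the sample data the script reports four matching requests from 203.0.113.5 (including the successful BACKUP~1.SQL download) and nothing for 198.51.100.7. Against real logs, feed it the cs-uri-stem column of your own site's log files and adjust the field indexes to match the #Fields header IIS writes.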

Fix

Disable the abbreviated file name feature in Windows.

  1. Use the regedit command to open the Windows registry and go to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem.

  2. Set the value of NtfsDisable8dot3NameCreation to 1.

  3. Restart the system for the change to take effect.
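The three steps above can be applied and verified from an elevated PowerShell session. The script below is an added example, not part of the original notice: it writes the registry value, checks it, and also deals with a point the steps do not mention, namely that NtfsDisable8dot3NameCreation only prevents new abbreviated names from being created, while files that already have one keep it until it is stripped. The web-root path is an assumed placeholder.

```powershell
# Added example (not from the original notice): apply and verify the fix.
# Run in an elevated PowerShell session.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$WebRoot = 'C:\inetpub\wwwroot'   # placeholder: change to the site's actual root

# Steps 1-2: set NtfsDisable8dot3NameCreation to 1 (disable 8.3 name creation).
Set-ItemProperty -Path $RegPath -Name 'NtfsDisable8dot3NameCreation' -Value 1 -Type DWord

# Verify the value was written as expected.
$value = (Get-ItemProperty -Path $RegPath -Name 'NtfsDisable8dot3NameCreation').NtfsDisable8dot3NameCreation
if ($value -ne 1) { throw "NtfsDisable8dot3NameCreation is $value, expected 1" }

# Show the setting as the file system reports it.
fsutil 8dot3name query

# The registry value only stops NEW abbreviated names. Files that already have
# one keep it, so list them under the web root first ...
fsutil 8dot3name scan /s $WebRoot

# ... and, after reviewing the scan output (stripping is not reversible and can
# break programs that reference the old names), remove them:
# fsutil 8dot3name strip /s $WebRoot

# Step 3: restart for the setting to take effect.
# Restart-Computer
```

The scan step matters for the backup-file case in the description: a file created before the registry change still answers to its abbreviated name until it is stripped or re-created, so the registry change on its own does not close the exposure for existing content.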
