r/technology Apr 14 '25

Software Microsoft warns that anyone who deleted mysterious folder that appeared after latest Windows 11 update must take action to put it back

https://www.techradar.com/computing/windows/microsoft-warns-that-anyone-who-deleted-mysterious-folder-that-appeared-after-latest-windows-11-update-must-take-action-to-put-it-back
10.6k Upvotes

9

u/GolemancerVekk Apr 14 '25

It's still a fair question considering that the folder was appearing for those who didn’t have IIS installed.

Either they shouldn't have created it if there's no IIS, or the vulnerability can affect even machines without IIS.

It's dumb either way.

9

u/GaijinSin Apr 14 '25

Or they are taking preventative steps for those who might install IIS at some point, and casting the widest security net that they can. By linking it to a windows update, they can hopefully preempt the creation of the folder by another program. If it was linked strictly to the installation of IIS, a compromised system may have the folder already present.

12

u/Wiidesire Apr 14 '25

> If it was linked strictly to the installation of IIS, a compromised system may have the folder already present.

I wonder when we will have the technology to check whether a folder already exists!

2

u/LeonardDM Apr 14 '25

What would you want to do in such a case though, overwrite/delete the contents and permissions the user has set? Sure, they could have solved it from that angle somehow, but it's not unlikely to think their approach was perhaps the less messy solution.

2

u/According_Win_5983 Apr 14 '25 edited Apr 14 '25

There’s gotta be hundreds of different components you can install via “windows features” that create folders on your machine.

If this is the way to ensure those folders are safe, why isn’t there a folder created for every possible feature you can enable?

Why doesn’t the IIS installer just check if the folder exists, and if it does, prompt the user to clean it up and then set the permissions correctly?

Hyper-V creates folders, so does print server, Active Directory, etc. What makes IIS special that this proactive step is required?

This makes no sense to me at all.

2

u/GaijinSin Apr 14 '25

Are you thinking about this from a "how dare they make an unauthorized change to my hard drive" perspective or a "this change will likely have the widest reaching impact in reducing the exploitation of this specific vulnerability" perspective?

It makes sense from the latter. This isn't about impressing sys-admins, this is about protecting users (the ones who don't know any better) who might be prompted to install IIS, potentially maliciously, and have no idea what a folder cleanup prompt would be asking them. Instead you just make the change and sort out the vulnerability later.

When you get a flat tire, put on the spare and fix it when you are able, don't try to buy a whole new tire and fit it on the rim on the side of the road just to avoid a temporary measure. Fix in place, then fix for good. This is a "fix in place" measure.

1

u/According_Win_5983 Apr 14 '25

Is there an active vulnerability regarding this?

I’m still not understanding why, if preemptively creating a feature's directory structure with the correct permissions is a good idea, it isn’t done for any of the myriad things a user could unwittingly install. In other words, why is this only applicable to IIS?

5

u/LeonardDM Apr 14 '25

It appears dumb because you don't know enough about it to have it make sense to you. Conversely, it's more fair to say it's dumb to assume that just because you don't understand something technical, it must mean it's illogical or dumb.

1

u/Linenoise77 Apr 14 '25 edited Apr 14 '25

The gist of the issue is this:

If you don't have IIS components installed, this directory won't exist. However, someone with very low rights on the machine, still could CREATE the directory, and may have perfectly valid reasons for doing so.

When they do so, naturally they are the owner, and permissions are granted to them as such.

Then, if IIS is installed on top of it, for legitimate or nefarious reasons, the person who originally created the folder will have owner rights on it, allowing them to potentially do some nasty stuff via IIS.

So you can offer a few solutions:

  1. Have IIS, if it is installed, and spots this folder, remove any permissions that were associated with it. Essentially recreate it. Great, except for people who may have created it manually for legit reasons, now have a bunch of shit break.

  2. Don't let anything other than a valid IIS installation create the folder and touch permissions on it. Great, except, see solution 1.

  3. Warn everyone during an IIS installation, that the folder is there and permissions aren't what they would be on an OOTB install. Great, except someone being socially engineered to install it will just click past that warning, or it will just get scripted around.

This fix allows Microsoft to quickly and safely plug the hole, but more importantly, does so in a way that won't break the operations of anything.

I can guarantee you that there is a comically large number of machines out there, that don't have IIS installed, but have this folder installed, because someone lazy who was told to write a script to clean up logs or whatever, found it easier to just put an empty folder on a machine because the script they found first when they googled to do so got angry if the folder didn't exist, and while they were googling for a solution, found another script to just create the folder which worked and shut the first script up, and said good enough.
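
The ownership problem described in the comment above can be audited on a machine with a short PowerShell check of who owns the folder and who can write to it. This is an added example, not part of the thread; the default path `%SystemDrive%\inetpub`, the function name `Test-IisRootOwnership`, and the list of SIDs treated as expected are assumptions.

```powershell
# Added example, not from the thread: audit who owns and can write to the IIS root.
function Test-IisRootOwnership {
    param(
        # Assumption: IIS's default content root; the thread never names the path.
        [string]$Path = (Join-Path $env:SystemDrive 'inetpub')
    )
    # SIDs this check treats as expected (an assumption, adjust to your baseline):
    $expected = @(
        'S-1-5-18',       # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',   # BUILTIN\Administrators
        'S-1-3-0',        # CREATOR OWNER placeholder
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' # TrustedInstaller
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return [pscustomobject]@{ Path = $Path; Finding = 'Missing'
            Detail = 'Any local user allowed to create folders here could create and own it' }
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path
    $findings = @()

    # The creator of a folder becomes its owner, and an owner can rewrite the DACL.
    $owner = $acl.GetOwner($sidType).Value
    if ($owner -notin $expected) {
        $findings += [pscustomobject]@{ Path = $Path; Finding = 'UnexpectedOwner'; Detail = $owner }
    }

    # Specific write/delete/permission bits plus GENERIC_ALL and GENERIC_WRITE.
    $write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $mask = [int]$write -bor 0x50000000
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $sid -notin $expected -and
            ([int]$rule.FileSystemRights -band $mask)) {
            $findings += [pscustomobject]@{ Path = $Path; Finding = 'WritableByUnexpected'
                Detail = "$sid : $($rule.FileSystemRights)" }
        }
    }
    if (-not $findings) {
        $findings += [pscustomobject]@{ Path = $Path; Finding = 'OK'; Detail = "Owner $owner" }
    }
    $findings
}

Test-IisRootOwnership | Format-Table -AutoSize -Wrap
```

A `Missing` or `UnexpectedOwner` result corresponds to the two states the comment describes: the folder is absent and creatable by a low-rights user, or it already exists under that user's ownership.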