Signature corrupted after uploading MSI file to WebDAV folder on IIS 6

 

Symptom

========

Download a public MSI file that carries a digital signature, for example from https://go.microsoft.com/fwlink/?LinkId=95743 , and open its Digital Signatures property page:

[screenshot webdav1]

It shows that the signature is OK.

 

On IIS 6, enable WebDAV on a folder (for detailed steps, refer to Using WebDAV with IIS), upload the MSI file to that folder, and check the uploaded file's Digital Signatures property page:

[screenshot webdav2]

The signature is now reported as not valid.

 

Other file types, such as .exe or .zip, are not affected when uploaded the same way.

 

Analysis

=============

I performed live debugging in both the good scenario (uploading an .exe file to the WebDAV folder) and the problematic scenario (uploading an .msi file to the WebDAV folder).

 

The root cause is that an MSI file is an OLE compound document (structured storage), and a freshly signed MSI does not contain the 'Bagaaqy23kudbhchAaq5u2chNd' storage or the 'CONTENTS' stream inside it. When WebDAV updates the file's properties (the PROPPATCH verb), httpext.dll hands the property set to OLE32, whose property-persistence code opens that storage inside the compound file, creates it together with the 'CONTENTS' stream when they are missing, and writes the property bag into them. Because the file's own contents have changed, the digital signature that was computed over the original file no longer matches, which is the "not valid" result seen above. The stack captured at the point where OpenStorage fails for that storage name (eax = 0x80030002, STG_E_FILENOTFOUND) shows the path from the PROPPATCH handler into OLE32:

 

0:004> kL
ChildEBP RetAddr
0132f634 776dbdb6 ole32!CExposedDocFile::OpenStorage+0xcd
0132f6f8 7777367f ole32!CPropertySetStorage::Open+0x100
0132f77c 77773e56 ole32!CPropertyBagEx::OpenPropStg+0x5a
0132fbb0 6711bea5 ole32!CPropertyBagEx::WriteMultiple+0xab
0132fbd4 6711dac3 httpext!CFSProp::ScSetProps+0x29
0132fc0c 6711e7fc httpext!CFSPatch::ScPatch+0xaf
0132fc68 6711f1ee httpext!CPropPatchRequest::DoPatch+0x194
0132fc84 6711f4a8 httpext!CPropPatchRequest::ParseBody+0x39
0132fca8 6711f542 httpext!CPropPatchRequest::Execute+0x195
0132fccc 671296d2 httpext!DAVPropPatch+0x86
0132fd1c 67117bc6 httpext!CDAVExt::DwMain+0x12e
0132fe40 5a322991 httpext!DwDavFSExtensionProc+0x3f
0132fe60 5a3968ff w3isapi!ProcessIsapiRequest+0x214
0132fe94 5a3a66f1 w3core!W3_ISAPI_HANDLER::IsapiDoWork+0x3fd
0132feac 5a394c6f w3core!W3_ISAPI_HANDLER::OnCompletion+0x7e
0132fec4 5a394bf0 w3core!W3_HANDLER::MainOnCompletion+0x52
0132fee8 5a394baf w3core!W3_CONTEXT::ExecuteHandlerCompletion+0x23
0132ff08 5a394fab w3core!W3_MAIN_CONTEXT::DoWork+0x91
0132ff20 5a3618b2 w3core!W3_MAIN_CONTEXT::OnIoCompletion+0x37
0132ff38 5a361650 w3dt!UL_NATIVE_REQUEST::DoStateProcess+0x48

0:004> du 0x0132f6b4
0132f6b4 ".Bagaaqy23kudbhchAaq5u2chNd"

0:004> r eax
eax=80030002

0:004> !error 80030002
Error code: (HRESULT) 0x80030002 (2147680258) - %1 could not be found.

0:004> du ole32!g_oszPropertyContentsStreamName
77680108 "CONTENTS"

 

This also explains why .zip and .exe files are not affected: they are not OLE compound documents, so the PROPPATCH does not write the property set into the file's own contents and the bytes covered by the signature stay unchanged.

 

To check whether a file is an OLE compound document, open it with the stg.exe tool from the Knowledge Base article below.

https://support.microsoft.com/kb/139545

If the file is an OLE compound document and the Bagaaqy23kudbhchAaq5u2chNd storage exists, stg.exe displays it like this:

[screenshot webdav3]
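As an added example (not code from the original post), the following Python script does offline what stg.exe does interactively: it walks the directory of an OLE compound file and reports whether the Bagaaqy23kudbhchAaq5u2chNd storage and its CONTENTS stream are present, so a pristine MSI can be told apart from one the WebDAV PROPPATCH has rewritten. It assumes CFB v3 files (512-byte sectors) with no extended DIFAT sectors, treats the '.' that WinDbg printed in front of the storage name as a non-printable prefix character and therefore ignores leading control characters when matching names, and builds its own constructed sample images (a minimal "signed MSI" holding only a DigitalSignature stream, and the same file after the property bag was added) rather than reading a real MSI; the build_compound_file writer exists only to produce those samples.

```python
"""Detect the IIS 6 WebDAV property-bag storage inside an OLE compound file.
Added example, not from the original post. Assumptions: CFB v3 (512-byte sectors),
no extended DIFAT (files under ~7 MB), names matched after dropping leading control chars."""
import struct

MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
SECTOR = 512
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
STORAGE, STREAM, ROOT = 1, 2, 5
CONTROL = "".join(map(chr, range(32)))   # assumed non-printable prefix (e.g. \x05) is ignored
WEBDAV_STORAGE = "Bagaaqy23kudbhchAaq5u2chNd"  # storage name from the debugger output on the page
CONTENTS = "CONTENTS"                          # stream name from ole32!g_oszPropertyContentsStreamName


def _sector(data, n):
    return data[(n + 1) * SECTOR:(n + 2) * SECTOR]


def _fat(data):
    """Assemble the FAT from the (up to 109) DIFAT entries stored in the header."""
    n_fat = struct.unpack_from("<I", data, 0x2C)[0]
    fat = []
    for i in range(min(n_fat, 109)):
        sect = struct.unpack_from("<I", data, 0x4C + 4 * i)[0]
        fat.extend(struct.unpack_from("<128I", _sector(data, sect)))
    return fat


def _chain(fat, start):
    seen = set()
    while start not in (ENDOFCHAIN, FREESECT) and start < len(fat):
        if start in seen:
            raise ValueError("FAT chain loop")
        seen.add(start)
        yield start
        start = fat[start]


def list_entries(data):
    """Return {path: type} for every storage (1) and stream (2) reachable from the Root Entry."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE compound file")
    if struct.unpack_from("<H", data, 0x1E)[0] != 9:
        raise ValueError("only 512-byte sectors handled (assumption of this example)")
    fat = _fat(data)
    first_dir = struct.unpack_from("<I", data, 0x30)[0]
    raw = b"".join(_sector(data, s) for s in _chain(fat, first_dir))
    entries = []
    for i in range(len(raw) // 128):          # 128-byte directory entries
        e = raw[i * 128:(i + 1) * 128]
        name_len, typ = struct.unpack_from("<HB", e, 0x40)
        name = e[:max(name_len - 2, 0)].decode("utf-16-le").lstrip(CONTROL)
        entries.append((name, typ) + struct.unpack_from("<III", e, 0x44))  # left, right, child
    found = {}

    def walk(idx, prefix):
        if idx == NOSTREAM or idx >= len(entries) or entries[idx][1] == 0:
            return
        name, typ, left, right, child = entries[idx]
        found[prefix + name] = typ
        walk(left, prefix)
        walk(right, prefix)
        walk(child, prefix + name + "/")

    if entries:
        walk(entries[0][4], "")               # entries[0] is the Root Entry; walk its children
    return found


def webdav_property_state(data):
    """(storage present, CONTENTS stream present); both False for a pristine signed MSI."""
    found = list_entries(data)
    return (found.get(WEBDAV_STORAGE) == STORAGE,
            found.get(WEBDAV_STORAGE + "/" + CONTENTS) == STREAM)


def build_compound_file(tree):
    """Constructed-sample writer: minimal CFB v3 image (header, one FAT sector, one directory
    sector) for at most three (path, type) entries; streams are empty, siblings chained as a list."""
    names = ["Root Entry"] + [p.rsplit("/", 1)[-1] for p, _ in tree]
    types = [ROOT] + [t for _, t in tree]
    index = {"": 0, **{p: i for i, (p, _) in enumerate(tree, 1)}}
    child, right, last = [NOSTREAM] * len(names), [NOSTREAM] * len(names), {}
    for i, (p, _) in enumerate(tree, 1):
        parent = index[p.rsplit("/", 1)[0] if "/" in p else ""]
        if parent in last:
            right[last[parent]] = i
        else:
            child[parent] = i
        last[parent] = i
    directory = bytearray(SECTOR)
    for i, name in enumerate(names):
        base, wname = i * 128, name.encode("utf-16-le") + b"\x00\x00"
        directory[base:base + len(wname)] = wname
        struct.pack_into("<HBB", directory, base + 0x40, len(wname), types[i], 1)
        struct.pack_into("<III", directory, base + 0x44, NOSTREAM, right[i], child[i])
        struct.pack_into("<I", directory, base + 0x74, ENDOFCHAIN)
    header = bytearray(SECTOR)
    header[:8] = MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<IIIII", header, 0x2C, 1, 1, 0, 4096, ENDOFCHAIN)  # 1 FAT sector, dir at sector 1
    struct.pack_into("<II", header, 0x44, ENDOFCHAIN, 0)                   # no DIFAT sectors
    struct.pack_into("<109I", header, 0x4C, 0, *[FREESECT] * 108)         # FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *[FREESECT] * 126)
    return bytes(header) + fat + bytes(directory)


# Constructed samples standing in for the MSI before and after the PROPPATCH write
# (a real MSI carries many more streams; only the entries relevant here are modelled).
SIGNED_MSI = build_compound_file([("\x05DigitalSignature", STREAM)])
AFTER_WEBDAV = build_compound_file([
    ("\x05DigitalSignature", STREAM),
    ("\x05" + WEBDAV_STORAGE, STORAGE),
    ("\x05" + WEBDAV_STORAGE + "/" + CONTENTS, STREAM),
])

if __name__ == "__main__":
    for label, image in (("before upload", SIGNED_MSI), ("after WebDAV", AFTER_WEBDAV)):
        print(label, sorted(list_entries(image)), webdav_property_state(image))
```

To check a real file, read it with open(path, "rb").read() and pass the bytes to webdav_property_state; a (True, True) result on a file that was signed before it went through WebDAV is exactly the modification that breaks the signature.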

 

Summary

========

When an OLE compound document such as an MSI is uploaded to an IIS 6 WebDAV folder, the PROPPATCH request that sets the file's properties writes a property bag (the Bagaaqy23kudbhchAaq5u2chNd storage with a CONTENTS stream) into the file itself, which invalidates the file's digital signature. To work around this, zip the files before uploading them: a .zip is not a compound document and is left unchanged, and the signature can be verified again after extraction. Based on our tests, IIS 7 does not have this problem.

 

Regards,

 

Freist Li