Asp.Net.Vulnerability: Asp.Net buffer overflows (potential security problems)

Discussion in 'ASP .Net Security' started by Dinis Cruz, Oct 16, 2003.

  1. Dinis Cruz

    Dinis Cruz Guest

    Has anybody tested if the latest RPC vulnerabilities can be executed
    from an Asp.Net page running in an un-patched server? Since it is
    possible to make direct Win32 API calls from Asp.Net there is a high
    chance that these vulnerabilities will work.

    If that is possible, please provide the test code in order for me to
    add it to our ANSA (Asp.Net Security Analyser, see
    http://www.gotdotnet.com/Community/Workspaces/Workspace.aspx?id=36ae9a2c-8740-4b52-924e-320edf64fba5)
    so that system administrators can quickly identify the vulnerable
    servers and patch them.

    Note that at the moment there is no 'real' solution to disabling Win32
    API calls in IIS 5.0 and IIS 6.0. Which means that if these
    vulnerabilities exist, then it would be a critical problem, because
    everybody that hosts .Net websites in shared hosting environments
    would be affected.

    Best regards

    Dinis Cruz
    .Net Security Consultant
    DDPlus (www.ddplus.net)
     
    Dinis Cruz, Oct 16, 2003
    #1

  2. Re: Asp.Net.Vulnerability: Asp.Net buffer overflows (potential security problems)

    Dinis ..why not forward this as it should be to

    The Microsoft Security Response Center (MSRC) draws on the hundreds of
    security professionals at Microsoft to form virtual teams that respond
    to reports of security issues with Microsoft products or technologies.
    To report a suspected vulnerability, please send e-mail to
    .

    Posting a potential vulnerability to a public newsgroup is not showing
    good judgement for disclosure of vulnerabilities assuming these are valid.

    Report responsibly for all of our benefit on the Internet.

    Susan

    Dinis Cruz wrote:

    > Has anybody tested if the latest RPC vulnerabilities can be executed
    > from an Asp.Net page running in an un-patched server? Since it is
    > possible to make direct Win32 API calls from Asp.Net there is a high
    > chance that these vulnerabilities will work.
    >
    > If that is possible, please provide the test code in order for me to
    > add it to our ANSA (Asp.Net Security Analyser, see
    > http://www.gotdotnet.com/Community/Workspaces/Workspace.aspx?id=36ae9a2c-8740-4b52-924e-320edf64fba5)
    > so that system administrators can quickly identify the vulnerable
    > servers and patch them.
    >
    > Note that at the moment there is no 'real' solution to disabling Win32
    > API calls in IIS 5.0 and IIS 6.0. Which means that if these
    > vulnerabilities exist, then it would be a critical problem, because
    > everybody that hosts .Net websites in shared hosting environments
    > would be affected.
    >
    > Best regards
    >
    > Dinis Cruz
    > .Net Security Consultant
    > DDPlus (www.ddplus.net)


    --
    "Don't lose sight of security. Security is a state of being,
    not a state of budget. He with the most firewalls still does
    not win. Put down that honeypot and keep up to date on your patches.
    Demand better security from vendors and hold them responsible.
    Use what you have, and make sure you know how to use it properly
    and effectively."
    ~Rain Forest Puppy
    http://www.wiretrip.net/rfp/txt/evolution.txt
     
    Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP], Oct 17, 2003
    #2
