MS05-004: Path vulnerability still present in ASP.NET 2.0

Richard Eke

http://support.microsoft.com/kb/887219
details a vulnerability for all ASP.NET web sites that use Forms
Authentication. However, it only lists .NET 1.0 and 1.1.

Today I've received a report from a third party doing penetration testing on
a web site we developed in ASP.NET 2.0 detailing this as a vulnerability.
I've double checked and it indeed is. We have a common base class that
simply throws a default error page if the user isn't authenticated so our app
is OK but the report going to our clients doesn't look very good!

I thought in ASP.NET 2.0 the fix for this problem was going to be 'baked-in'
- it appears not.

Are there any similar patches to those detailed in the security bulletin
mentioned above?

Thanks

Richard

Dominick Baier [DevelopMentor]

Hi,

can you give us more details...

which OS? Details of the Exploit?

Richard Eke

The server O/S is W2003 SP2 (IIS 6.0)

The exploit is:
You have a sub-folder on your web site called something like 'Secure'. You
use Forms Authentication to force authentication before any pages from this
folder can be accessed.
All is OK if the user accesses http://myserver/myapp/secure/mypage.aspx
ASP.NET picks-up the authentication / authorization and re-directs.
However, if you replace one of the slashes with its hex code %5C, e.g.
http://myserver/myapp\secure/mypage, ASP.NET fails to recognise it should be
secured and lets the user in.
This is detailed in the KB article I mentioned in my original post.
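The canonicalization check that the post above describes, written out as an added example. This is not code from the thread and not Microsoft's own workaround from the KB article: it is an ASP.NET IHttpModule that rejects, before URL authorization runs, any request whose path still contains a backslash (literal or encoded as %5C) or whose physical path changes when fully normalised. The class name, the method names and the choice to answer with a 404 are my assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Added example (not from the thread or from the KB article): reject requests
// whose path is not in canonical form before ASP.NET's UrlAuthorization runs.
public class CanonicalPathModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // BeginRequest fires before authentication and authorization modules.
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;

        if (!IsCanonical(request.RawUrl, request.Path, request.PhysicalPath))
        {
            // Fail closed. A 404 reveals nothing about which folders are protected.
            throw new HttpException(404, "Not found");
        }
    }

    // Returns false when the raw URL or virtual path carries a backslash
    // (literal or %5C), or when the physical path is not already fully
    // normalised (mixed separators, ".." segments). Such requests are the
    // ones that can reach a handler under a name UrlAuthorization never saw.
    public static bool IsCanonical(string rawUrl, string virtualPath, string physicalPath)
    {
        if (rawUrl.IndexOf('\\') >= 0 ||
            rawUrl.IndexOf("%5c", StringComparison.OrdinalIgnoreCase) >= 0)
        {
            return false;
        }

        if (virtualPath.IndexOf('\\') >= 0)
        {
            return false;
        }

        if (!string.IsNullOrEmpty(physicalPath) &&
            !string.Equals(Path.GetFullPath(physicalPath), physicalPath,
                           StringComparison.OrdinalIgnoreCase))
        {
            return false;
        }

        return true;
    }
}
```

To activate it on the IIS 6 / classic pipeline setup described in this thread, register the module in web.config under `<system.web><httpModules>` with `<add name="CanonicalPath" type="CanonicalPathModule" />`. With it in place, the two URLs from the post above (`/myapp/secure/mypage.aspx` and `/myapp\secure/mypage.aspx`) no longer take different paths through authorization: the first is redirected to the login page as before, the second is rejected outright. Because the check lives inside ASP.NET, it only covers requests that IIS actually hands to the ASP.NET ISAPI filter.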

Dominick Baier [DevelopMentor]

Hi,

i know that this was the original behavior - this vulnerability never existed
on Windows 2003/IIS6 because IIS sanitized the input...

i have to check that.

Richard Eke

Thanks for your reply.
I was surprised to get this report also - but I have verified that it does
indeed exist on this ASP.NET 2.0 web site hosted on a W2003 SP2 IIS server.

Let me know if you find anything.

Dominick Baier [DevelopMentor]

Hi,

unfortunately i cannot reproduce this behavior. can you give me more details
-

i get redirected to the login page - my directory structure

/UrlAuthBug
    default.aspx
    login.aspx
    /secure
        default.aspx

the /secure dir is protected with UrlAuthorization

if i try

http://localhost/UrlAuthBug/secure/default.aspx
-> redirect to login.aspx

http://localhost/UrlAuthBug\secure/default.aspx
-> also redirect

(i didn't use IE to try it - i used fiddler and firefox)

is something different in your setup??

Richard Eke

Dominick,

Thanks for looking at this.

We don't actually host this site - our clients employ another third party
for hosting. This Penetration Testing Report was also sent to them at the
same time.
Yesterday morning it still failed. Yesterday afternoon it now works
correctly.
I can only presume that the web hoster installed some hot fix / security fix
to the IIS server without telling us.
However, I can't see how this fixed the problem as this is within the
ASP.NET pipeline...

Thanks for looking anyway

Richard

Dominick Baier [DevelopMentor]
