MS05-004: Path vulnerability still present in ASP.NET 2.0

Discussion in 'ASP .Net Security' started by Richard Eke, Mar 6, 2006.

  1. Richard Eke

    Richard Eke Guest

    http://support.microsoft.com/kb/887219
    details a vulnerability for all ASP.NET web sites that use Forms
    Authentication. However, it only lists .NET 1.0 and 1.1

    Today I've received a report from a third party doing penetration testing on
    a web site we developed in ASP.NET 2.0 detailing this as a vulnerability.
    I've double checked and it indeed is. We have a common base class that
    simply throws a default error page if the user isn't authenticated so our app
    is OK but the report going to our clients doesn't look very good!

    I thought in ASP.NET 2.0 the fix for this problem was going to be 'baked-in'
    - it appears not.

    Are there any similar patches to those detailed in the security bulletin
    mentioned above?

    Thanks

    Richard
    --
    Richard Eke
    MCSD .NET
     
    Richard Eke, Mar 6, 2006
    #1

  2. Hi,

    can you give us more details...

    which OS? Details of the Exploit?

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Mar 6, 2006
    #2

  3. Richard Eke

    Richard Eke Guest

    The server O/S is W2003 SP2 (IIS 6.0)

    The exploit is:
    You have a sub-folder on your web site called something like 'Secure'. You
    use Forms Authentication to force authentication before any pages from this
    folder can be accessed.
    All is OK if the user accesses http://myserver/myapp/secure/mypage.aspx
    ASP.NET picks-up the authentication / authorization and re-directs.
    However, if you replace one of the slashes with its hex code %5C e.g.
    http://myserver/myapp\secure/mypage ASP.NET fails to recognise it should be
    secured and lets the user in.
    This is detailed in the KB article I mentioned in my original post.

    --
    Richard Eke
    MCSD .NET
     
    Richard Eke, Mar 6, 2006
    #3
  4. Hi,

    i know that this was the original behavior - this vulnerability never existed
    on Windows 2003/IIS6 because IIS sanitized the input...

    i have to check that.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Mar 6, 2006
    #4
  5. Richard Eke

    Richard Eke Guest

    Thanks for your reply.
    I was surprised to get this report also - but I have verified that it does
    indeed exist on this ASP.NET 2.0 web site hosted on a W2003 SP2 IIS server.

    Let me know if you find anything.
    --
    Richard Eke
    MCSD .NET
     
    Richard Eke, Mar 6, 2006
    #5
  6. Hi,

    unfortunately i cannot reproduce this behavior. can you give me more details
    -

    i get redirected to the login page - my directory structure

    /UrlAuthBug
    default.aspx
    login.aspx

    /secure
    default.aspx

    the /secure dir is protected with UrlAuthorization

    if i try

    http://localhost/UrlAuthBug/secure/default.aspx
    -> redirect to login.aspx

    http://localhost/UrlAuthBug\secure/default.aspx
    -> also redirect

    (i didn't use IE to try it - i used fiddler and firefox)

    is something different in your setup??

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Mar 7, 2006
    #6
  7. Richard Eke

    Richard Eke Guest

    Dominick,

    Thanks for looking at this.

    We don't actually host this site - our clients employ another third party
    for hosting. This Penetration Testing Report was also sent to them at the
    same time.
    Yesterday morning it still failed. Yesterday afternoon it now works
    correctly.
    I can only presume that the web hoster installed some hot fix/security fix
    to the IIS server without telling us.
    However, I can't see how this fixed the problem as this is within the
    ASP.NET pipeline...

    Thanks for looking anyway

    Richard
    --
    Richard Eke
    MCSD .NET
     
    Richard Eke, Mar 8, 2006
    #7
  8. hi,

    i still don't believe it is a vulnerability in ASP.NET/IIS6.

    The vulnerability was in the UrlAuthorization module. IIS6 never had this
    problem because it does some normalization of the request before it is handed
    over to ASP.NET
    IIS 5.x was vulnerable


    i wrote about that when it happened
    http://www.leastprivilege.com/EvenMoreResearchOnTheASPNETVulnerability.aspx
    http://www.leastprivilege.com/SeriousASPNETFormsAuthenticationVulnerability.aspx

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Mar 8, 2006
    #8
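
The mismatch discussed in this thread, modeled in Python as an added example (not code from the thread, the KB article, or ASP.NET itself): an authorization rule compared against the path as received misses the `%5C` form, while normalizing before the rule check closes the gap. The rule table, function names and sample requests are assumptions made for the sketch.

```python
import ntpath
from urllib.parse import unquote

# Assumed rule table for this sketch: folders that require a logged-in user.
PROTECTED_PREFIXES = ("/myapp/secure/",)


def windows_target(raw_path):
    """Independent model of where a Windows file system lands: '/' and '\\'
    both separate folders and names compare case-insensitively."""
    return ntpath.normcase(ntpath.normpath(unquote(raw_path)))


def lands_in_protected_folder(raw_path):
    target = windows_target(raw_path) + "\\"
    return any(target.startswith(ntpath.normcase(p)) for p in PROTECTED_PREFIXES)


def requires_login_naive(raw_path):
    """Flawed model: the rule is compared with the decoded path as received."""
    return unquote(raw_path).lower().startswith(PROTECTED_PREFIXES)


def canonical_path(raw_path):
    """Decode once, fold '\\' into '/', drop empty and '.' segments,
    resolve '..' and lower-case, so one resource has one spelling."""
    segments = []
    for seg in unquote(raw_path).replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg.lower())
    return "/" + "/".join(segments)


def requires_login_hardened(raw_path):
    """Normalize first, then apply the same rule table."""
    return (canonical_path(raw_path) + "/").startswith(PROTECTED_PREFIXES)


def exposed_requests(raw_paths, check):
    """Requests that reach a protected folder without `check` demanding a login."""
    return [p for p in raw_paths if lands_in_protected_folder(p) and not check(p)]


# Constructed sample requests, using the folder names from the thread.
SAMPLE_REQUESTS = [
    "/myapp/secure/mypage.aspx",
    "/myapp%5Csecure/mypage.aspx",
    "/myapp\\secure/mypage.aspx",
    "/myapp/default.aspx",
]

if __name__ == "__main__":
    print("naive:   ", exposed_requests(SAMPLE_REQUESTS, requires_login_naive))
    print("hardened:", exposed_requests(SAMPLE_REQUESTS, requires_login_hardened))
```

Running `exposed_requests` over a site's own protected URLs with both separator forms makes a quick regression check after a server or framework patch.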