ASP .NET
The key part of the advisory for me wasn't VIEWSTATE as much as it was the controls, but this statement you made seemed pretty outrageous (with regard to ASP.NET):
'These vulnerabilities show that unsigned client-side viewstates will ALWAYS result in a vulnerability in the affected products.'
I would disagree - it depends how the software developer implemented use of the VIEWSTATE's content. In ASP.NET, the interesting part here was that you appeared to be controlling an innerhtml property of a Form control through the VIEWSTATE. What your example didn't show, I'm assuming, is some code behind that pulled out the <IndexedString> and set the value in the form's innerHtml property/attribute. That's just dangerous coding, akin to trusting client-side input and no different than acting on client input that came from any method, form input, JSON, etc. Your repro was a bit confusing/misleading without that part. Otherwise, were you saying that some controls inherently populate their properties/attributes from VIEWSTATE content automagically?
There have been past discussions on VIEWSTATE's security:
Scott Mitchell documented tampering VIEWSTATE in a 2004 article:
http://msdn.microsoft.com/en-us/library/ms972976.aspx#viewstate_topic12
Rules' for common web application attacks like SQL Injection, Cross-Site Scripting etc.
It is possible to bypass the ModSecurity Core Rules due to the difference in behaviour of ModSecurity and ASP/ASP.NET applications in handling duplicate HTTP GET/POST/Cookie parameters. Using duplicate parameters has been termed HTTP Parameter Pollution by Luca Carettoni and Stefano Di Paola.
Hello Bugtraq!
I want to warn you about a security vulnerability in the Flash Tag Cloud control for ASP.NET.
-----------------------------
Advisory: Vulnerability in widget Flash Tag Cloud for Blogsa and other ASP.NET engines
-----------------------------
URL: http://websecurity.com.ua/4213/
management platform. It can be used to host web sites that access shared workspaces and documents, as well as specialized applications like wikis and blogs from a browser.
It was found that the download facility of Microsoft SharePoint Team Services can be abused to reveal the source code of ASP.NET files.
=================
Technical Details
=================
SharePoint Team Services stores a variety of files in its backend
Java
Apache Tomcat
Apache Geronimo
Jetty
Oracle Glassfish
ASP.NET
Python
Plone
CRuby 1.8, JRuby, Rubinius
v8
Vulnerability: Denial of Service through hash table
Credit: David Byrne of Trustwave's SpiderLabs
===============================================
Vendor: Microsoft (http://www.microsoft.com)
Product: ASP.Net (http://www.asp.net)
Versions affected: .Net 3.5 is confirmed vulnerable; previous versions are likely to be vulnerable as well.
Description:
ASP.Net is a web-application development framework that
From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Chris Weber
Sent: Thursday, February 11, 2010 3:43 PM
To: Trustwave Advisories; webappsec@lists.securityfocus.com; websecurity@webappsec.org; full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: [Full-disclosure] (resend) RE: [WEB SECURITY] Trustwave's SpiderLabs Security Advisory TWSL2010-001
###################################################################################
####################
1. Description:
####################
QuickerSite is a Content Management System for Windows Servers. It is written in ASP/VBScript with an optional pinch of ASP.NET for true image-resizing capabilities. QuickerSite ships with an Access database, with the option to upsize to SQL Server 2000/2005 for busy sites (>1000 visitors/day).
####################
2. Vulnerabilities:
####################
2.1. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can change admin password.
2.1.1. Exploit:
The IBM Web Application Firewall can be evaded, allowing an attacker to exploit web vulnerabilities that the product intends to protect. The issue occurs when an attacker submits repeated occurrences of the same parameter.
The example shown below uses the following environment:
A web environment using Microsoft IIS, ASP .NET technology, Microsoft SQL Server 2000, being protected by the IBM Web Application Firewall.
As expected, the following request will be identified and blocked (depending on configuration) by the IBM Web application firewall.
Release Date: 20-Dec-2010
Last Update: -
Vendor Notification Date: 22-Jan-2010
Product: Elcom Technology's CommunityManager.NET
Platform: IIS with ASP.NET
Affected versions: v6.7 verified and possibly others.
Severity Rating: High
Impact: Application "System" user access
Attack Vector: Remote without authentication
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2011-016: EMC SourceOne ASP.NET application tracing information disclosure vulnerability.
EMC Identifier: ESA-2011-016
CVE Identifier: CVE-2011-1424
Severity Rating: CVSS v2 Base Score: 6.8 (AV:N/AC:L/Au:S/C:C/I:N/A:N)
===========================================================
1. Summary
===========================================================
DotNetNuke (DNN) is an open-source Web Application Framework used to create and deploy websites. The default web.config files distributed with DNN include an embedded Machine Key value (both ValidationKey and DecryptionKey). Under certain circumstances these values may not be updated during the installation/upgrade process, resulting in the ability for an attacker to forge arbitrary ASP.NET forms authentication tickets that can then be used to circumvent all security within a DNN installation. This issue was confirmed to affect the production instance of DNN used on the DNN Homepage (www.dotnetnuke.com).
The vendor (DotNetNuke Corporation) was notified of this issue on March 3, 2008. The vendor responded by releasing version 4.8.2 on March 19, 2008 and has also issued a security bulletin (http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspx).
===========================================================
by: S. Streichsbier / SEC Consult / www.sec-consult.com
=======================================================================
Vendor description:
-------------------
I-Load is an ASP.NET component explicitly created to manage image uploading within ASP.NET applications. Unlike other image manipulation libraries, I-Load uses a sophisticated graphical interface which allows the uploading, resizing, cropping and rotating of photos.
source: http://i-load.radactive.com/en/documentation/
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest setting. ValidateRequest has been a feature of ASP.NET since version 1.1. This feature consists of a series of filters, designed to prevent classic web input validation attacks such as HTML injection and XSS (Cross-site Scripting). This paper introduces script injection payloads that bypass ASP .NET web validation filters and also details the trial-and-error procedure that was followed to reverse-engineer such filters by analyzing .NET debug errors.
> wrong?
>
> 2008/8/22 ProCheckUp Research <research@procheckup.com>:
> The Microsoft .NET framework comes with a request validation feature,
> configurable by the ValidateRequest setting. ValidateRequest has been a
> feature of ASP.NET since version 1.1. This feature consists of a series
> of filters, designed to prevent classic web input validation attacks
> such as HTML injection and XSS (Cross-site Scripting). This paper
> introduces script injection payloads that bypass ASP .NET web validation
> filters and also details the trial-and-error procedure that was followed
> to reverse-engineer such filters by analyzing .NET debug errors.
(From http://nomoreroot.blogspot.com/2008/10/windows-2003-poc-exploit-for-token.html)
It has been a long time since the Token Kidnapping presentation (http://www.argeniss.com/research/TokenKidnapping.pdf) was published, so I decided to release a PoC exploit for Win2k3 that allows executing code under the SYSTEM account.
Basically, if you can run code under any service in Win2k3 then you can own Windows; this is because Windows service accounts can impersonate.
Other processes (not services) that can impersonate are IIS 6 worker processes, so if you can run code from an ASP .NET or classic ASP web application then you can own Windows too. If you provide shared hosting services then I would recommend not allowing users to run this kind of code from ASP.
-SQL Server is a nice target for the exploit if you are a DBA and want to own Windows:
exec xp_cmdshell 'churrasco "net user /add hacker"'
R7-0036: FCKEditor.NET File Upload Code Execution
August 30, 2010
-- Vulnerability Details:
FCKEditor contains a file renaming bug that allows remote code execution. Specifically, it is possible to upload ASP code via the ASP.NET connector in FCKEditor. The vulnerability requires that the remote server be running IIS. This vulnerability has been confirmed on FCKEditor 2.5.1 and 2.6.6.
CVSS Vector: AV:R/AC:L/Au:NR/C:C/I:C/A:C
Browse to http://<ip>fckeditor/editor/filemanager/connectors/test.html and choose the ASP.NET connector. By uploading a file with the same name as an existing file, that includes an underscore followed by a dot, it is possible to bypass the file renaming mitigation in place. For instance, when uploading a file twice with the name:
_action = '/accounts/AccountActions.asp?ActionType=AddUser'
_forumdir = '\\forum|1'
frmPermission.action = frmPermission.URL.value + _action
frmPermission.Dirroot.value = frmPermission.hcpath.value + _forumdir
if(frmPermission.NewName.value.length>20){
alert('Enter a username less than 20 char like ASPNET');
frmPermission.NewName.focus();
return false;
}else return true;
}
</script>
Bugtraq ID: N/A
Category: Cross Site Scripting
Language: ASP.NET (C#)
Description: Armorize-ADV-2008-0001 discloses multiple cross-site scripting vulnerabilities found in World Recipe, an ASP.NET 2.0 C# application backed by a SQL database with stored procedures, used to store and display recipes in a wide variety of categories.
Discussion: World Recipe is vulnerable to cross-site scripting because it fails to properly sanitize user-supplied input. Exploiting this vulnerability may allow an attacker to make targeted users execute arbitrary scripts in the context of the affected website. As a result, the attacker may be able to steal authentication credentials such as cookies, alter the integrity of the visited page, and launch other attacks such as phishing and forced redirects.
> > Security Accounts Manager (SAM) that enable an attacker to create a
> > hidden administrative backdoor account for continued access once a
> > system has been compromised. Once an attacker has compromised a
> > Microsoft Windows computer system using any method, they can either
> > leave behind a regular user or hijack a known user account (Such as
> > ASPNET). This user account will now have all of the rights of the
> > built-in local administrator account from local or remote connections.
> > The user will also share the Administrator's desktop and profile. When
> > inspected by system administrators, the regular user always looks like
> > it is just part of the built-in user's group. The attacker can also
> > make the regular user account hard to detect by creating a user with
CodeScan Labs is a specialist security research and development organisation that has developed the cornerstone application, CodeScan. CodeScan Labs helps organisations secure their web services through the automated scanning of web application source code for security vulnerabilities. The CodeScan product is currently available for ASP, ASP.NET and PHP.
CodeScan Labs operates with Responsible Disclosure. As a result, any published advisories will contain information around problems identified by CodeScan that have been resolved by the vendor. Additional code problems which may be identified by CodeScan or its staff which are
Connection: close
Expires: 0
Date: Wed, 12 Dec 2007 17:32:08 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-control: no-cache,max-age=0,must-revalidate
<HTML>
####################
1. Description:
####################
Ferdows CMS is a complete, fully featured CMS written in ASP.NET, using AJAX technology with MSSQL, and has become a powerful CMS with plenty of strong modules.
This CMS is not open-source and is used privately by the author company for designing their customers' websites.
I. ABOUT THE APPLICATION
________________________
A web-based bug or issue tracker written using ASP.NET, C#, and SQL Server (SQL Server Express too). Probably has all the features you need. Easy to set up. Power and flexibility when you need it. Learn more at http://ifdefined.com/bugtrackernet.html
####################
- Description:
####################
Blaze Apps is an ASP .NET 2 Content Management System. It uses VB and C# as backend languages and uses Microsoft SQL Server as its DBMS.
####################
- Vulnerability: