
UNIRAS Briefing - 553/2004 - Canonicalisation issue in ASP.NET



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                                  UNIRAS (UK Gov CERT)
                                Advisory Type: Briefing

Id: 20041008-00754               Ref: 553/2004             Date: 08 October 2004   Time: 16:01
- ------------------------------------------------------------------------------------------
Title: Canonicalisation issue in ASP.NET
Abstract: An exploit has been recently disclosed for Microsoft IIS servers with
ASP.NET enabled.  By sending a specially crafted URL, application level
authentication can be bypassed, potentially exposing sensitive information
and programs.
Comment: Microsoft have released an email alert on this issue with a subject of
         "Alert - ASP.NET Security Issue and Guidance", which, due to the
         appearance of some of its links and header information, may appear to
         be unauthentic.  Microsoft have confirmed that this email is authentic,
         and that discrepancies in the email are due to their third-party email
         service.

- ------------------------------------------------------------------------------------------
- ------------------------------------------------------------------------------------------
 
Title
=====

Canonicalisation issue in ASP.NET

Detail
====== 

An exploit has been recently disclosed for Microsoft IIS servers with
ASP.NET enabled.  By sending a specially crafted URL, application level
authentication can be bypassed, potentially exposing sensitive information
and programs.



                     Canonicalisation issue in ASP.NET
                              8 October 2004


Product:                Microsoft IIS web server with ASP.NET
Operating System:       Windows
Impact:                 Access Confidential Data
                        Inappropriate Access
Access:                 Remote/Unauthenticated

Comment: Microsoft have released an email alert on this issue with a subject of
         "Alert - ASP.NET Security Issue and Guidance", which, due to the
         appearance of some of its links and header information, may appear to
         be unauthentic.  Microsoft have confirmed that this email is authentic,
         and that discrepancies in the email are due to their third-party email
         service.

- - - --------------------------BEGIN INCLUDED TEXT--------------------

PROBLEM:

	An exploit has been recently disclosed for Microsoft IIS servers with 
	ASP.NET enabled.  By sending a specially crafted URL, application level
	authentication can be bypassed, potentially exposing sensitive
	information and programs.

	Web applications in ASP.NET may use a web.config file to control
	authentication mechanisms, scoped to a protected path.  If a website
	visitor uses a backslash character in a URL string in place of an
	expected forward slash, the request path no longer matches the
	protected path and these authentication mechanisms are not applied;
	the path is nevertheless canonicalised when it is mapped to the file
	system, so the protected page is served and access is granted to
	underlying components that should be secured.  Please note that
	Internet Explorer automatically converts backslashes to forward
	slashes, but the hex-encoded value of a backslash (%5C) can be
	substituted to successfully run this exploit, because the web server
	decodes it before the path is checked.

VERSIONS:

	All Windows servers running IIS with ASP.NET are potentially
	vulnerable.  Anecdotal evidence suggests that Windows Server 2003 may
	not be vulnerable, but this has not been verified by AusCERT.

IMPACT:

	ASP.NET application authentication mechanisms are bypassed and access
	may be granted to underlying components and data that should be 
	secured.

MITIGATION:

	An official mitigation method is yet to be announced, but the 
	following techniques have been suggested by Microsoft and others.
	Microsoft will be updating information on their website [1] about
	mitigating this vulnerability as information becomes available.

	1. Install the Microsoft HTTP module to check for canonicalization 
	   issues.  Instructions and downloads are available from the
	   Microsoft website [2].

	2. Install URLScan to block incoming URLs with backslash characters.
	   URLScan rejects any request whose (decoded) URL contains a sequence
	   listed under [DenyUrlSequences] in urlscan.ini, so the backslash
	   must be listed there.  Note that URLScan configuration should be
	   tested before deploying to a production environment; otherwise,
	   unexpected filtering behaviour may occur.  URLScan can be downloaded
	   from the Microsoft website [3].

	Please note that AusCERT has not verified or tested either of these 
	techniques - it is recommended that sites test their configurations to
	check for their exposure to this vulnerability before and after
	applying fixes.

	Due to the ease of execution of this exploit and potential
	consequences, it is recommended that IIS server operators undertake
	immediate preventative action against this flaw.  AusCERT will
	continue to monitor the situation and will release updates as
	appropriate.
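
	The following Python model illustrates both the PROBLEM section above
	(why a backslash in place of a forward slash is not caught by the
	authentication check yet still reaches the protected file) and the
	request-level canonicalisation check of mitigation 1.  It is an added
	illustration, not code from this advisory, from AusCERT, from Microsoft
	or from ASP.NET itself; the site root C:\inetpub\wwwroot, the protected
	folder "secure", the request URLs and the simplified authorisation and
	path-mapping functions are all assumptions constructed for the example.

```python
"""
Model of the backslash canonicalisation bypass and of a request-level
check that closes it.

Added illustration, not code from the advisory, from AusCERT, from Microsoft
or from ASP.NET.  The site root, the protected folder name and the request
URLs are constructed for the example; the authorisation and path-mapping
functions are deliberately simplified models of the two components whose
views of the request path disagree.
"""
import ntpath                       # Windows path rules, usable on any host
from urllib.parse import unquote

WEB_ROOT = r"C:\inetpub\wwwroot"    # assumed IIS site root
PROTECTED = "secure"                # assumed protected folder in web.config


def decode_request_path(raw_url: str) -> str:
    """IIS percent-decodes the request path before the application sees it,
    so the hex-encoded form /secure%5Cpage.aspx arrives as /secure\\page.aspx.
    This is how the exploit gets past a browser that rewrites '\\' to '/'."""
    return unquote(raw_url)


def requires_auth_vulnerable(request_path: str) -> bool:
    """Simplified model of authentication scoped to the 'secure' folder:
    the decision is keyed on the virtual path split at '/' only.  A backslash
    is an ordinary character inside the first segment, so '/secure\\page.aspx'
    is not recognised as living under 'secure'."""
    first_segment = request_path.lstrip("/").split("/")[0]
    return first_segment.lower() == PROTECTED


def map_physical_path(request_path: str) -> str:
    """The page handler maps the virtual path onto the file system by turning
    '/' into '\\' and joining to the site root.  It accepts either separator,
    so the bypass URL and the legitimate URL land on the same file."""
    relative = request_path.lstrip("/").replace("/", "\\")
    return ntpath.join(WEB_ROOT, relative)


def request_is_canonical(request_path: str) -> bool:
    """Check of the shape performed by a canonicalisation HTTP module: refuse
    any request whose path contains a backslash, or whose physical path is not
    already in canonical form (ntpath.normpath stands in for the framework's
    full-path resolution).  Returns True when the request is acceptable."""
    if "\\" in request_path:
        return False
    physical = map_physical_path(request_path)
    return ntpath.normpath(physical) == physical


def serve(raw_url: str, authenticated: bool, hardened: bool) -> str:
    """Walk one request through the modelled pipeline and report the outcome."""
    path = decode_request_path(raw_url)
    if hardened and not request_is_canonical(path):
        return "404 Not Found"
    if requires_auth_vulnerable(path) and not authenticated:
        return "302 redirect to login"
    return "200 serve " + map_physical_path(path)


if __name__ == "__main__":
    # Constructed requests from an unauthenticated visitor.
    for url in ("/secure/page.aspx", "/secure\\page.aspx", "/secure%5Cpage.aspx"):
        print(f"{url:<22} unpatched: {serve(url, False, False):<45} "
              f"hardened: {serve(url, False, True)}")
```

	Run as-is, the unpatched model redirects the forward-slash URL to the
	login page but serves the protected file for both the literal and the
	%5C-encoded backslash forms; with the canonicalisation check in front
	of authentication, both bypass forms are rejected with 404 while the
	legitimate URL is still handled by the authentication rule.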

REFERENCES:

	[1] http://www.microsoft.com/security/incident/aspnet.mspx
	[2] http://support.microsoft.com/?kbid=887289
	[3] http://www.microsoft.com/technet/security/tools/urlscan.mspx


- - - --------------------------END INCLUDED TEXT--------------------
- - ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- - ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Microsoft for the information 
contained in this Briefing. 
- - ----------------------------------------------------------------------------------


- ----------------------------------------------------------------------------------
Acknowledgements

UNIRAS wishes to acknowledge the contributions of AusCERT for the information
contained in this Briefing.
- ----------------------------------------------------------------------------------
Digital Signature

This advisory has been digitally signed by GnuPG so that its readership
is able to confirm its integrity. The NISCC Public key is available
from http://www.niscc.gov.uk/niscc/faq-en.html.

NB: This is currently the sole purpose for this particular key, if you
need to send Not Protectively Marked or sensitive material to UNIRAS then
its PGP Public Key should be used and this is also available from
http://www.niscc.gov.uk/niscc/faq-en.html.
- ----------------------------------------------------------------------------------
Updates

This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.
- ----------------------------------------------------------------------------------
Legal Disclaimer

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC accepts responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.
- ----------------------------------------------------------------------------------
FIRST

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large.
- ----------------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFBZqxzu3T4tp2zMUkRAs3WAJ9zeV1qDJiwHNMLYdTm4MMtnM4wvgCbBkHm
IxMMapL1za4T+w8pRtfprog=
=CcAh
-----END PGP SIGNATURE-----