login      my ps      about      contact  



home instructor-led training online training blogs


Security Briefs » UrlAuthorization vulnerability in ASP.NET

UrlAuthorization vulnerability in ASP.NET

Heads up, this is serious.

If you are relying on <authorization> sections in subdirectories (or via <location> in your web.config files), you should be aware of a canonicalization bug in ASP.NET that can allow an attacker to slip past the UrlAuthorizationModule by using a backslash instead of a forward slash. For example, an (unauthorized) attacker might be able to get to a secured directory as follows (note the backslash between “bar“ and “secure“ in the sample URL below):

http://quux.com/foo/bar\secure/securedPage.aspx

Microsoft has posted an article detailing steps that you can take to protect yourself in the meantime, while they work on a patch.

I worked with dominick on this one to see if we could reproduce it. I wasn't able to repro on W2K3 (apparently the built-in URLScan capability is fixing the URL before it gets to ASP.NET). Dominick was able to repro on earlier platforms.

Posted Oct 06 2004, 01:02 PM by keith-brown
Filed under: ,

Comments

Girish wrote re: UrlAuthorization vulnerability in ASP.NET
on 10-06-2004 1:56 PM
If one is already using URLScan tool(because of IIS Lockdown wizard), this is not a problem. Correct? [I have tested this yet, though].
Keith Brown wrote re: UrlAuthorization vulnerability in ASP.NET
on 10-06-2004 2:07 PM
That's my understanding, yes. I believe that's why I couldn't repro this on W2K3 (which has much URLScan functionality built right in).

But what worries me is that the MS response says W2K3 is vulnerable, and does NOT mention URLScan.
stefan demetz wrote re: UrlAuthorization vulnerability in ASP.NET
on 10-07-2004 2:06 AM
the vulnerability is on IIS 5 without URLSCAN or with a misconfigured URLSCAN
IIS 6 already incorporates most settings of URLSCAN

http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/10/02/27441.aspx
Dino Esposito's WebLog wrote ASP.NET Vulnerability: Where's Exactly?
on 10-07-2004 2:55 AM
Richard Dudley wrote re: UrlAuthorization vulnerability in ASP.NET
on 10-07-2004 5:21 AM
IIS 5 + URLScan is catching and rejecting the malformed URLs.
http://dotnetjunkies.com/WebLog/richard.dudley/archive/2004/10/06/27788.aspx

Link in comments to more tests with with IIS 6 from Bernard Cheah.
Heybo Blog wrote UrlAuthorization vulnerability in ASP.NET
on 10-07-2004 5:47 AM
Scott Galloway's Personal Blog wrote The ASP.NET vulnerability...not!
on 10-07-2004 11:34 AM
Scott Galloway's Personal Blog wrote The ASP.NET vulnerability...not!
on 10-07-2004 6:47 PM
William D. Bartholomew wrote re: UrlAuthorization vulnerability in ASP.NET
on 10-08-2004 3:29 AM
I have only been able to reproduce this on boxes not running URLScan (tested against Windows 2000 and Windows XP).
Bernard Cheah wrote re: UrlAuthorization vulnerability in ASP.NET
on 10-08-2004 5:48 PM
One important point to take note is that - the exploit is at asp.net filter level (IMHO) and not the IIS server itself. The workarounds by MS are just 'prevention' or 'protection', it's far from FIXing the 'hole'. Hence with urlscan or IIS6 (without urlscan), I strongly urged you guys to apply the MSI package. and hope MS come out a real fix soon, as you never know other types of 'malform' url request may actually skip through those checking ... I don't know what type of malform requests it will be, but the bad guys will figure out soon :) for IIS 6 test result, you can view it at my blog.

Cheers.
Keith Brown wrote re: UrlAuthorization vulnerability in ASP.NET
on 10-08-2004 9:25 PM
Good point, Bernard. This bug appears to have NOTHING to do with IIS. If you're running ASP.NET applications, you need to fix them NOW.
KingDooy wrote re: UrlAuthorization vulnerability in ASP.NET
on 10-09-2004 2:53 PM
I've been installing the vpmodule.msi in our testing environment to prevent this issue
and have yet to see that it is adding the 'microsoft.web.validatepathmodule.dll' to the systems and it definitely is not updating the GAC. The package is updating the machine.config, but nothing more. I've been able to duplicate this on WinXP/IIS 5.1/.NET FW v1.1SP1 and Win2003/IIS6/.NET FWv1.1 SP1. It states it installs successfully every time though.

If I go do the manual steps outlined in KB 887459, then the dll is present and the GAC gets updated.

Am I missing something or is this MSI package not working correctly?
Brent Holliman (aka dirtyb) wrote Security Vulnerability in ASP.NET
on 02-16-2005 8:03 PM

Add a Comment

(required)  
(optional)
(required)  
Remember Me?


home instructor-led training online training blogs

781.749.9238 (East Coast) | 310.251.9901 (West Coast) | Pluralsight, LLC , 185 Lincoln St., Suite 305, Hingham, MA 02043-1741

Copyright © 2008 Pluralsight LLC. All rights reserved.

designed by nukeation