[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-MICROSOFT-XSS-ELEVATION-OF-PRIVILEGE.txt



Vendor:
==================
www.microsoft.com



Product:
===========================
Microsoft .NET Framework


Vulnerability Type:
============================
XSS / Elevation of Privilege


CVE Reference:
==============
CVE-2015-6099



Vulnerability Details:
======================

Microsoft .NET Framework is prone to a cross-site scripting vulnerability
because it fails
to properly sanitize user-supplied input. An attacker may leverage this
issue to execute arbitrary
script code in the browser of an unsuspecting user in the context of the
affected site. This may
allow the attacker to steal cookie-based authentication credentials and
launch other attacks.

.NET Elevation of Privilege Vulnerability - CVE-2015-6099

An elevation of privilege vulnerability exists when ASP.NET improperly
validates values in HTTP requests,
exposing users to a potential cross-site scripting (XSS) attack. An
attacker who successfully exploited the
vulnerability could leverage a vulnerable website to inject client-side
script into a user’s browser and
ultimately modify or spoof content, conduct phishing activities, disclose
information, or perform any action on
the vulnerable website that the target user has permission to perform. To
exploit this vulnerability, user interaction
is required. In a web-browsing scenario a user would have to navigate to a
compromised website.

In an email attack scenario an attacker would have to convince a user who
is logged on to a vulnerable server to
click a specially crafted link in an email. The update addresses the
vulnerability by modifying how ASP.NET validates
the value of an HTTP request.

Microsoft received information about the vulnerability through coordinated
vulnerability disclosure. At the time this security
bulletin was originally issued, Microsoft was unaware of any attack
attempting to exploit this vulnerability.

Microsoft has not identified any mitigating factors for this vulnerability.
Microsoft has not identified any workarounds for this vulnerability.

The following workarounds may be helpful in your situation:

Remove requestPathInvalidCharacters key from web.config
In order to work around this issue, administrators can remove the
<httpRuntime requestPathInvalidCharacters="" />
non-default setting from web.config, or at least include “:” in the
requestPathInvalidCharacters setting.

How to undo the workaround:
Restore the previously removed <httpRuntime requestPathInvalidCharacters=""
/> line.


https://technet.microsoft.com/library/security/MS15-118
http://www.symantec.com/security_response/vulnerability.jsp?bid=77479&om_rssid=sr-advisories
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6099



Disclosure Timeline:
========================================
Vendor Notification: August 15, 2015
November 10, 2015  : Public Disclosure




Exploitation Technique:
=======================
Remote



Severity Level:
===============
High



Description:
================================================

Request Method(s):              [+]  GET / POST


Vulnerable Product versions:

Microsoft .NET Framework 4.0
Microsoft .NET Framework 4.5
Microsoft .NET Framework 4.5.1
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6
Microsoft Windows 10 for 32-bit Systems
Microsoft Windows 10 for x64-based Systems
Microsoft Windows 10 version 1511 for 32-bit Systems
Microsoft Windows 10 version 1511 for x64-based Systems
Microsoft Windows 7 for 32-bit Systems SP1
Microsoft Windows 7 for x64-based Systems SP1
Microsoft Windows 8 for x64-based Systems
Microsoft Windows 8.1 for 32-bit Systems
Microsoft Windows 8.1 for x64-based Systems
Microsoft Windows RT
Microsoft Windows RT 8.1
Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
Microsoft Windows Server 2008 R2 for x64-based Systems SP1
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows Vista SP2
Microsoft Windows Vista x64 Edition SP2


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx