what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft ASP.NET Forms Authentication Bypass

Microsoft ASP.NET Forms Authentication Bypass
Posted Dec 30, 2011
Authored by K. Gudinavicius | Site sec-consult.com

Microsoft ASP.NET Forms suffers from a null byte termination authentication bypass vulnerability that exists in the CopyStringToUnAlingnedBuffer() function of the webengine4.dll library used by the .NET framework. The unicode string length is determined using the lstrlenW function. The lstrlenW function returns the length of the string, in characters not including the terminating null character. If the unicode string containing a null byte is passed, its length is incorrectly calculated, so only characters before the null byte are copied into the buffer.

tags | advisory, asp, bypass
advisories | CVE-2011-3416
SHA-256 | 294ae2596a2c31be82519bf63b2272b2e6a249e186db2e1ca5fab9dfb9f605e6

Microsoft ASP.NET Forms Authentication Bypass

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20111230-0 >
=======================================================================
title: Microsoft ASP.NET Forms Authentication Bypass
product: Microsoft .NET Framework
vulnerable version: Microsoft .NET Framework Version:4.0.30319;
ASP.NET Version:4.0.30319.237 and below
fixed version: MS11-100
CVE: CVE-2011-3416
impact: critical
homepage: http://www.microsoft.com/net
found: 2011-10-02
by: K. Gudinavicius / SEC Consult Vulnerability Lab
m. / SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
".NET is an integral part of many applications running on Windows and
provides common functionality for those applications to run. This
download is for people who need .NET to run an application on their
computer. For developers, the .NET Framework provides a comprehensive
and consistent programming model for building applications that have
visually stunning user experiences and seamless and secure
communication."

Source: http://www.microsoft.com/net



Vulnerability overview/description:
-----------------------------------
The null byte termination vulnerability exists in the
CopyStringToUnAlingnedBuffer() function of the webengine4.dll library
used by the .NET framework. The unicode string length is determined
using the lstrlenW function. The lstrlenW function returns the length
of the string, in characters not including the terminating null
character. If the unicode string containing a null byte is passed, its
length is incorrectly calculated, so only characters before the null
byte are copied into the buffer.

This vulnerability can be leveraged into an authentication bypass
vulnerability. Microsoft ASP.NET membership system depends on the
FormsAuthentication.SetAuthCookie(username, false) method for certain
functionality. By exploiting this vulnerability an attacker is able to
log on as a different existing user with all the privileges of the
targeted user (e.g. admin).



Proof of concept:
-----------------

Detailed exploit information and source code references have been
removed from this advisory.

An attacker is able to bypass authentication in certain functionality
using null bytes and log on as another user, e.g. admin.


Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in Microsoft .NET Framework
Version:4.0.30319; ASP.NET Version:4.0.30319.237, which was the most
recent version at the time of discovery.

More information regarding affected versions is available within the
advisory of Microsoft:
http://technet.microsoft.com/en-us/security/bulletin/ms11-100


Vendor contact timeline:
------------------------
2011-10-07: Contacted vendor through secure@microsoft.com
2011-10-07: Vendor response, MSRC 11838
2011-10-14: Contacted MSRC asking for status
2011-10-15: Answer from case manager: the vulnerability will be
addressed through a security bulletin, a timeframe is
unknown.
2011-11-23: Contacted MSRC asking for status
2011-11-23: Answer from case manager: a release date of update is
unknown, best guess would be a month before or after the
March (2012) update cycle
2011-12-29: Microsoft publishes out-of-band security patch MS11-100
which also addresses this vulnerability
2011-12-30: SEC Consult releases redacted version of advisory due to
criticality of this issue

SEC Consult will release a more detailed advisory at a later date.



Solution:
---------
Immediately apply the MS11-100 patch:
http://technet.microsoft.com/en-us/security/bulletin/ms11-100


Workaround:
-----------
In .NET 4.0 the vulnerability can be mitigated by setting the
ticketCompatibilityMode attribute in the application or global
web.config file like this:

<system.web>
<authentication mode="Forms">
<forms ticketCompatibilityMode="Framework40" />
</authentication>
</system.web>



Advisory URL:
-------------
https://www.sec-consult.com/en/advisories.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com

EOF K. Gudinavicius, J. Greil / @2011

Login or Register to add favorites

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    8 Files
  • 6
    Jul 6th
    8 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close