what you don't know can hurt you

Microsoft .NET Framework XSS / Privilege Escalation

Microsoft .NET Framework XSS / Privilege Escalation
Posted Nov 11, 2015
Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

Microsoft .NET Framework suffers from cross site scripting and elevation of privilege vulnerabilities.

tags | advisory, vulnerability, xss
advisories | CVE-2015-6099
MD5 | 0bbe34eb2e8be663cc027898028fdf22

Microsoft .NET Framework XSS / Privilege Escalation

Change Mirror Download
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-MICROSOFT-XSS-ELEVATION-OF-PRIVILEGE.txt



Vendor:
==================
www.microsoft.com



Product:
===========================
Microsoft .NET Framework


Vulnerability Type:
============================
XSS / Elevation of Privilege


CVE Reference:
==============
CVE-2015-6099



Vulnerability Details:
======================

Microsoft .NET Framework is prone to a cross-site scripting vulnerability
because it fails
to properly sanitize user-supplied input. An attacker may leverage this
issue to execute arbitrary
script code in the browser of an unsuspecting user in the context of the
affected site. This may
allow the attacker to steal cookie-based authentication credentials and
launch other attacks.

.NET Elevation of Privilege Vulnerability - CVE-2015-6099

An elevation of privilege vulnerability exists when ASP.NET improperly
validates values in HTTP requests,
exposing users to a potential cross-site scripting (XSS) attack. An
attacker who successfully exploited the
vulnerability could leverage a vulnerable website to inject client-side
script into a user’s browser and
ultimately modify or spoof content, conduct phishing activities, disclose
information, or perform any action on
the vulnerable website that the target user has permission to perform. To
exploit this vulnerability, user interaction
is required. In a web-browsing scenario a user would have to navigate to a
compromised website.

In an email attack scenario an attacker would have to convince a user who
is logged on to a vulnerable server to
click a specially crafted link in an email. The update addresses the
vulnerability by modifying how ASP.NET validates
the value of an HTTP request.

Microsoft received information about the vulnerability through coordinated
vulnerability disclosure. At the time this security
bulletin was originally issued, Microsoft was unaware of any attack
attempting to exploit this vulnerability.

Microsoft has not identified any mitigating factors for this vulnerability.
Microsoft has not identified any workarounds for this vulnerability.

The following workarounds may be helpful in your situation:

Remove requestPathInvalidCharacters key from web.config
In order to work around this issue, administrators can remove the
<httpRuntime requestPathInvalidCharacters="" />
non-default setting from web.config, or at least include “:” in the
requestPathInvalidCharacters setting.

How to undo the workaround:
Restore the previously removed <httpRuntime requestPathInvalidCharacters=""
/> line.


https://technet.microsoft.com/library/security/MS15-118
http://www.symantec.com/security_response/vulnerability.jsp?bid=77479&om_rssid=sr-advisories
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6099



Disclosure Timeline:
========================================
Vendor Notification: August 15, 2015
November 10, 2015 : Public Disclosure




Exploitation Technique:
=======================
Remote



Severity Level:
===============
High



Description:
================================================

Request Method(s): [+] GET / POST


Vulnerable Product versions:

Microsoft .NET Framework 4.0
Microsoft .NET Framework 4.5
Microsoft .NET Framework 4.5.1
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6
Microsoft Windows 10 for 32-bit Systems
Microsoft Windows 10 for x64-based Systems
Microsoft Windows 10 version 1511 for 32-bit Systems
Microsoft Windows 10 version 1511 for x64-based Systems
Microsoft Windows 7 for 32-bit Systems SP1
Microsoft Windows 7 for x64-based Systems SP1
Microsoft Windows 8 for x64-based Systems
Microsoft Windows 8.1 for 32-bit Systems
Microsoft Windows 8.1 for x64-based Systems
Microsoft Windows RT
Microsoft Windows RT 8.1
Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
Microsoft Windows Server 2008 R2 for x64-based Systems SP1
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows Vista SP2
Microsoft Windows Vista x64 Edition SP2


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    1 Files
  • 17
    Jan 17th
    2 Files
  • 18
    Jan 18th
    20 Files
  • 19
    Jan 19th
    32 Files
  • 20
    Jan 20th
    15 Files
  • 21
    Jan 21st
    10 Files
  • 22
    Jan 22nd
    16 Files
  • 23
    Jan 23rd
    1 Files
  • 24
    Jan 24th
    1 Files
  • 25
    Jan 25th
    36 Files
  • 26
    Jan 26th
    26 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close