SEC Consult Vulnerability Lab Security Advisory < 20111230-0 > ======================================================================= title: Microsoft ASP.NET Forms Authentication Bypass product: Microsoft .NET Framework vulnerable version: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.237 and below fixed version: MS11-100 CVE: CVE-2011-3416 impact: critical homepage: http://www.microsoft.com/net found: 2011-10-02 by: K. Gudinavicius / SEC Consult Vulnerability Lab m. / SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor description: ------------------- ".NET is an integral part of many applications running on Windows and provides common functionality for those applications to run. This download is for people who need .NET to run an application on their computer. For developers, the .NET Framework provides a comprehensive and consistent programming model for building applications that have visually stunning user experiences and seamless and secure communication." Source: http://www.microsoft.com/net Vulnerability overview/description: ----------------------------------- The null byte termination vulnerability exists in the CopyStringToUnAlingnedBuffer() function of the webengine4.dll library used by the .NET framework. The unicode string length is determined using the lstrlenW function. The lstrlenW function returns the length of the string, in characters not including the terminating null character. If the unicode string containing a null byte is passed, its length is incorrectly calculated, so only characters before the null byte are copied into the buffer. This vulnerability can be leveraged into an authentication bypass vulnerability. Microsoft ASP.NET membership system depends on the FormsAuthentication.SetAuthCookie(username, false) method for certain functionality. By exploiting this vulnerability an attacker is able to log on as a different existing user with all the privileges of the targeted user (e.g. admin). Proof of concept: ----------------- Detailed exploit information and source code references have been removed from this advisory. An attacker is able to bypass authentication in certain functionality using null bytes and log on as another user, e.g. admin. Vulnerable / tested versions: ----------------------------- The vulnerability has been verified to exist in Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.237, which was the most recent version at the time of discovery. More information regarding affected versions is available within the advisory of Microsoft: http://technet.microsoft.com/en-us/security/bulletin/ms11-100 Vendor contact timeline: ------------------------ 2011-10-07: Contacted vendor through secure@microsoft.com 2011-10-07: Vendor response, MSRC 11838 2011-10-14: Contacted MSRC asking for status 2011-10-15: Answer from case manager: the vulnerability will be addressed through a security bulletin, a timeframe is unknown. 2011-11-23: Contacted MSRC asking for status 2011-11-23: Answer from case manager: a release date of update is unknown, best guess would be a month before or after the March (2012) update cycle 2011-12-29: Microsoft publishes out-of-band security patch MS11-100 which also addresses this vulnerability 2011-12-30: SEC Consult releases redacted version of advisory due to criticality of this issue SEC Consult will release a more detailed advisory at a later date. Solution: --------- Immediately apply the MS11-100 patch: http://technet.microsoft.com/en-us/security/bulletin/ms11-100 Workaround: ----------- In .NET 4.0 the vulnerability can be mitigated by setting the ticketCompatibilityMode attribute in the application or global web.config file like this: Advisory URL: ------------- https://www.sec-consult.com/en/advisories.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Mooslackengasse 17 A-1190 Vienna Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com https://www.sec-consult.com EOF K. Gudinavicius, J. Greil / @2011 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/