Microsoft ASP.NET vulnerability, URL obfuscation, more MD5
Microsoft ASP.NET vulnerability (updated Oct. 7th)
Microsoft announced a possible vulnerability in ASP.NET ( http://www.microsoft.com/security/incident/aspnet.mspx ). There are not much details so far, but it refers to the "canonicalization" functionality and suggest to implement then hardening measures outlined in KB887459 ( http://support.microsoft.com/?kbid=887459 ).
It appears that a particularly crafted request may confuse ASP.Net and allow access to otherwise protected directories.
If a web server receives a request for a particular URL (e.g. _http://server/somedirectory/filename), the 'somedirectory/filename' part has to be mapped to a particular file located on the server. This translation has been the source of many "directory traversal" bugs. The IIS unicode exploit is probably the most famous one.
After our original posting of this diary, a few users pointed to the following articles which provide more details then provided by Microsoft's advisory:
(Thanks to Chaouki & Daniel)
http://www.heise.de/security/news/meldung/51730 (german)
http://www.derkeiler.com/Mailing-Lists/NT-Bugtraq/2004-09/0068.html
http://blogs.devleap.com/rob/archive/2004/10/02/1803.aspx (italian)
http://www.k-otik.com/news/10052004.ASPNETFlaw.php (french)
It appears that by switching a '/' character in the URL with '\' or '%5C', the canonicalization routine will be confused. So if the URL:
http://www.example.com/secure/file.apx
is password protected, using the either of the following URLs will bypass the restriction:
http://www.example.com/secure\file.apx
http://www.example.com/secure%5Cfile.apx
In addition to the slash/back-slash confusion, one reader reports that inserting a space will bypass the URL restriction as well:
http://www.example.com/%20/secure/file.apx
(had no chance to validate this method so far)
URL Obfuscation Handler and star SANS instructor Ed Skoudis compiled a comprehensive list of various URL obfuscation methods used in phishing schemes and spam. Some of these methods do not work with all browsers (e.g. the %01 issue in older Internet Explorer versions). In order to preserve the tricky details of some of these methods, we setup a page which includes just the URL methods without our usual header and footer: http://isc.sans.org/presentations/urlobfuscation.php (to view as source: http://isc.sans.org/presentations/urlobfuscation.txt ). Jan Reilink wrote to point us to this page with more details about URL obfuscation and decoding: http://www.pc-help.org/obscure.htm . DDOS in progress A reader noted that a system on his Universities campus participated in a DDOS attack against 69.93.181.74. If you see any machines with excessive traffic to this IP address, please investigate further. We still need a copy of the respective malware to identify the controller. More MD5 sum tools Raul pointed out a nice MD5 sum tool, 'md5deep'. It will traverse directories and supports various hash formats. For details, see http://md5deep.sourceforge.net/ . Another reader suggested digestIT: http://digestit.kennethballard.com/features.html . It integrates with Microsoft Explorer which makes it particularly easy to use. _____________
Johannes Ullrich. jullrich |a_|sans.org
(Thanks to Chaouki & Daniel)
http://www.heise.de/security/news/meldung/51730 (german)
http://www.derkeiler.com/Mailing-Lists/NT-Bugtraq/2004-09/0068.html
http://blogs.devleap.com/rob/archive/2004/10/02/1803.aspx (italian)
http://www.k-otik.com/news/10052004.ASPNETFlaw.php (french)
It appears that by switching a '/' character in the URL with '\' or '%5C', the canonicalization routine will be confused. So if the URL:
http://www.example.com/secure/file.apx
is password protected, using the either of the following URLs will bypass the restriction:
http://www.example.com/secure\file.apx
http://www.example.com/secure%5Cfile.apx
In addition to the slash/back-slash confusion, one reader reports that inserting a space will bypass the URL restriction as well:
http://www.example.com/%20/secure/file.apx
(had no chance to validate this method so far)
URL Obfuscation Handler and star SANS instructor Ed Skoudis compiled a comprehensive list of various URL obfuscation methods used in phishing schemes and spam. Some of these methods do not work with all browsers (e.g. the %01 issue in older Internet Explorer versions). In order to preserve the tricky details of some of these methods, we setup a page which includes just the URL methods without our usual header and footer: http://isc.sans.org/presentations/urlobfuscation.php (to view as source: http://isc.sans.org/presentations/urlobfuscation.txt ). Jan Reilink wrote to point us to this page with more details about URL obfuscation and decoding: http://www.pc-help.org/obscure.htm . DDOS in progress A reader noted that a system on his Universities campus participated in a DDOS attack against 69.93.181.74. If you see any machines with excessive traffic to this IP address, please investigate further. We still need a copy of the respective malware to identify the controller. More MD5 sum tools Raul pointed out a nice MD5 sum tool, 'md5deep'. It will traverse directories and supports various hash formats. For details, see http://md5deep.sourceforge.net/ . Another reader suggested digestIT: http://digestit.kennethballard.com/features.html . It integrates with Microsoft Explorer which makes it particularly easy to use. _____________
Johannes Ullrich. jullrich |a_|sans.org
Keywords:
0 comment(s)
×
Diary Archives
Comments
Anonymous
Dec 3rd 2022
9 months ago
Anonymous
Dec 3rd 2022
9 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
Anonymous
Dec 26th 2022
8 months ago
Anonymous
Dec 26th 2022
8 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
8 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
8 months ago
Anonymous
Dec 26th 2022
8 months ago
https://defineprogramming.com/
Dec 26th 2022
8 months ago
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
https://defineprogramming.com/
Dec 26th 2022
8 months ago
rthrth
Jan 2nd 2023
8 months ago