Asp.Net.Vulnerability: Asp.Net buffer overflows (potential security problems)

[Dinis Cruz]

Have anybody tested if the latest RPC vulnerabilities can be executed
from an Asp.Net page running in an un-patched server? Since it is
possible to make direct Win32 API calls from Asp.Net there is a high
change that these vulnerabilities will work.

If that is possible, please provide the test code in order for me to
add it to our ANSA (Asp.Net Security Analyser, see
[url]http://www.gotdotnet.com/Community/Workspaces/Workspace.aspx?id=36ae9a2c-8740-4b52-924e-320edf64fba5[/url])
so that system administrators can quickly identify the vulnerable
servers and patch them.

Note that at the moment there is no 'real' solution to disabling Win32
API calls in IIS 5.0 and IIS 6.0. Which means that if these
vulnerabilities exist, then it would be a critical problem, because
everybody that hosts .Net websites in shared hosting environments
would be affected.

Best regards

Dinis Cruz
..Net Security Consultant
DDPlus ([url]www.ddplus.net[/url])

[Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]]

Dinis ..why not forward this as it should be to [email]secure@microsoft.com[/email]

The Microsoft Security Response Center (MSRC) draws on the hundreds of
security professionals at Microsoft to form virtual teams that respond
to reports of security issues with Microsoft products or technologies.
To report a suspected vulnerability, please send e-mail to
[email]Secure@microsoft.com[/email].

Posting a potential vulnerablity to a public newsgroup is not showing
good judgement for dislosure of vulnerabilities assuming these are valid.

Report responsbility for all of our benefit on the Internet.

Susan

Dinis Cruz wrote:

> Have anybody tested if the latest RPC vulnerabilities can be executed
> from an Asp.Net page running in an un-patched server? Since it is
> possible to make direct Win32 API calls from Asp.Net there is a high
> change that these vulnerabilities will work.
>
> If that is possible, please provide the test code in order for me to
> add it to our ANSA (Asp.Net Security Analyser, see
> [url]http://www.gotdotnet.com/Community/Workspaces/Workspace.aspx?id=36ae9a2c-8740-4b52-924e-320edf64fba5[/url])
> so that system administrators can quickly identify the vulnerable
> servers and patch them.
>
> Note that at the moment there is no 'real' solution to disabling Win32
> API calls in IIS 5.0 and IIS 6.0. Which means that if these
> vulnerabilities exist, then it would be a critical problem, because
> everybody that hosts .Net websites in shared hosting environments
> would be affected.
>
> Best regards
>
> Dinis Cruz
> .Net Security Consultant
> DDPlus ([url]www.ddplus.net[/url])

--
"Don't lose sight of security. Security is a state of being,
not a state of budget. He with the most firewalls still does
not win. Put down that honeypot and keep up to date on your patches.
Demand better security from vendors and hold them responsible.
Use what you have, and make sure you know how to use it properly
and effectively."
~Rain Forest Puppy
[url]http://www.wiretrip.net/rfp/txt/evolution.txt[/url]