.NET Framework Security Vulnerabilities….

July 11th, 2007 Drazen Drazic Posted in Applications, Research, Web Application Security |

Following on from Paul Craig’s research on .NET security weaknesses, Microsoft has today released patch information - MS07-040. Further information at SecurityFocus.

A copy of Paul’s presentation is posted on our site on the Publications page. The full Advisory can be found on this page.

========================================================================
= Multiple .NET Null Byte Injection Vulnerabilities
=
= Vendor Website:
= http://www.microsoft.com
=
= Affected Version:
= .NET FrameWork v1.1 SP1
= .NET FrameWork v2.0.50727
=
= Vendor Notified - October, 2006
= Public Disclosure - July 11th, 2007
=
========================================================================

== Overview ==
Security-Assessment.com recently completed research into the .NET Framework, examining the effect a Null byte (%00) has on various aspects of the .NET Common Language Runtime.

This advisory details the findings of that research conducted by Paul Craig.

It was found that certain .NET methods in various sections of the .NET namespace are vulnerable to Null byte injection attacks. Null byte injection occurs when the .NET CLR incorrectly handles user supplied Null bytes.

The .NET CLR treats Null bytes as ‘data’; .NET strings are not Null byte terminated. However, native POSIX-compliant functions terminate all strings at the first Null byte found. Interoperability issues arise when data containing a Null byte is passed by .NET directly to a native C function.

Native function calls terminate strings at the injected Null byte, allowing a remote user to arbitrarily terminate a string parameter used by the vulnerable method.

Security-Assessment.com has discovered five vulnerable methods in the .NET framework which are exploited through Null byte injection.

Three of the discovered vulnerabilities allow strings to be arbitrarily terminated (String Termination vulnerabilities). The remaining two result in an Arbitrary File Disclosure condition, where a remote user is able to access arbitrary files from within the web root.
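The interop mismatch described above (a length-counted managed string handed to a NUL-terminated native call) and the resulting suffix-check bypass can be modelled in a few lines of C. This is an added illustration, not code from the advisory or from the .NET Framework; the `managed_string` struct is a hypothetical stand-in for a CLR string, and the sample filename is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical CLR-style string: explicit length, embedded NULs are data.
   Not the real CLR layout; used only to model the managed side. */
typedef struct {
    const char *data;
    size_t length;          /* managed length, counts embedded NULs */
} managed_string;

/* Length a native C/POSIX function sees once the buffer is passed as a
   char* and scanned strlen()-style: it stops at the first NUL. */
size_t native_visible_length(const managed_string *s)
{
    size_t i = 0;
    while (i < s->length && s->data[i] != '\0')
        i++;
    return i;
}

/* Boundary check: managed and native views must agree on the length. */
bool has_embedded_nul(const managed_string *s)
{
    return native_visible_length(s) != s->length;
}

/* Managed-side suffix check (e.g. "only .txt files"). It runs over the
   full managed length, so it is satisfied even when a NUL precedes ".txt". */
bool managed_ends_with(const managed_string *s, const char *suffix)
{
    size_t n = strlen(suffix);
    if (s->length < n) return false;
    return memcmp(s->data + s->length - n, suffix, n) == 0;
}

/* Hardened gate: suffix check AND no embedded NUL before calling native code. */
bool safe_to_pass_to_native(const managed_string *s, const char *suffix)
{
    return !has_embedded_nul(s) && managed_ends_with(s, suffix);
}

/* Constructed sample: "report.aspx", an embedded NUL, then ".txt" (16 bytes). */
static const char sample_raw[] = "report.aspx\0.txt";
const managed_string sample = { sample_raw, sizeof(sample_raw) - 1 };

int main(void)
{
    printf("managed length=%zu, native sees=%zu\n", sample.length,
           native_visible_length(&sample));
    printf("suffix check alone=%d, with NUL gate=%d\n",
           managed_ends_with(&sample, ".txt"), safe_to_pass_to_native(&sample, ".txt"));
    return 0;
}
```

The suffix check alone accepts the sample while the native side would only ever see `report.aspx`; the NUL gate is what makes the two views agree.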

.NET has a history of Null byte input flaws and associated logic. On September 8th, 2003 WebCohort Research <research@webcohort.com> released an advisory titled “Microsoft ASP.NET Request Validation Null Byte Filter Bypass Vulnerability”, whereby the .NET request validation routine could be bypassed using Null byte injection.

Null byte injection is not a new class of attack and is a well known exploitation method, but this is the first time a Null byte injection vulnerability has been found in methods within the .NET framework itself.

Security researchers should be aware of Null byte injection attacks within the framework itself and within .NET developed applications.

== Solutions ==

Security-Assessment.com has been in contact with Microsoft and a new .NET patch has been released to address the discovered vulnerabilities. Install patch KB928365 (Security Update for Microsoft .NET Framework 2.0) and/or KB928366 (Security Update for Microsoft .NET Framework 1.1).

== Credit ==

Discovered and advised to Microsoft October, 2006 by Paul Craig of Security-Assessment.com.

== About Security-Assessment.com ==

Security-Assessment.com is Australasia’s leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients.

Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendor’s products. Members of the Security-Assessment.com R&D team are globally recognised through their release of whitepapers and presentations related to new security research.

Security-Assessment.com is an Endorsed Commonwealth Government of Australia supplier and sits on the Australian Government Attorney-General’s Department Critical Infrastructure Project panel.

3 Responses to “.NET Framework Security Vulnerabilities….”

  1. You throw out some real bad stuff and the “experts” give you this: http://www.computerworld.com.au/index.php/id;2102514139;fp;4;fpid;16

    Where have these guys gotten their experience?

  2. Too easy now. Cool research. SA ROX.
