Alert: Microsoft Security Bulletin - MS02-026

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 06/07/02 

Date:         Thu, 6 Jun 2002 19:15:14 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

http://www.microsoft.com/technet/security/bulletin/MS02-026.asp

Unchecked Buffer in ASP.NET Worker Process (Q322289)

Originally posted: June 06, 2002

Summary

Who should read this bulletin: Customers operating web servers running ASP.NET applications.

Impact of vulnerability: Denial of Service, Potentially Run Code of Attacker's Choice.

Maximum Severity Rating: Moderate

Recommendation: Customers using StateServer mode should apply the patch. Customers who do not use StateServer mode need not take any action.

Affected Software:
- Microsoft .NET Framework version 1.0, of which ASP.NET is a component.

Technical description:

ASP.NET is a collection of technologies that help developers to build web-based applications. Web-based applications, including those built using ASP.NET, rely on HTTP to provide connectivity. One characteristic of HTTP as a protocol is that it is stateless, meaning that each page request from a user to a site is reckoned an independent request. To compensate for this, ASP.NET provides for session state management through a variety of modes.

One of these modes is StateServer mode. This mode stores session state information in a separate, running process. That process can run on the same machine or a different machine from the ASP.NET application. There is an unchecked buffer in one of the routines that handles the processing of cookies in StateServer mode. A security vulnerability results because it is possible for an attacker to seek to exploit it by mounting a buffer overrun attack. A successful attack could cause the ASP.NET application to restart. As a result, all current users of the web-based application would see their current session restart and their current session information would be lost.

 The StateServer mode is not the default mode for session state management in ASP.NET. ASP.NET applications using StateServer mode that do not use cookies are not vulnerable.

Mitigating factors:
- StateServer mode is not the default mode for session state management in ASP.NET. That ASP.NET application would have to be specifically configured to use this mode.
- Even if an application was configured to use StateServer mode, it would only be at risk if it also used cookies.

Vulnerability identifier: CAN-2002-0369

This email is sent to NTBugtraq automatically as a service to my subscribers. Since its programmatically created, and since its been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

I can only hope that the information it does contain can be read well enough to serve its purpose.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor