Alert: Microsoft Security Bulletin - MS02-026
From: Russ (Russ.Cooper@RC.ON.CA)
Date: Thu, 6 Jun 2002 19:15:14 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Unchecked Buffer in ASP.NET Worker Process (Q322289)
Originally posted: June 06, 2002
Who should read this bulletin: Customers operating web servers running ASP.NET applications.
Impact of vulnerability: Denial of Service, Potentially Run Code of Attacker's Choice.
Maximum Severity Rating: Moderate
Recommendation: Customers using StateServer mode should apply the patch. Customers who do not use StateServer mode need not take any action.
Affected Software:
- Microsoft .NET Framework version 1.0, of which ASP.NET is a component.
ASP.NET is a collection of technologies that help developers to build web-based applications. Web-based applications, including those built using ASP.NET, rely on HTTP to provide connectivity. One characteristic of HTTP as a protocol is that it is stateless, meaning that each page request from a user to a site is reckoned an independent request. To compensate for this, ASP.NET provides for session state management through a variety of modes.
One of these modes is StateServer mode. This mode stores session state information in a separate, running process. That process can run on the same machine or a different machine from the ASP.NET application. There is an unchecked buffer in one of the routines that handles the processing of cookies in StateServer mode. A security vulnerability results because it is possible for an attacker to seek to exploit it by mounting a buffer overrun attack. A successful attack could cause the ASP.NET application to restart. As a result, all current users of the web-based application would see their current session restart and their current session information would be lost.
Mitigating Factors:
- StateServer mode is not the default mode for session state management in ASP.NET. The ASP.NET application would have to be specifically configured to use this mode.
- Even if an application was configured to use StateServer mode, it would only be at risk if it also used cookies.
Vulnerability identifier: CAN-2002-0369
This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]
I can only hope that the information it does contain can be read well enough to serve its purpose.
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
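
Added example, not part of the bulletin or of the original message: a triage check for the bulletin's recommendation and mitigating factors. It reads a web.config and reports whether the recommendation applies (StateServer mode) and whether the cookie condition is also met. The sample configs, the function names and the returned labels are constructed for illustration, and inheritance from machine.config or a parent web.config is not followed.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config contents (not taken from the bulletin).
SAMPLES = {
    "shop/web.config": """<configuration><system.web>
        <sessionState mode="StateServer"
                      stateConnectionString="tcpip=10.0.0.5:42424"
                      cookieless="false" timeout="20"/>
    </system.web></configuration>""",
    "intranet/web.config": """<configuration><system.web>
        <sessionState mode="StateServer"
                      stateConnectionString="tcpip=10.0.0.5:42424"
                      cookieless="true"/>
    </system.web></configuration>""",
    "blog/web.config": """<configuration><system.web>
        <compilation debug="false"/>
    </system.web></configuration>""",
}

def triage(web_config_xml):
    """Return (action, cookie_condition_met) for one web.config.

    action follows the bulletin's recommendation: patch if StateServer mode
    is in use, otherwise no action. cookie_condition_met reflects the second
    mitigating factor: the application also uses cookies for its sessions.
    """
    root = ET.fromstring(web_config_xml)
    node = root.find("system.web/sessionState")
    # No <sessionState> element here: assume the shipped default, InProc.
    mode = (node.get("mode") if node is not None else None) or "InProc"
    if mode.lower() != "stateserver":
        return ("no action", False)
    # cookieless defaults to false, meaning the session ID travels in a cookie.
    cookieless = (node.get("cookieless") or "false").lower()
    return ("apply patch", cookieless != "true")

def triage_all(configs):
    """Map each config path to its triage result."""
    return {path: triage(xml) for path, xml in configs.items()}

if __name__ == "__main__":
    for path, (action, cookies) in triage_all(SAMPLES).items():
        print(f"{path}: {action} (cookie-based sessions: {cookies})")
```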