[AppSecInc Security Alert] Microsoft Active Server Pages Cookie Retrieval Issue

From: Aaron C. Newman (Application Security, Inc.) (anewman_at_APPSECINC.COM)
Date: 05/06/04

    Date:         Wed, 5 May 2004 19:24:19 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Microsoft Active Server Pages Cookie Retrieval Issue

    5 May 2004

    Risk Level: Low

    Summary:
    The Active Server Pages (ASP) engine does not properly handle special
    cookie values when they are retrieved. Because of this, an unhandled
    error is returned to the client. This behavior can be used maliciously
    to gather sensitive information from web applications.

    Versions Affected:
    All Microsoft Internet Information Server (IIS) web applications using
    Active Server Pages (ASP).

    Details:
    ASP is an extension to IIS which allows HTML pages to be dynamically
    generated on the server side. When the server receives a request for an
    ASP file, it processes server-side scripts contained in the file to
    build the page that is sent back to the browser. ASP files can also
    contain HTML, including related client-side scripts, as well as calls to
    COM components that perform a variety of tasks such as connecting to a
    database or processing business logic. ASP pages are supported on all
    Microsoft Web Servers including Personal Web Server and Internet
    Information Server.

    ASP exposes many objects to enable easy development of web applications.
    These objects are used to allow browsers and web applications to easily
    exchange information over HTTP. When the special value "=" is sent as a
    Cookie header value and an ASP page tries to access the cookie
    collection, the ASP engine returns an unhandled error.

    Example HTTP request:

    GET /somepage.asp HTTP/1.0
    Host: hostname
    Cookie: =

    Source code snippet for somepage.asp:

    <%
    Dim value
    value = Request.Cookies("cookiename") ' the error is triggered here
    %>

    Value returned by the IIS server:

    (0x80004005)
    Unespecified error
    /file.inc, line 2

    In this example, the attacker was able to determine the name of the
    include file by setting the cookie to "=". Revealing information such as
    an include file name could be used to find other, more sensitive
    information.

    Other possible problems include being able to tell when a cookie is
    being read. If a cookie is set to "=" and the following return value is
    generated:

    (0x80004005)
    Unespecified error
    /somepage.asp, line 19

    The attacker has verified that the cookie was accessed on this page.

    This vulnerability can be exploited remotely and allows an attacker to
    map web application logic, for example by determining on which pages
    cookies are read. It also allows an attacker to generate error messages
    that may expose sensitive information usable in further attacks.

    Fix:
    IIS Web Servers should be configured to return custom error pages which
    do not reveal details about the script which caused the error.
    Information about how to create custom error pages is available at
    http://support.microsoft.com/?id=834452.
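    As an added example that is not part of the advisory, the following shows how a page can read a cookie without letting a malformed "Cookie: =" header surface as an unhandled error while the custom error page configuration above is put in place. SafeCookie is a hypothetical helper, and the example assumes the 0x80004005 error raised by Request.Cookies is an ordinary VBScript runtime error that On Error Resume Next can trap.

```asp
<%
Option Explicit
' Added example (not from the advisory): read a cookie without letting a
' malformed "Cookie: =" header surface as an unhandled ASP error that
' reveals a script or include file path. SafeCookie is a hypothetical
' helper; it assumes the 0x80004005 error raised by Request.Cookies is a
' normal VBScript runtime error that On Error Resume Next can trap.
Function SafeCookie(name)
    Dim v
    On Error Resume Next
    v = Request.Cookies(name)
    If Err.Number <> 0 Then
        ' Swallow the engine error and treat the cookie as absent, so the
        ' client learns nothing about server-side file names or line numbers.
        Err.Clear
        v = ""
    End If
    On Error GoTo 0
    SafeCookie = v
End Function

Dim value
value = SafeCookie("cookiename")
' Continue as if the cookie were simply not present: the response is the
' same whether the header was missing or malformed, so whether this page
' reads the cookie is not observable through error text. Custom error
' pages remain the server-wide protection for errors not trapped here.
%>
```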

    Microsoft was contacted in December 2003.

    Credit:
    This vulnerability was researched and discovered by Cesar Cerrudo of
    Application Security, Inc.


