are my binaries being exposed on my ASP.NET website?

ed.devlin_at_detica.com
Date: 11/25/03

Date: 25 Nov 2003 11:09:43 -0000
To: focus-ms@securityfocus.com

We've had some security consultants go over our website looking for vulnerabilities, and they've found a binary file exposure problem, but I can't reproduce it. Has anyone seen something like this?

My website runs on SSL and uses forms-based authentication. IIS Lockdown and URLScan 2.5 are installed. WebDAV is ENABLED (with restricted verbs) for file transfer by special users (using integrated Windows authentication).

Hacker goes to my login page and logs in using correct credentials. Once logged in, the hacker removes the ".aspx" extension from a URL, and is given a binary file in response to the request!

I can't get this to work on any of my test browsers (I always get a 404), but the consultant assures me he reproduced it using IE 6.0 and a personal proxy.

Could it be IIS handing out a fragment of pre-compiled ASPX code-behind? Might it be to do with debug settings in web.config?

If you have any ideas, please let me know.

Thanks

Ed
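One way to check your own site for the symptom described above (extension-stripped URL answered with a binary rather than a 404), as an added example that is not part of the original post. The URL, cookie value and "site-check" user agent are placeholders, and ".ASPXAUTH" is assumed to be the forms-authentication cookie name.

```python
"""Check whether an extension-stripped .aspx URL on a site you operate
returns a binary. Added illustration, not code from the original post;
URLs and cookie value are constructed placeholders."""
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# ASP.NET assemblies and other PE images start with the bytes "MZ".
PE_MAGIC = b"MZ"
BINARY_TYPES = ("application/octet-stream", "application/x-msdownload")


def strip_aspx(url: str) -> str:
    """Return url with a trailing '.aspx' removed from the path component."""
    parts = urlsplit(url)
    path = parts.path
    if path.lower().endswith(".aspx"):
        path = path[:-5]
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


def classify(status: int, content_type: str, body: bytes) -> str:
    """Label a reply: 'not-found' (the expected result), 'page', 'binary'
    (PE image or octet-stream, the reported symptom) or 'suspect'."""
    if status == 404:
        return "not-found"
    ctype = (content_type or "").split(";")[0].strip().lower()
    if body[:2] == PE_MAGIC or ctype in BINARY_TYPES:
        return "binary"
    if ctype.startswith("text/html"):
        return "page"
    return "suspect"  # not HTML and not obviously a PE image; inspect manually


def probe(url: str, auth_cookie: str = "") -> str:
    """Fetch the extensionless variant of an .aspx URL, sending the forms-auth
    cookie (assumed name '.ASPXAUTH'), and classify the response."""
    req = urllib.request.Request(strip_aspx(url), headers={"User-Agent": "site-check"})
    if auth_cookie:
        req.add_header("Cookie", f".ASPXAUTH={auth_cookie}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.status, resp.headers.get("Content-Type"), resp.read(64))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Content-Type"), b"")


if __name__ == "__main__":
    # Placeholder host; run against a site you own after logging in.
    print(probe("https://example.invalid/secure/account.aspx", auth_cookie="TICKET"))
```

A result of "binary" for a URL that returns "page" with its extension intact reproduces the consultant's finding; "not-found" is what the poster observed.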


