Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)
2011-12-30T00:00:00
ID OPENVAS:902806 Type openvas Reporter Copyright (C) 2011 SecPod Modified 2017-02-20T00:00:00
Description
This host is missing a critical security update according to
Microsoft Bulletin MS11-100.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: secpod_ms11-100.nasl 5362 2017-02-20 12:46:39Z cfi $
#
# Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)
#
# Authors:
# Sooraj KS <kssooraj@secpod.com>
#
# Copyright:
# Copyright (c) 2011 SecPod, http://www.secpod.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Report texts for this check. Each variable below is handed to script_tag()
# in the description block (impact, affected, insight, solution, summary).

# Impact statement.
# NOTE(review): this text names denial of service, spoofing and restriction
# bypass only, while tag_insight also describes access to arbitrary user
# accounts and the script name says elevation of privilege. Consider
# aligning the wording so the finding is not under-rated during triage.
tag_impact = "Successful exploitation could allow attacker to cause a denial of service,
conduct spoofing attacks or bypass certain security restrictions.
Impact Level: System/Application";
# Product lines the report lists as affected.
tag_affected = "Microsoft .NET Framework 4
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 1.1 Service Pack 1";
# One bullet per issue, in the order: hash-collision CPU exhaustion, open
# redirect, account access via crafted username, account access via cached
# content with sliding expiry. script_cve_id() in the description block
# lists four CVE ids for this check.
tag_insight = "- An error within ASP.NET when hashing form posts and updating a hash table.
This can be exploited to cause a hash collision resulting in high CPU
consumption via a specially crafted form sent in a HTTP POST request.
- Open redirect vulnerability in the Forms Authentication feature in the
ASP.NET subsystem allows remote attackers to redirect users to arbitrary
web sites and conduct phishing attacks via a crafted return URL.
- The Forms Authentication feature in the ASP.NET subsystem allows remote
authenticated users to obtain access to arbitrary user accounts via a
crafted username.
- The Forms Authentication feature in the ASP.NET subsystem when sliding
expiry is enabled, does not properly handle cached content, which allows
remote attackers to obtain access to arbitrary user accounts via a crafted
URL.";
# Remediation text: install the hotfixes named in the MS11-100 bulletin.
tag_solution = "Run Windows Update and update the listed hotfixes or download and
update mentioned hotfixes in the advisory from the below link,
http://technet.microsoft.com/en-us/security/bulletin/ms11-100";
# One-line summary of the finding.
tag_summary = "This host is missing a critical security update according to
Microsoft Bulletin MS11-100.";
# Metadata registration branch: taken when `description` is set. It ends with
# exit(0), so none of the host checks further down run in that pass.
if(description)
{
  # Identity, revision and scoring.
  script_id(902806);
  script_version("$Revision: 5362 $");
  script_bugtraq_id(51186);
  script_cve_id("CVE-2011-3414", "CVE-2011-3415", "CVE-2011-3416", "CVE-2011-3417");
  script_tag(name:"cvss_base", value:"9.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_tag(name:"last_modification", value:"$Date: 2017-02-20 13:46:39 +0100 (Mon, 20 Feb 2017) $");
  script_tag(name:"creation_date", value:"2011-12-30 10:10:10 +0530 (Fri, 30 Dec 2011)");
  script_name("Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)");

  # External references for the advisory.
  script_xref(name:"URL", value:"http://secunia.com/advisories/47323");
  script_xref(name:"URL", value:"http://www.kb.cert.org/vuls/id/903934");
  script_xref(name:"URL", value:"http://www.ocert.org/advisories/ocert-2011-003.html");
  script_xref(name:"URL", value:"http://www.nruns.com/_downloads/advisory28122011.pdf");
  script_xref(name:"URL", value:"http://technet.microsoft.com/en-us/security/bulletin/ms11-100");
  script_xref(name:"URL", value:"http://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx");

  # Scheduling: category, family, and what must be known about the host
  # (SMB ports and the "SMB/WindowsVersion" key) before the check runs.
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2011 SecPod");
  script_family("Windows : Microsoft Bulletins");
  script_dependencies("secpod_reg_enum.nasl");
  script_require_ports(139, 445);
  script_mandatory_keys("SMB/WindowsVersion");

  # Report texts defined at the top of the file.
  script_tag(name:"impact", value:tag_impact);
  script_tag(name:"affected", value:tag_affected);
  script_tag(name:"insight", value:tag_insight);
  script_tag(name:"solution", value:tag_solution);
  script_tag(name:"summary", value:tag_summary);

  # The result is declared as registry-derived and fixable by a vendor patch.
  script_tag(name:"qod_type", value:"registry");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}
include("smb_nt.inc");
include("secpod_reg.inc");
include("version_func.inc");
include("secpod_smb_func.inc");
## Precondition 1: continue only when hotfix_check_sp() returns a positive
## value for one of the listed Windows releases / service-pack levels.
os_sp_state = hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2);
if(os_sp_state <= 0)
{
  exit(0);
}

## Precondition 2: the ASP.NET registry key must exist; without it there is
## no install path to inspect. `key` is reused by the version lookup below.
key = "SOFTWARE\Microsoft\ASP.NET\";
aspnet_present = registry_key_exists(key:key);
if(!aspnet_present)
{
  exit(0);
}
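## Collect one file version per installed framework line (v4.0, v2.0, v1.1).
## Every subkey of the ASP.NET key is read for its "Path" value; only paths
## that point into \Microsoft.NET\Framework are considered.
##
## The three result variables are set explicitly so the checks further down
## never read a variable that was not assigned. A version is stored only when
## the file read returned one: if more than one subkey maps to the same
## framework line, a later failed read no longer wipes out a version that was
## already obtained, which would have hidden a vulnerable install.
dllv4 = NULL;
dllv2 = NULL;
dllv1 = NULL;

foreach item (registry_enum_keys(key:key))
{
  path = registry_get_sz(key:key + item, item:"Path");

  # Skip subkeys without a usable framework path.
  if(!path || !("\Microsoft.NET\Framework" >< path)){
    continue;
  }

  if("v4.0" >< path){
    file_ver = fetch_file_version(sysPath:path, file_name:"System.Web.Extensions.dll");
    if(file_ver){
      dllv4 = file_ver;
    }
  }

  if("v2.0" >< path){
    file_ver = fetch_file_version(sysPath:path, file_name:"System.Web.dll");
    if(file_ver){
      dllv2 = file_ver;
    }
  }

  if("v1.1" >< path){
    file_ver = fetch_file_version(sysPath:path, file_name:"System.Web.dll");
    if(file_ver){
      dllv1 = file_ver;
    }
  }
}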
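## .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7
## The host is reported only when hotfix 2656351 is recorded as missing AND
## the version held in dllv4 falls within one of the two listed ranges.
if((hotfix_missing(name:"2656351") == 1) && dllv4)
{
  if(version_in_range(version:dllv4, test_version:"4.0.30319.000", test_version2:"4.0.30319.271") ||
     version_in_range(version:dllv4, test_version:"4.0.30319.500", test_version2:"4.0.30319.546"))
  {
    # Carry the evidence in the finding so it can be triaged and re-verified
    # after patching without guessing which framework line triggered it.
    report = "Microsoft .NET Framework 4: detected file version " + dllv4 +
             " is within a range checked for MS11-100" +
             " (4.0.30319.000 - 4.0.30319.271 or 4.0.30319.500 - 4.0.30319.546)" +
             " and hotfix KB2656351 is reported as missing.";
    security_message(port:0, data:report);
    exit(0);
  }
}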
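## .NET Framework 2 on Windows XP and Windows Server 2003
## Reported only when hotfix 2656352 is recorded as missing, the OS gate for
## XP / Server 2003 passes, and dllv2 falls within one of the listed ranges.
if((hotfix_missing(name:"2656352") == 1) && (hotfix_check_sp(xp:4, win2003:3) > 0) && dllv2)
{
  if(version_in_range(version:dllv2, test_version:"2.0.50727.0000", test_version2:"2.0.50727.3633") ||
     version_in_range(version:dllv2, test_version:"2.0.50727.5000", test_version2:"2.0.50727.5709"))
  {
    # Include file version, checked ranges and the missing hotfix so the
    # finding is self-explanatory in the scan report.
    report = "Microsoft .NET Framework 2.0: detected System.Web.dll version " + dllv2 +
             " is within a range checked for MS11-100" +
             " (2.0.50727.0000 - 2.0.50727.3633 or 2.0.50727.5000 - 2.0.50727.5709)" +
             " and hotfix KB2656352 is reported as missing.";
    security_message(port:0, data:report);
    exit(0);
  }
}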
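## .NET Framework 2 on Windows Vista and Windows Server 2008
## Reported only when hotfix 2656362 is recorded as missing, the OS gate for
## Vista / Server 2008 passes, and dllv2 falls within one of the listed ranges.
if((hotfix_missing(name:"2656362") == 1) && (hotfix_check_sp(winVista:3, win2008:3) > 0) && dllv2)
{
  if(version_in_range(version:dllv2, test_version:"2.0.50727.0000", test_version2:"2.0.50727.4222") ||
     version_in_range(version:dllv2, test_version:"2.0.50727.5000", test_version2:"2.0.50727.5709"))
  {
    # Include file version, checked ranges and the missing hotfix so the
    # finding is self-explanatory in the scan report.
    report = "Microsoft .NET Framework 2.0: detected System.Web.dll version " + dllv2 +
             " is within a range checked for MS11-100" +
             " (2.0.50727.0000 - 2.0.50727.4222 or 2.0.50727.5000 - 2.0.50727.5709)" +
             " and hotfix KB2656362 is reported as missing.";
    security_message(port:0, data:report);
    exit(0);
  }
}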
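## .NET Framework 1.1 SP1 on Windows Server 2003 SP2, Windows XP, Windows Vista, and Windows Server 2008
## Two hotfix ids are used depending on the OS gate: 2656358 together with
## the Server 2003 gate, 2656353 together with the XP / Vista / Server 2008
## gate. Either pairing, plus a dllv1 inside the listed range, flags the host.
if(dllv1 && (((hotfix_missing(name:"2656358") == 1) && (hotfix_check_sp(win2003:3) > 0)) ||
             ((hotfix_missing(name:"2656353") == 1) && (hotfix_check_sp(xp:4, winVista:3, win2008:3) > 0))))
{
  if(version_in_range(version:dllv1, test_version:"1.1.4322.0", test_version2:"1.1.4322.2493"))
  {
    # Name both candidate hotfixes: the condition above does not record
    # which of the two pairings matched.
    report = "Microsoft .NET Framework 1.1: detected System.Web.dll version " + dllv1 +
             " is within the range checked for MS11-100 (1.1.4322.0 - 1.1.4322.2493)" +
             " and the matching hotfix (KB2656358 on Windows Server 2003," +
             " KB2656353 on Windows XP, Vista and Server 2008) is reported as missing.";
    security_message(port:0, data:report);
    exit(0);
  }
}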
## Locate the .NET Framework 3.5 assembly folder through the registry and
## read the version of System.Web.Extensions.dll from that folder.
key = "SOFTWARE\Microsoft\.NETFramework\AssemblyFolders\v3.5";
if(registry_key_exists(key:key))
{
  path = registry_get_sz(key:key, item:"All Assemblies In");
  if(path)
  {
    ## Get Version
    dllv3 = fetch_file_version(sysPath:path, file_name:"System.Web.Extensions.dll");
  }
}

## dllv3 is only set when the key exists, the folder value is non-empty and
## the file version could be read; in every other case the script stops here,
## so the 3.5 checks below always see a version string.
if(!dllv3)
{
  exit(0);
}
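## .NET Framework 3.5 SP1 on Windows Server 2003, Windows Server 2008, Windows Vista, and Windows XP
## Reported only when hotfix 2657424 is recorded as missing, the OS gate
## passes, and dllv3 falls within one of the two listed ranges.
if((hotfix_missing(name:"2657424") == 1) && (hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3) > 0))
{
  if(version_in_range(version:dllv3, test_version:"3.5.30729.3000", test_version2:"3.5.30729.3677") ||
     version_in_range(version:dllv3, test_version:"3.5.30729.5000", test_version2:"3.5.30729.5768"))
  {
    # Include file version, checked ranges and the missing hotfix so the
    # finding is self-explanatory in the scan report.
    report = "Microsoft .NET Framework 3.5 SP1: detected System.Web.Extensions.dll version " + dllv3 +
             " is within a range checked for MS11-100" +
             " (3.5.30729.3000 - 3.5.30729.3677 or 3.5.30729.5000 - 3.5.30729.5768)" +
             " and hotfix KB2657424 is reported as missing.";
    security_message(port:0, data:report);
    exit(0);
  }
}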
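## .NET Framework 3.5.1 on Windows 7
## Both hotfix ids (2656355 and 2656356) must be recorded as missing before
## the version ranges are consulted; a host with either one present is not
## reported by this branch. This is the last check in the script, so there is
## no exit(0) after the report.
if((hotfix_missing(name:"2656355") == 1) && (hotfix_missing(name:"2656356") == 1) && (hotfix_check_sp(win7:2) > 0))
{
  if(version_in_range(version:dllv3, test_version:"3.5.30729.4000", test_version2:"3.5.30729.4957") ||
     version_in_range(version:dllv3, test_version:"3.5.30729.5700", test_version2:"3.5.30729.5769") ||
     version_in_range(version:dllv3, test_version:"3.5.30729.5400", test_version2:"3.5.30729.5445"))
  {
    # Include file version, checked ranges and the missing hotfixes so the
    # finding is self-explanatory in the scan report.
    report = "Microsoft .NET Framework 3.5.1: detected System.Web.Extensions.dll version " + dllv3 +
             " is within a range checked for MS11-100" +
             " (3.5.30729.4000 - 3.5.30729.4957, 3.5.30729.5700 - 3.5.30729.5769" +
             " or 3.5.30729.5400 - 3.5.30729.5445)" +
             " and neither hotfix KB2656355 nor KB2656356 is reported as installed.";
    security_message(port:0, data:report);
  }
}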
{"id": "OPENVAS:902806", "type": "openvas", "bulletinFamily": "scanner", "title": "Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS11-100.", "published": "2011-12-30T00:00:00", "modified": "2017-02-20T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=902806", "reporter": "Copyright (C) 2011 SecPod", "references": ["http://www.nruns.com/_downloads/advisory28122011.pdf", "http://www.kb.cert.org/vuls/id/903934", "http://www.ocert.org/advisories/ocert-2011-003.html", "http://secunia.com/advisories/47323", "http://technet.microsoft.com/en-us/security/bulletin/ms11-100", "http://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx"], "cvelist": ["CVE-2011-3414", "CVE-2011-3417", "CVE-2011-3416", "CVE-2011-3415"], "lastseen": "2017-07-02T21:13:28", "viewCount": 12, "enchantments": {"score": {"value": 7.9, "vector": "NONE", "modified": "2017-07-02T21:13:28", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-3416", "CVE-2011-3417", "CVE-2011-3415", "CVE-2011-3414"]}, {"type": "nessus", "idList": ["SMB_NT_MS11-100.NASL", "JUNIPER_PSN-2012-07-650.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:27499", "SECURITYVULNS:VULN:12121"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310902806"]}, {"type": "mskb", "idList": ["KB2638420"]}, {"type": "seebug", "idList": ["SSV:26128", "SSV:26122", "SSV:26123", "SSV:26129"]}, {"type": "jvn", "idList": ["JVN:71256611"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:111277"]}, {"type": "cert", "idList": ["VU:903934"]}], "modified": "2017-07-02T21:13:28", "rev": 2}, "vulnersScore": 7.9}, "pluginID": "902806", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms11-100.nasl 5362 2017-02-20 12:46:39Z cfi $\n#\n# Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow attacker to cause a denial of service,\n conduct spoofing attacks or bypass certain security restrictions.\n Impact Level: System/Application\";\ntag_affected = \"Microsoft .NET Framework 4\n Microsoft .NET Framework 3.5.1\n Microsoft .NET Framework 3.5 Service Pack 1\n Microsoft .NET Framework 2.0 Service Pack 2\n Microsoft .NET Framework 1.1 Service Pack 1\";\ntag_insight = \"- An error within ASP.NET when hashing form posts and updating a hash table.\n This can be exploited to cause a hash collision resulting in high CPU\n consumption via a specially crafted form sent in a HTTP POST request.\n - Open redirect vulnerability in the Forms Authentication feature in the\n ASP.NET subsystem allows remote attackers to redirect users to arbitrary\n web sites and conduct phishing attacks via a crafted return 
URL.\n - The Forms Authentication feature in the ASP.NET subsystem allows remote\n authenticated users to obtain access to arbitrary user accounts via a\n crafted username.\n - The Forms Authentication feature in the ASP.NET subsystem when sliding\n expiry is enabled, does not properly handle cached content, which allows\n remote attackers to obtain access to arbitrary user accounts via a crafted\n URL.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://technet.microsoft.com/en-us/security/bulletin/ms11-100\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS11-100.\";\n\nif(description)\n{\n script_id(902806);\n script_version(\"$Revision: 5362 $\");\n script_bugtraq_id(51186);\n script_cve_id(\"CVE-2011-3414\", \"CVE-2011-3415\", \"CVE-2011-3416\", \"CVE-2011-3417\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 13:46:39 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-12-30 10:10:10 +0530 (Fri, 30 Dec 2011)\");\n script_name(\"Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/47323\");\n script_xref(name : \"URL\" , value : \"http://www.kb.cert.org/vuls/id/903934\");\n script_xref(name : \"URL\" , value : \"http://www.ocert.org/advisories/ocert-2011-003.html\");\n script_xref(name : \"URL\" , value : \"http://www.nruns.com/_downloads/advisory28122011.pdf\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/ms11-100\");\n script_xref(name : \"URL\" , value : 
\"http://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Check for OS and Service Pack\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){\n exit(0);\n}\n\n## Confirm .NET\nkey = \"SOFTWARE\\Microsoft\\ASP.NET\\\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\n## Try to Get Version\nforeach item (registry_enum_keys(key:key))\n{\n path = registry_get_sz(key:key + item, item:\"Path\");\n if(\"\\Microsoft.NET\\Framework\" >< path)\n {\n if(\"v4.0\" >< path){\n dllv4 = fetch_file_version(sysPath:path, file_name:\"System.Web.Extensions.dll\");\n }\n\n if(\"v2.0\" >< path){\n dllv2 = fetch_file_version(sysPath:path, file_name:\"System.Web.dll\");\n }\n\n if(\"v1.1\" >< path){\n dllv1 = fetch_file_version(sysPath:path, file_name:\"System.Web.dll\");\n }\n }\n}\n\n## .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7\nif((hotfix_missing(name:\"2656351\") == 1) && dllv4)\n{\n if(version_in_range(version:dllv4, test_version:\"4.0.30319.000\", test_version2:\"4.0.30319.271\")||\n version_in_range(version:dllv4, 
test_version:\"4.0.30319.500\", test_version2:\"4.0.30319.546\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n## .NET Framework 2 on Windows XP and Windows Server 2003\nif((hotfix_missing(name:\"2656352\") == 1) && (hotfix_check_sp(xp:4, win2003:3) > 0) && dllv2)\n{\n if(version_in_range(version:dllv2, test_version:\"2.0.50727.0000\", test_version2:\"2.0.50727.3633\")||\n version_in_range(version:dllv2, test_version:\"2.0.50727.5000\", test_version2:\"2.0.50727.5709\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n## .NET Framework 2 on Windows Vista and Windows Server 2008\nif((hotfix_missing(name:\"2656362\") == 1) && (hotfix_check_sp(winVista:3, win2008:3) > 0) && dllv2)\n{\n if(version_in_range(version:dllv2, test_version:\"2.0.50727.0000\", test_version2:\"2.0.50727.4222\")||\n version_in_range(version:dllv2, test_version:\"2.0.50727.5000\", test_version2:\"2.0.50727.5709\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n## .NET Framework 1.1 SP1 on Windows Server 2003 SP2, Windows XP, Windows Vista, and Windows Server 2008\nif(dllv1 && (((hotfix_missing(name:\"2656358\") == 1) && (hotfix_check_sp(win2003:3) > 0)) ||\n ((hotfix_missing(name:\"2656353\") == 1) && (hotfix_check_sp(xp:4, winVista:3, win2008:3) > 0))))\n{\n if(version_in_range(version:dllv1, test_version:\"1.1.4322.0\", test_version2:\"1.1.4322.2493\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n## Get .NET Framework 3.5 Path\nkey = \"SOFTWARE\\Microsoft\\.NETFramework\\AssemblyFolders\\v3.5\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\npath = registry_get_sz(key:key, item:\"All Assemblies In\");\nif(! path) {\n exit(0);\n}\n\n## Get Version\ndllv3 = fetch_file_version(sysPath:path, file_name:\"System.Web.Extensions.dll\");\nif(! 
dllv3) {\n exit(0);\n}\n\n## .NET Framework 3.5 SP1 on Windows Server 2003, Windows Server 2008, Windows Vista, and Windows XP\nif((hotfix_missing(name:\"2657424\") == 1) && (hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3) > 0))\n{\n if(version_in_range(version:dllv3, test_version:\"3.5.30729.3000\", test_version2:\"3.5.30729.3677\")||\n version_in_range(version:dllv3, test_version:\"3.5.30729.5000\", test_version2:\"3.5.30729.5768\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n## .NET Framework 3.5.1 on Windows 7\nif((hotfix_missing(name:\"2656355\") == 1) && (hotfix_missing(name:\"2656356\") == 1) && (hotfix_check_sp(win7:2) > 0))\n{\n if(version_in_range(version:dllv3, test_version:\"3.5.30729.4000\", test_version2:\"3.5.30729.4957\")||\n version_in_range(version:dllv3, test_version:\"3.5.30729.5700\", test_version2:\"3.5.30729.5769\")||\n version_in_range(version:dllv3, test_version:\"3.5.30729.5400\", test_version2:\"3.5.30729.5445\")){\n security_message(0);\n }\n}\n", "naslFamily": "Windows : Microsoft Bulletins"}
{"openvas": [{"lastseen": "2020-01-08T14:05:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-3414", "CVE-2011-3417", "CVE-2011-3416", "CVE-2011-3415"], "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS11-100.", "modified": "2020-01-07T00:00:00", "published": "2011-12-30T00:00:00", "id": "OPENVAS:1361412562310902806", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902806", "type": "openvas", "title": "Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902806\");\n script_version(\"2020-01-07T09:06:32+0000\");\n script_bugtraq_id(51186);\n script_cve_id(\"CVE-2011-3414\", \"CVE-2011-3415\", \"CVE-2011-3416\", \"CVE-2011-3417\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-07 09:06:32 +0000 (Tue, 07 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-12-30 10:10:10 +0530 (Fri, 30 Dec 2011)\");\n script_name(\"Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)\");\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/903934\");\n script_xref(name:\"URL\", value:\"http://www.ocert.org/advisories/ocert-2011-003.html\");\n script_xref(name:\"URL\", value:\"http://www.nruns.com/_downloads/advisory28122011.pdf\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-100\");\n script_xref(name:\"URL\", value:\"http://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/registry_enumerated\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow attacker to cause a denial of service,\n conduct spoofing attacks or bypass certain security 
restrictions.\");\n script_tag(name:\"affected\", value:\"- Microsoft .NET Framework 4\n\n - Microsoft .NET Framework 3.5.1\n\n - Microsoft .NET Framework 3.5 Service Pack 1\n\n - Microsoft .NET Framework 2.0 Service Pack 2\n\n - Microsoft .NET Framework 1.1 Service Pack 1\");\n script_tag(name:\"insight\", value:\"- An error within ASP.NET when hashing form posts and updating a hash table.\n This can be exploited to cause a hash collision resulting in high CPU\n consumption via a specially crafted form sent in a HTTP POST request.\n\n - Open redirect vulnerability in the Forms Authentication feature in the\n ASP.NET subsystem allows remote attackers to redirect users to arbitrary\n web sites and conduct phishing attacks via a crafted return URL.\n\n - The Forms Authentication feature in the ASP.NET subsystem allows remote\n authenticated users to obtain access to arbitrary user accounts via a\n crafted username.\n\n - The Forms Authentication feature in the ASP.NET subsystem when sliding\n expiry is enabled, does not properly handle cached content, which allows\n remote attackers to obtain access to arbitrary user accounts via a crafted\n URL.\");\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS11-100.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\ASP.NET\\\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\nforeach item (registry_enum_keys(key:key))\n{\n path = registry_get_sz(key:key + item, item:\"Path\");\n if(\"\\Microsoft.NET\\Framework\" >< path)\n {\n if(\"v4.0\" >< path){\n dllv4 = fetch_file_version(sysPath:path, file_name:\"System.Web.Extensions.dll\");\n }\n\n if(\"v2.0\" >< path){\n dllv2 = fetch_file_version(sysPath:path, file_name:\"System.Web.dll\");\n }\n\n if(\"v1.1\" >< path){\n dllv1 = fetch_file_version(sysPath:path, file_name:\"System.Web.dll\");\n }\n }\n}\n\n## .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7\nif((hotfix_missing(name:\"2656351\") == 1) && dllv4)\n{\n if(version_in_range(version:dllv4, test_version:\"4.0.30319.000\", test_version2:\"4.0.30319.271\")||\n version_in_range(version:dllv4, test_version:\"4.0.30319.500\", test_version2:\"4.0.30319.546\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\n## .NET Framework 2 on Windows XP and Windows Server 2003\nif((hotfix_missing(name:\"2656352\") == 1) && (hotfix_check_sp(xp:4, win2003:3) > 0) && dllv2)\n{\n if(version_in_range(version:dllv2, test_version:\"2.0.50727.0000\", test_version2:\"2.0.50727.3633\")||\n version_in_range(version:dllv2, test_version:\"2.0.50727.5000\", test_version2:\"2.0.50727.5709\"))\n {\n security_message( port: 0, data: \"The 
target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\n## .NET Framework 2 on Windows Vista and Windows Server 2008\nif((hotfix_missing(name:\"2656362\") == 1) && (hotfix_check_sp(winVista:3, win2008:3) > 0) && dllv2)\n{\n if(version_in_range(version:dllv2, test_version:\"2.0.50727.0000\", test_version2:\"2.0.50727.4222\")||\n version_in_range(version:dllv2, test_version:\"2.0.50727.5000\", test_version2:\"2.0.50727.5709\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\n## .NET Framework 1.1 SP1 on Windows Server 2003 SP2, Windows XP, Windows Vista, and Windows Server 2008\nif(dllv1 && (((hotfix_missing(name:\"2656358\") == 1) && (hotfix_check_sp(win2003:3) > 0)) ||\n ((hotfix_missing(name:\"2656353\") == 1) && (hotfix_check_sp(xp:4, winVista:3, win2008:3) > 0))))\n{\n if(version_in_range(version:dllv1, test_version:\"1.1.4322.0\", test_version2:\"1.1.4322.2493\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\nkey = \"SOFTWARE\\Microsoft\\.NETFramework\\AssemblyFolders\\v3.5\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\npath = registry_get_sz(key:key, item:\"All Assemblies In\");\nif(! path) {\n exit(0);\n}\n\ndllv3 = fetch_file_version(sysPath:path, file_name:\"System.Web.Extensions.dll\");\nif(! 
dllv3) {\n exit(0);\n}\n\n## .NET Framework 3.5 SP1 on Windows Server 2003, Windows Server 2008, Windows Vista, and Windows XP\nif((hotfix_missing(name:\"2657424\") == 1) && (hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3) > 0))\n{\n if(version_in_range(version:dllv3, test_version:\"3.5.30729.3000\", test_version2:\"3.5.30729.3677\")||\n version_in_range(version:dllv3, test_version:\"3.5.30729.5000\", test_version2:\"3.5.30729.5768\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\n## .NET Framework 3.5.1 on Windows 7\nif((hotfix_missing(name:\"2656355\") == 1) && (hotfix_missing(name:\"2656356\") == 1) && (hotfix_check_sp(win7:2) > 0))\n{\n if(version_in_range(version:dllv3, test_version:\"3.5.30729.4000\", test_version2:\"3.5.30729.4957\")||\n version_in_range(version:dllv3, test_version:\"3.5.30729.5700\", test_version2:\"3.5.30729.5769\")||\n version_in_range(version:dllv3, test_version:\"3.5.30729.5400\", test_version2:\"3.5.30729.5445\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:45", "bulletinFamily": "software", "cvelist": ["CVE-2011-3414", "CVE-2011-3417", "CVE-2011-3416", "CVE-2011-3415"], "description": "DoS, multiple vulnerabilities in forms authentication.", "edition": 1, "modified": "2012-03-26T00:00:00", "published": "2012-03-26T00:00:00", "id": "SECURITYVULNS:VULN:12121", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12121", "title": "Microsoft .Net multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:43", "bulletinFamily": "software", "cvelist": ["CVE-2011-3416"], "description": "SEC Consult Vulnerability Lab Security Advisory < 20111230-0 
>\r\n=======================================================================\r\n title: Microsoft ASP.NET Forms Authentication Bypass\r\n product: Microsoft .NET Framework\r\n vulnerable version: Microsoft .NET Framework Version:4.0.30319; \r\n ASP.NET Version:4.0.30319.237 and below\r\n fixed version: MS11-100\r\n CVE: CVE-2011-3416\r\n impact: critical\r\n homepage: http://www.microsoft.com/net\r\n found: 2011-10-02\r\n by: K. Gudinavicius / SEC Consult Vulnerability Lab \r\n m. / SEC Consult Vulnerability Lab\r\n https://www.sec-consult.com \r\n=======================================================================\r\n\r\nVendor description:\r\n-------------------\r\n".NET is an integral part of many applications running on Windows and\r\nprovides common functionality for those applications to run. This\r\ndownload is for people who need .NET to run an application on their\r\ncomputer. For developers, the .NET Framework provides a comprehensive\r\nand consistent programming model for building applications that have\r\nvisually stunning user experiences and seamless and secure\r\ncommunication."\r\n\r\nSource: http://www.microsoft.com/net\r\n\r\n\r\n\r\nVulnerability overview/description:\r\n-----------------------------------\r\nThe null byte termination vulnerability exists in the\r\nCopyStringToUnAlingnedBuffer() function of the webengine4.dll library\r\nused by the .NET framework. The unicode string length is determined\r\nusing the lstrlenW function. The lstrlenW function returns the length\r\nof the string, in characters not including the terminating null\r\ncharacter. If the unicode string containing a null byte is passed, its\r\nlength is incorrectly calculated, so only characters before the null\r\nbyte are copied into the buffer.\r\n\r\nThis vulnerability can be leveraged into an authentication bypass\r\nvulnerability. 
Microsoft ASP.NET membership system depends on the\r\nFormsAuthentication.SetAuthCookie(username, false) method for certain\r\nfunctionality. By exploiting this vulnerability an attacker is able to\r\nlog on as a different existing user with all the privileges of the\r\ntargeted user (e.g. admin).\r\n\r\n\r\n\r\nProof of concept:\r\n-----------------\r\n\r\nDetailed exploit information and source code references have been\r\nremoved from this advisory.\r\n\r\nAn attacker is able to bypass authentication in certain functionality\r\nusing null bytes and log on as another user, e.g. admin.\r\n\r\n\r\nVulnerable / tested versions:\r\n-----------------------------\r\nThe vulnerability has been verified to exist in Microsoft .NET Framework\r\nVersion:4.0.30319; ASP.NET Version:4.0.30319.237, which was the most\r\nrecent version at the time of discovery.\r\n\r\nMore information regarding affected versions is available within the\r\nadvisory of Microsoft:\r\nhttp://technet.microsoft.com/en-us/security/bulletin/ms11-100\r\n\r\n\r\nVendor contact timeline:\r\n------------------------\r\n2011-10-07: Contacted vendor through secure@microsoft.com\r\n2011-10-07: Vendor response, MSRC 11838\r\n2011-10-14: Contacted MSRC asking for status\r\n2011-10-15: Answer from case manager: the vulnerability will be\r\n addressed through a security bulletin, a timeframe is\r\n unknown.\r\n2011-11-23: Contacted MSRC asking for status\r\n2011-11-23: Answer from case manager: a release date of update is\r\n unknown, best guess would be a month before or after the\r\n March (2012) update cycle\r\n2011-12-29: Microsoft publishes out-of-band security patch MS11-100\r\n which also addresses this vulnerability\r\n2011-12-30: SEC Consult releases redacted version of advisory due to\r\n criticality of this issue\r\n\r\nSEC Consult will release a more detailed advisory at a later date.\r\n\r\n\r\n\r\nSolution:\r\n---------\r\nImmediately apply the MS11-100 
patch:\r\nhttp://technet.microsoft.com/en-us/security/bulletin/ms11-100\r\n\r\n\r\nWorkaround:\r\n-----------\r\nIn .NET 4.0 the vulnerability can be mitigated by setting the\r\nticketCompatibilityMode attribute in the application or global\r\nweb.config file like this:\r\n\r\n<system.web>\r\n <authentication mode="Forms">\r\n <forms ticketCompatibilityMode="Framework40" />\r\n </authentication>\r\n</system.web>\r\n\r\n\r\n\r\nAdvisory URL:\r\n-------------\r\nhttps://www.sec-consult.com/en/advisories.html\r\n\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nSEC Consult Unternehmensberatung GmbH\r\n\r\nOffice Vienna\r\nMooslackengasse 17\r\nA-1190 Vienna\r\nAustria\r\n\r\nTel.: +43 / 1 / 890 30 43 - 0\r\nFax.: +43 / 1 / 890 30 43 - 25\r\nMail: research at sec-consult dot com\r\nhttps://www.sec-consult.com\r\n\r\nEOF K. Gudinavicius, J. Greil / @2011\r\n", "edition": 1, "modified": "2012-01-02T00:00:00", "published": "2012-01-02T00:00:00", "id": "SECURITYVULNS:DOC:27499", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27499", "title": "SEC Consult SA-20111230-0 :: Critical authentication bypass in Microsoft ASP.NET Forms - CVE-2011-3416", "type": "securityvulns", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-02-01T06:14:58", "description": "The remote Windows host is running a version of the Microsoft ASP.NET\nFramework that has multiple vulnerabilities. These include:\n\n - A flaw exists in the way ASP.NET generates hash tables\n for user-supplied values. By sending a small number of\n specially crafted posts to an ASP.NET server, an\n attacker can take advantage of this flaw to cause a\n denial of service condition. (CVE-2011-3414)\n\n - The Framework does not properly validate return URLs\n during the forms authentication process, which could\n allow an attacker to redirect a victim to a malicious\n website. 
(CVE-2011-3415)\n\n - ASP.NET forms authentication contains a vulnerability\n that could allow an attacker that already has a\n registered user on an application to gain the\n privileges of another known user. (CVE-2011-3416)\n\n - An elevation of privilege vulnerability exists in the\n way that ASP.NET Framework handles cached content when\n Forms Authentication is used with sliding expiry. An\n attacker can take advantage of this vulnerability to\n execute code in the context of a target user by\n tricking the user into visiting a specially crafted\n link. (CVE-2011-3417)", "edition": 26, "published": "2011-12-29T00:00:00", "title": "MS11-100: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-3414", "CVE-2011-3417", "CVE-2011-3416", "CVE-2011-3415"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:.net_framework"], "id": "SMB_NT_MS11-100.NASL", "href": "https://www.tenable.com/plugins/nessus/57414", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(57414);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\n \"CVE-2011-3414\",\n \"CVE-2011-3415\",\n \"CVE-2011-3416\",\n \"CVE-2011-3417\"\n );\n script_bugtraq_id(51186, 51201, 51202, 51203);\n script_xref(name:\"CERT\", value:\"903934\");\n script_xref(name:\"MSFT\", value:\"MS11-100\");\n script_xref(name:\"MSKB\", value:\"2656351\");\n script_xref(name:\"MSKB\", value:\"2656356\");\n script_xref(name:\"MSKB\", value:\"2657424\");\n script_xref(name:\"MSKB\", value:\"2656352\");\n script_xref(name:\"MSKB\", value:\"2656362\");\n script_xref(name:\"MSKB\", value:\"2656355\");\n script_xref(name:\"MSKB\", value:\"2656358\");\n script_xref(name:\"MSKB\", value:\"2656353\");\n\n script_name(english:\"MS11-100: Vulnerabilities in .NET Framework Could Allow 
Elevation of Privilege (2638420)\");\n script_summary(english:\"Checks version of System.Web.dll / System.web.Extensions.dll\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The version of ASP.NET Framework installed on the remote host is\naffected by multiple vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote Windows host is running a version of the Microsoft ASP.NET\nFramework that has multiple vulnerabilities. These include:\n\n - A flaw exists in the way ASP.NET generates hash tables\n for user-supplied values. By sending a small number of\n specially crafted posts to an ASP.NET server, an\n attacker can take advantage of this flaw to cause a\n denial of service condition. (CVE-2011-3414)\n\n - The Framework does not properly validate return URLs\n during the forms authentication process, which could\n allow an attacker to redirect a victim to a malicious\n website. (CVE-2011-3415)\n\n - ASP.NET forms authentication contains a vulnerability\n that could allow an attacker that already has a\n registered user on an application to gain the\n privileges of another known user. (CVE-2011-3416)\n\n - An elevation of privilege vulnerability exists in the\n way that ASP.NET Framework handles cached content when\n Forms Authentication is used with sliding expiry. An\n attacker can take advantage of this vulnerability to\n execute code in the context of a target user by\n tricking the user into visiting a specially crafted\n link. 
(CVE-2011-3417)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nruns.com/_downloads/advisory28122011.pdf\");\n # https://www.sec-consult.com/files/20120328-1_asp.net_authentication_bypass_v1.0.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f313f636\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-100\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Microsoft has released a set of patches for the .NET Framework on\nWindows XP, 2003, Vista, 2008, 7, and 2008 R2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/12/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/12/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:.net_framework\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n 
exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS11-100';\nkbs = make_list('2656351', '2656356', '2657424', '2656352', '2656362', '2656355', '2656358', '2656353');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (\"Windows Embedded\" >< productname) exit(0, \"The host is running \"+productname+\" and hence is not affected.\");\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nvuln = 0;\nass_dir = hotfix_get_programfilesdir() + \"\\Reference Assemblies\\Microsoft\\Framework\";\n\n# .NET Framework 1.1 on XP, Windows Server 2003 64-bit, Vista, and Server 2008\nmissing = 0;\nmissing += hotfix_is_vulnerable(os:\"5.1\", arch:\"x86\", sp:3, file:\"System.Web.dll\", version:\"1.1.4322.2494\", dir:\"\\Microsoft.NET\\Framework\\v1.1.4322\");\nmissing += hotfix_is_vulnerable(os:\"5.2\", arch:\"x64\", sp:2, file:\"System.Web.dll\", version:\"1.1.4322.2494\", dir:\"\\Microsoft.NET\\Framework\\v1.1.4322\");\nif (hotfix_check_server_core() != 1)\n{\n missing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"System.Web.dll\", version:\"1.1.4322.2494\", dir:\"\\Microsoft.NET\\Framework\\v1.1.4322\");\n}\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2656353');\nvuln += missing;\n\n# .NET Framework 1.1 on Windows Server 2003 SP2\nmissing = 
0;\nmissing += hotfix_is_vulnerable(os:\"5.2\", arch:\"x86\", sp:2, file:\"system.web.dll\", version:\"1.1.4322.2494\", dir:\"\\Microsoft.NET\\Framework\\v1.1.4322\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2656358');\nvuln += missing;\n\n# .NET Framework 2.0 SP2 on Windows XP / Server 2003\nmissing = 0;\nmissing += hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"System.Web.dll\", version:\"2.0.50727.5710\", min_version:\"2.0.50727.5000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\nmissing += hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"System.Web.dll\", version:\"2.0.50727.3634\", min_version:\"2.0.50727.3000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\nmissing += hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"System.Web.dll\", version:\"2.0.50727.5710\", min_version:\"2.0.50727.5000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\nmissing += hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"System.Web.dll\", version:\"2.0.50727.3634\", min_version:\"2.0.50727.3000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2656352\");\nvuln += missing;\n\n# .NET Framework 2.0 SP2 on Windows Vista SP2 / Server 2008 SP2\nmissing = 0;\nif (hotfix_check_server_core() != 1)\n{\n missing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"system.web.dll\", version:\"2.0.50727.5710\", min_version:\"2.0.50727.5000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n missing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"system.web.dll\", version:\"2.0.50727.4223\", min_version:\"2.0.50727.4000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n}\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2656362\");\nvuln += missing;\n\n# .NET 3.5 SP1 on XP, 2k3, Vista, 2k8\nmissing = 0;\nmissing += hotfix_is_vulnerable(os:\"5.1\", file:\"System.Web.Extensions.dll\", version:\"3.5.30729.3678\", min_version:\"3.5.30729.0\", path:ass_dir + \"\\v3.5\");\nmissing += 
hotfix_is_vulnerable(os:\"5.1\", file:\"System.Web.Extensions.dll\", version:\"3.5.30729.5769\", min_version:\"3.5.30729.5000\", path:ass_dir + \"\\v3.5\");\nmissing += hotfix_is_vulnerable(os:\"5.2\", file:\"System.Web.Extensions.dll\", version:\"3.5.30729.3678\", min_version:\"3.5.30729.0\", path:ass_dir + \"\\v3.5\");\nmissing += hotfix_is_vulnerable(os:\"5.2\", file:\"System.Web.Extensions.dll\", version:\"3.5.30729.5769\", min_version:\"3.5.30729.5000\", path:ass_dir + \"\\v3.5\");\nif (hotfix_check_server_core() != 1)\n{\n missing += hotfix_is_vulnerable(os:\"6.0\", file:\"System.Web.Extensions.dll\", version:\"3.5.30729.3678\", min_version:\"3.5.30729.0\", path:ass_dir + \"\\v3.5\");\n missing += hotfix_is_vulnerable(os:\"6.0\", file:\"System.Web.Extensions.dll\", version:\"3.5.30729.5769\", min_version:\"3.5.30729.5000\", path:ass_dir + \"\\v3.5\");\n}\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2657424');\nvuln += missing;\n\n# .NET Framework 3.5.1 on Windows 7 / Server 2008 R2\nmissing = 0;\nmissing += hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"system.web.dll\", version:\"2.0.50727.5710\", min_version:\"2.0.50727.5000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\nmissing += hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"system.web.dll\", version:\"2.0.50727.4971\", min_version:\"2.0.50727.4000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2656355\");\nvuln += missing;\n\n# .NET Framework 3.5.1 on Windows 7 SP1 / Server 2008 R2 SP1\nmissing = 0;\nmissing += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"system.web.dll\", version:\"2.0.50727.5456\", min_version:\"2.0.50727.5400\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\nmissing += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"system.web.dll\", version:\"2.0.50727.5710\", min_version:\"2.0.50727.5700\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, 
kb:\"2656356\");\nvuln += missing;\n\n# .NET Framework 4 on all supported versions of Windows\nmissing = 0;\nmissing += hotfix_is_vulnerable(os:\"5.1\", file:\"System.Web.dll\", version:\"4.0.30319.272\", min_version:\"4.0.30319.0\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\nmissing += hotfix_is_vulnerable(os:\"5.1\", file:\"System.Web.dll\", version:\"4.0.30319.547\", min_version:\"4.0.30319.500\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\nmissing += hotfix_is_vulnerable(os:\"5.2\", file:\"System.Web.dll\", version:\"4.0.30319.272\", min_version:\"4.0.30319.0\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\nmissing += hotfix_is_vulnerable(os:\"5.2\", file:\"System.Web.dll\", version:\"4.0.30319.547\", min_version:\"4.0.30319.500\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\nif (hotfix_check_server_core() != 1)\n{\n missing += hotfix_is_vulnerable(os:\"6.0\", file:\"System.Web.dll\", version:\"4.0.30319.272\", min_version:\"4.0.30319.0\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n missing += hotfix_is_vulnerable(os:\"6.0\", file:\"System.Web.dll\", version:\"4.0.30319.547\", min_version:\"4.0.30319.500\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n}\nmissing += hotfix_is_vulnerable(os:\"6.1\", file:\"System.Web.dll\", version:\"4.0.30319.272\", min_version:\"4.0.30319.0\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\nmissing += hotfix_is_vulnerable(os:\"6.1\", file:\"System.Web.dll\", version:\"4.0.30319.547\", min_version:\"4.0.30319.500\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2656351\");\nvuln += missing;\n\nif(vuln > 0)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T03:34:32", 
"description": "According to its self-reported version number, the remote Junos\ndevice has a denial of service vulnerability in the J-Web component.\nIt is possible to send requests to the web server that result in hash\ncollisions, resulting in CPU consumption.", "edition": 23, "published": "2012-07-17T00:00:00", "title": "Juniper Junos J-Web Hash Collision DoS (PSN-2012-07-650)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-3414"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:juniper:junos"], "id": "JUNIPER_PSN-2012-07-650.NASL", "href": "https://www.tenable.com/plugins/nessus/59994", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(59994);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/08/08 12:52:14\");\n\n #script_cve_id(\"CVE-2011-3414\"); # juniper lists this CVE in their advisory, but this CVE is specific to ASP.NET\n #script_bugtraq_id(51186); # ASP.NET\n script_xref(name:\"CERT\", value:\"903934\");\n\n script_name(english:\"Juniper Junos J-Web Hash Collision DoS (PSN-2012-07-650)\");\n script_summary(english:\"checks version and model\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote device has a denial of service vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"According to its self-reported version number, the remote Junos\ndevice has a denial of service vulnerability in the J-Web component.\nIt is possible to send requests to the web server that result in hash\ncollisions, resulting in CPU consumption.\"\n );\n # http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2012-07-650&viewMode=view\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6caa34c1\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Apply the relevant Junos upgrade referenced in Juniper advisory\nPSN-2012-07-650.\"\n );\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/07/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/07/17\");\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:juniper:junos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Junos Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"junos_version.nasl\");\n script_require_keys(\"Host/Juniper/model\", \"Host/Juniper/JUNOS/Version\");\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"junos.inc\");\n\nfixes['10.0'] = '10.0S25';\nfixes['10.4'] = '10.4R10';\nfixes['11.2'] = '11.2R7';\nfixes['11.3'] = '11.3R6';\nfixes['11.4'] = '11.4R3';\nfixes['12.1'] = '12.1R2';\n\nmodel = get_kb_item_or_exit('Host/Juniper/model');\nver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');\nfix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);\n\nif (report_verbosity > 0)\n{\n report = get_report(ver:ver, fix:fix, model:model);\n security_hole(port:0, extra:report);\n}\nelse security_hole(0);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "cve": [{"lastseen": "2021-02-02T05:51:06", "description": "The Forms Authentication feature in the ASP.NET subsystem in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0, when sliding expiry is enabled, does not properly handle cached content, which allows remote attackers to obtain access to arbitrary user accounts via a crafted URL, aka \"ASP.NET Forms Authentication Ticket Caching Vulnerability.\"", "edition": 5, "cvss3": {}, "published": 
"2011-12-30T01:55:00", "title": "CVE-2011-3417", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3417"], "modified": "2020-09-28T12:58:00", "cpe": ["cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_server_2003:*", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_xp:sp3", "cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_xp:*", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2011-3417", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3417", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:sp3:unknown:english:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:*:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:r2:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x86:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:x86:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp2:professional_x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:x64:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:51:06", 
"description": "The Forms Authentication feature in the ASP.NET subsystem in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0 allows remote authenticated users to obtain access to arbitrary user accounts via a crafted username, aka \"ASP.Net Forms Authentication Bypass Vulnerability.\"", "edition": 5, "cvss3": {}, "published": "2011-12-30T01:55:00", "title": "CVE-2011-3416", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3416"], "modified": "2020-09-28T12:58:00", "cpe": ["cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_server_2003:*", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_xp:sp3", "cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_xp:*", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2011-3416", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3416", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:sp3:unknown:english:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:*:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:r2:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x86:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:x86:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_xp:*:sp2:professional_x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:x64:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:51:06", "description": "Open redirect vulnerability in the Forms Authentication feature in the ASP.NET subsystem in Microsoft .NET Framework 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted return URL, aka \"Insecure Redirect in .NET Form Authentication Vulnerability.\"", "edition": 5, "cvss3": {}, "published": "2011-12-30T01:55:00", "title": "CVE-2011-3415", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3415"], "modified": "2020-09-28T12:58:00", "cpe": ["cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_server_2003:*", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_xp:sp3", "cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_xp:*", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2011-3415", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3415", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": 
["cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:sp3:unknown:english:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:*:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:r2:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x86:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:x86:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp2:professional_x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:x64:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:51:06", "description": "The CaseInsensitiveHashProvider.getHashCode function in the HashTable implementation in the ASP.NET subsystem in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka \"Collisions in HashTable May Cause DoS Vulnerability.\"", "edition": 5, "cvss3": {}, "published": "2011-12-30T01:55:00", "title": "CVE-2011-3414", "type": "cve", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3414"], "modified": "2020-09-28T12:58:00", "cpe": 
["cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_server_2003:*", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_xp:sp3", "cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_xp:*", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2011-3414", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3414", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:sp3:unknown:english:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:*:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:r2:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x86:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:x86:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp2:professional_x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:x64:*:*:*:*:*"]}], "mskb": [{"lastseen": "2021-01-01T22:45:01", "bulletinFamily": "microsoft", "cvelist": ["CVE-2011-3414", "CVE-2011-3417", "CVE-2011-3416"], "description": "<html><body><p>This article contains details for the ASP.NET update for the .NET Framework.</p><h2>Introduction</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS11-100. 
To view the complete security bulletin, visit one of the following Microsoft websites:<br/><ul class=\"sbody-free_list\"><li>Home users:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/security/pc-security/bulletins/201112.aspx\" id=\"kb-link-1\" target=\"_self\">http://www.microsoft.com/security/pc-security/bulletins/201112.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now:<br/><div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate\" id=\"kb-link-2\" target=\"_self\">http://update.microsoft.com/microsoftupdate</a></div></li><li>IT professionals:<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/security/bulletin/ms11-100\" id=\"kb-link-3\" target=\"_self\">http://technet.microsoft.com/security/bulletin/MS11-100</a></div></li></ul><span><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3> <br/>Help installing updates: <br/><a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-4\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-5\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your computer that is running Windows from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-6\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-7\" target=\"_self\">International Support</a><br/><br/></span><br/></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h4 class=\"sbody-h4\">Known issues and additional information about this security update</h4>The security updates that are offered in 
security bulletin MS11-100 change the way that ASP.NET creates forms authentication tickets. The new behavior is incompatible with the previous behavior. Tickets that are generated by using the new behavior cannot be read by servers that use the old behavior, and vice versa. Therefore, because of the ticket behavior change, administrators whose applications use forms authentication must take specific steps when they deploy the security updates offered in bulletin MS11-100 to make sure that all servers switch to the new behavior concurrently. <br/><br/>For more information, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2659968\" id=\"kb-link-8\">2659968 </a> Deployment guidance for security update 2638420, as described in MS11-100<br/></div>The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information. 
If this is the case, the known issue is listed below each article link.<br/><br/> <ul class=\"sbody-free_list\"><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2656351\" id=\"kb-link-9\">2656351 </a> MS11-100: Description of the security update for the .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: December 29, 2011<br/><br/></div></li><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2656356\" id=\"kb-link-10\">2656356 </a>\u00a0MS11-100: Description of the security update for the .NET Framework 3.5.1 on Windows 7 SP1 and\u00a0Windows Server 2008 R2 SP1: December 29, 2011 </div></li><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2657424\" id=\"kb-link-11\">2657424 </a>\u00a0MS11-100: Description of the security update for the .NET Framework 3.5 SP1 on Windows Server 2003, Windows Server 2008, Windows Vista, and Windows XP: December 29, 2011 \u00a0</div></li><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2656352\" id=\"kb-link-12\">2656352 </a>\u00a0MS11-100: Description of the security update for the .NET Framework 2.0 SP2 on Windows XP and\u00a0Windows Server 2003: December 29, 2011 </div></li><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2656362\" id=\"kb-link-13\">2656362 </a>\u00a0MS11-100: Description of the security update for the .NET Framework 2.0 SP2 on Windows Vista SP2 and\u00a0Windows Server 2008 SP2: December 29, 2011 </div></li><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2656355\" id=\"kb-link-14\">2656355 </a>\u00a0MS11-100: Description of the security update for the .NET Framework\u00a03.5.1 on Windows 7 and\u00a0Windows Server 2008 R2: December 29, 2011 </div></li><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2656358\" id=\"kb-link-15\">2656358 </a> MS11-100: 
Description of the security update for the .NET Framework 1.1 SP1 on 32-bit editions of Windows Server 2003 SP2: December 29, 2011<br/><br/></div></li><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2656353\" id=\"kb-link-16\">2656353 </a>\u00a0MS11-100: Description of the security update for the .NET Framework 1.1 SP1 on Windows XP, Windows Vista and Windows Server 2008, and on x64 and Itanium-based versions of Windows Server 2003: December 29, 2011\u00a0</div></li></ul></div></body></html>", "edition": 2, "modified": "2012-07-18T17:12:59", "id": "KB2638420", "href": "https://support.microsoft.com/en-us/help/2638420/", "published": "2011-12-29T00:00:00", "title": "MS11-100: Vulnerability in the .NET Framework could allow elevation of privilege: December 29, 2011", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T18:01:11", "description": "BUGTRAQ ID: 51201\r\nCVE ID: CVE-2011-3416\r\n\r\nASP.NET\u662f\u4e00\u5957\u7531Microsoft\u5206\u53d1\u7684\u5e2e\u52a9\u5f00\u53d1\u8005\u6784\u5efa\u57fa\u4e8eWEB\u5e94\u7528\u7684\u7cfb\u7edf\u3002\r\n\r\nMicrosoft .NET Framework\u5728\u7528\u6237\u9a8c\u8bc1\u7684\u5b9e\u73b0\u4e0a\u5b58\u5728\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u975e\u6cd5\u8bbf\u95ee\u53e6\u4e00\u4e2a\u7528\u6237\u8d26\u6237\uff0c\u4ee5\u5176\u6743\u9650\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002\u8981\u5229\u7528\u6b64\u6f0f\u6d1e\uff0c\u975e\u6cd5\u653b\u51fb\u8005\u9700\u8981\u5728ASP.NET\u5e94\u7528\u4e0a\u6ce8\u518c\u4e00\u4e2a\u5e10\u6237\u5e76\u4e86\u89e3\u76ee\u6807\u7528\u6237\u7684\u73b0\u6709\u5e10\u6237\u540d\uff0c\u7136\u540e\u4f7f\u7528\u4e4b\u524d\u6ce8\u518c\u7684\u8d26\u76ee\u540d\u8bbf\u95ee\u8be5\u5e10\u6237\u6765\u6784\u9020\u7279\u5236\u7684Web\u8bf7\u6c42\u3002\r\n0\r\nMicrosoft .NET Framework 4.x\r\nMicrosoft .NET Framework 3.x\r\nMicrosoft .NET Framework 2.x\r\nMicrosoft .NET 
Framework 1.x\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08ms11-100\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\n\r\nms11-100\uff1aVulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)\r\n\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/bulletin/ms11-100.mspx", "published": "2011-12-30T00:00:00", "title": "Microsoft .NET Framework \u7528\u6237\u9a8c\u8bc1\u6743\u9650\u63d0\u5347\u6f0f\u6d1e(CVE-2011-3416)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3416"], "modified": "2011-12-30T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-26123", "id": "SSV:26123", "sourceData": "", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T17:56:10", "description": "BUGTRAQ ID: 51203\r\nCVE ID: CVE-2011-3417\r\n\r\nASP.NET\u662f\u4e00\u5957\u7531Microsoft\u5206\u53d1\u7684\u5e2e\u52a9\u5f00\u53d1\u8005\u6784\u5efa\u57fa\u4e8eWEB\u5e94\u7528\u7684\u7cfb\u7edf\u3002\r\n\r\nMicrosoft .NET Framework\u5728\u5904\u7406\u7f13\u5b58\u5185\u5bb9\u7684\u65b9\u5f0f\u4e0a\u5b58\u5728\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff0c\u901a\u8fc7\u53d1\u9001\u7279\u5236\u7684\u94fe\u63a5\u5e76\u8bf1\u4f7f\u7528\u6237\u6253\u5f00\u6b64\u7c7b\u94fe\u63a5\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u6076\u610f\u4ee3\u7801\u3002\r\n0\r\nMicrosoft .NET Framework 4.x\r\nMicrosoft .NET Framework 3.x\r\nMicrosoft .NET Framework 2.x\r\nMicrosoft .NET Framework 1.x\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08ms11-100\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\n\r\nms11-100\uff1aVulnerabilities in .NET Framework Could Allow Elevation of Privilege 
(2638420)\r\n\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/bulletin/ms11-100.mspx", "published": "2011-12-30T00:00:00", "type": "seebug", "title": "Microsoft .NET Framework \u7f13\u5b58\u5904\u7406\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3417"], "modified": "2011-12-30T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-26128", "id": "SSV:26128", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T17:56:12", "description": "BUGTRAQ ID: 51202\r\nCVE ID: CVE-2011-3415\r\n\r\nASP.NET\u662f\u4e00\u5957\u7531Microsoft\u5206\u53d1\u7684\u5e2e\u52a9\u5f00\u53d1\u8005\u6784\u5efa\u57fa\u4e8eWEB\u5e94\u7528\u7684\u7cfb\u7edf\u3002\r\n\r\nMicrosoft .NET Framework\u5728\u8868\u5355\u9a8c\u8bc1\u8fc7\u7a0b\u4e2d\u9a8c\u8bc1\u8fd4\u56de\u7684URL\u65f6\u5b58\u5728\u6b3a\u9a97\u6f0f\u6d1e\uff0c\u6210\u529f\u5229\u7528\u6b64\u6f0f\u6d1e\u7684\u653b\u51fb\u8005\u53ef\u5c06\u7528\u6237\u91cd\u5b9a\u5411\u5230\u6076\u610f\u7ad9\u70b9\uff0c\u7136\u540e\u6267\u884c\u9493\u9c7c\u653b\u51fb\uff0c\u83b7\u53d6\u7528\u6237\u654f\u611f\u4fe1\u606f\u3002\u6b64\u6f0f\u6d1e\u4e0d\u5141\u8bb8\u653b\u51fb\u8005\u76f4\u63a5\u6267\u884c\u4ee3\u7801\u6216\u63d0\u5347\u5176\u7528\u6237\u6743\u9650\u3002\n0\nMicrosoft .NET Framework 4.x\r\nMicrosoft .NET Framework 3.x\r\nMicrosoft .NET Framework 2.x\r\nMicrosoft .NET Framework 1.x\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08ms11-100\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\n\r\nms11-100\uff1aVulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)\r\n\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/bulletin/ms11-100.mspx", "published": "2011-12-30T00:00:00", "type": "seebug", "title": "Microsoft .NET 
Framework\u8868\u5355\u9a8c\u8bc1URL\u5b58\u5728\u6b3a\u9a97\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3415"], "modified": "2011-12-30T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-26129", "id": "SSV:26129", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T18:01:29", "description": "BUGTRAQ ID: 51186\r\nCVE ID: CVE-2011-3414\r\n\r\nASP.NET\u662f\u4e00\u5957\u7531Microsoft\u5206\u53d1\u7684\u5e2e\u52a9\u5f00\u53d1\u8005\u6784\u5efa\u57fa\u4e8eWEB\u5e94\u7528\u7684\u7cfb\u7edf\u3002\r\n\r\nMicrosoft ASP.NET\u5728\u5904\u7406\u5176\u8868\u5355\u8bf7\u6c42\u503c\u65f6\u4f1a\u9020\u6210\u54c8\u5e0c\u51b2\u7a81\uff0c\u653b\u51fb\u8005\u901a\u8fc7\u53d1\u9001\u4e00\u4e9b\u7279\u5236\u7684ASP.NET\u8868\u5355\u8bf7\u6c42\u5230\u53d7\u5f71\u54cdASP.NET\u7ad9\u70b9\u5229\u7528\u6b64\u6f0f\u6d1e\u5bfc\u81f4\u4f7f\u7528ASP.NET\u7684\u7ad9\u70b9CPU\u5360\u7528\u7387\u5267\u589e\uff0c\u5931\u53bb\u54cd\u5e94\u6b63\u5e38\u60c5\u51b5\u7684\u80fd\u529b\u3002\n0\nMicrosoft .NET Framework 4.x\r\nMicrosoft .NET Framework 3.x\r\nMicrosoft .NET Framework 2.x\r\nMicrosoft .NET Framework 1.x\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff082659883\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\n\r\n2659883\uff1aVulnerability in ASP.NET Could Allow Denial of Service\r\n\r\n\u94fe\u63a5\uff1ahttp://technet.microsoft.com/en-us/security/advisory/2659883", "published": "2011-12-29T00:00:00", "title": "Microsoft ASP.NET\u54c8\u5e0c\u51b2\u7a81\u8fdc\u7a0b\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3414"], "modified": "2011-12-29T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-26122", "id": "SSV:26122", "sourceData": "", "cvss": {"score": 7.8, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": ""}], "jvn": [{"lastseen": "2019-05-29T17:21:42", "bulletinFamily": "info", "cvelist": ["CVE-2011-3415"], "description": "\n ## Description\n\nASP.NET provided by Microsoft contains an open redirect vulnerability due to an issue in the login component. Therefore a web application that implements ASP.NET may be vulnerable. \n\n\n ## Impact\n\nThe user who accesses the web application that implements ASP.NET may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. \n\n\n ## Solution\n\n**Update the software** \nThis vulnerability was resolved in [MS11-100](<https://technet.microsoft.com/en-us/security/bulletin/ms11-100>). \nApply the update according to the information provided by Microsoft. \n\n\n ## Products Affected\n\n * ASP.NET\n", "edition": 4, "modified": "2013-11-15T00:00:00", "published": "2013-11-15T00:00:00", "id": "JVN:71256611", "href": "http://jvn.jp/en/jp/JVN71256611/index.html", "title": "JVN#71256611: ASP.NET vulnerable to open redirect", "type": "jvn", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:56", "description": "", "published": "2012-03-29T00:00:00", "type": "packetstorm", "title": "Microsoft ASP.NET Forms Authentication Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3416"], "modified": "2012-03-29T00:00:00", "id": "PACKETSTORM:111277", "href": "https://packetstormsecurity.com/files/111277/Microsoft-ASP.NET-Forms-Authentication-Bypass.html", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20120328-1 > \n======================================================================= \ntitle: Microsoft ASP.NET Forms Authentication Bypass \nproduct: Microsoft .NET Framework \nvulnerable version: Microsoft .NET Framework Version:4.0.30319; \nASP.NET Version:4.0.30319.237 and below \nfixed version: MS11-100 \nCVE: CVE-2011-3416 \nimpact: 
critical \nhomepage: http://www.microsoft.com/net \nfound: 2011-10-02 \nby: K. Gudinavicius / SEC Consult Vulnerability Lab \nm. / SEC Consult Vulnerability Lab \nhttps://www.sec-consult.com \n======================================================================= \n \nVendor description: \n------------------- \n\".NET is an integral part of many applications running on Windows and \nprovides common functionality for those applications to run. This \ndownload is for people who need .NET to run an application on their \ncomputer. For developers, the .NET Framework provides a comprehensive \nand consistent programming model for building applications that have \nvisually stunning user experiences and seamless and secure \ncommunication.\" \n \nSource: http://www.microsoft.com/net \n \n \n \nVulnerability overview/description: \n----------------------------------- \nThis advisory is an update to SEC Consult SA-20111230-0 with a detailed \nPoC section. \n \nFurthermore, SEC Consult created a PoC video which can be found here: \n \nhttps://www.sec-consult.com/files/20120328-1_asp.net_authentication_bypass_MS11_100.mp4 \n \n \n \nThe null byte termination vulnerability exists in the \nCopyStringToUnAlingnedBuffer() function of the webengine4.dll library \nused by the .NET framework. The unicode string length is determined \nusing the lstrlenW function. The lstrlenW function returns the length \nof the string, in characters not including the terminating null \ncharacter. If the unicode string containing a null byte is passed, its \nlength is incorrectly calculated, so only characters before the null \nbyte are copied into the buffer. \n \nThis vulnerability can be leveraged into an authentication bypass \nvulnerability. Microsoft ASP.NET membership system depends on the \nFormsAuthentication.SetAuthCookie(username, false) method for certain \nfunctionality. 
By exploiting this vulnerability an attacker is able to \nlog on as a different existing user with all the privileges of the \ntargeted user (e.g. admin). \n \n \n \nProof of concept: \n----------------- \n \nIf developers are programming the \"Microsoft way\" then they will use the \nstandard built-in controls for the membership management, for example, \n\"CreateUserWizard\" and \"Login\". The interesting one is \n\"CreateUserWizard\", which calls the CreateUser() function of the \nSystem.Web.Security.MembershipProvider class (Assembly: System.Web (in \nSystem.Web.dll)) with the parameters that the user has submitted to the \nform. \n \nThe only validation (besides ASP.NET request validation) of the username \nparameter is done by the ValidateParameter() function, which basically \nchecks the username length and if the username contains commas. \n \nSource code excerpt: \n \npublic override MembershipUser CreateUser(string username, string \npassword, string email, string passwordQuestion, string \npasswordAnswer, bool isApproved, object providerUserKey, out \nMembershipCreateStatus status) { <...> if \n(!SecUtility.ValidateParameter(ref username, true, true, true, \n0x100)) { status = MembershipCreateStatus.InvalidUserName; \nreturn null; \n} \n<...> \n \nSource code excerpt: \n \ninternal static bool ValidateParameter(ref string param, bool \ncheckForNull, bool checkIfEmpty, bool checkForCommas, int maxSize) { \nif (param == null) \n{ \nreturn !checkForNull; \n} \nparam = param.Trim(); \nreturn (((!checkIfEmpty || (param.Length >= 1)) && ((maxSize <= \n0) || (param.Length <= maxSize))) && (!checkForCommas \n|| !param.Contains(\",\"))); } \n \n \nThe new user info is stored in the database and if everything went \nsuccessfully (there is no duplicate username) function CreateUser() \nreturns a MembershipUser object which contains basic user information. 
\n \nSource code excerpt: \n \nproviderUserKey = new \nGuid(command.Parameters[\"@UserId\"].Value.ToString()); time = \ntime.ToLocalTime(); user = new MembershipUser(this.Name, \nusername, providerUserKey, email, passwordQuestion, null, \nisApproved, false, time, time, time, time, new DateTime(0x6da, \n1, 1)); Later on, the FormsAuthentication class (Assembly: \nSystem.Web (in System.Web.dll)) is used, its methods \nSetAuthCookie and GetAuthCookie get called with the username \ntaken from the MembershipUser object. The purpose of these \nfunctions is to create a FormsAuthentication ticket and set the \ncookie which will be used by the ASP.NET form authentication \nmechanism. The cookie is signed and encrypted using the machine \nkey. \n \nThe encryption function Encrypt() of the FormsAuthentication class \ncalls the MakeTicketIntoBinaryBlob() function, which converts \nFormsAuthentication ticket to the binary data. \n \nRelated stack trace: \n \n> System.Web.dll!System.Web.Security.FormsAuthentication.MakeTicketIntoBinaryBlob(System.Web.Security.FormsAuthenticationTicket \n> ticket = {System.Web.Security.FormsAuthenticationTicket}) Line \n> 534 C# \nSystem.Web.dll!System.Web.Security.FormsAuthentication.Encrypt(System.Web.Security.FormsAuthenticationTicket \nticket = {System.Web.Security.FormsAuthenticationTicket}, bool \nhexEncodedTicket = true) Line 253 + 0x9 bytes C# \nSystem.Web.dll!System.Web.Security.FormsAuthentication.GetAuthCookie(string \nuserName = \"admin\\0AAAAA\", bool createPersistentCookie = false, string \nstrCookiePath = \"/\", bool hexEncodedTicket = true) Line 309 + 0xd \nbytes C# \nSystem.Web.dll!System.Web.Security.FormsAuthentication.SetAuthCookie(string \nuserName = \"admin\\0AAAAA\", bool createPersistentCookie = false, string \nstrCookiePath = \"/\") Line 810 + 0x62 bytes C# \nSystem.Web.dll!System.Web.Security.FormsAuthentication.SetAuthCookie(string \nuserName = \"admin\\0AAAAA\", bool createPersistentCookie = false) Line \n799 C# \n \n 
\nIf the parameter's \"TicketCompatibilityMode\" value is set to \n\"Framework20\" (which is set by default: \nhttp://msdn.microsoft.com/en-us/library/system.web.configuration.ticketcompatibilitymode.aspx) \nthe native method CookieAuthConstructTicket() from the external library \nwebengine4.dll is called. The username is passed as the ticket.Name \nparameter, the result is returned in the dst buffer. \n \nSource code excerpt: \n \nprivate static byte[] \nMakeTicketIntoBinaryBlob(FormsAuthenticationTicket ticket) { \n<...> \nif (TicketCompatibilityMode == \nSystem.Web.Configuration.TicketCompatibilityMode.Framework20) { \nnum = \nSystem.Web.UnsafeNativeMethods.CookieAuthConstructTicket(dst, \ndst.Length, ticket.Name, ticket.UserData, ticket.CookiePath, \npBytes, pDates); } <...> \n \nSource code excerpt: \n \n[DllImport(\"webengine4.dll\", CharSet=CharSet.Unicode)] \ninternal static extern int CookieAuthConstructTicket(byte[] pData, \nint iDataLen, string szName, string szData, string szPath, byte[] \npBytes, long[] pDates); \n \nThe disassembly of the CookieAuthConstructTicket() function \n(webengine4.dll) shows that the CopyStringToUnAlignedBuffer() function \nis used to copy unicode string (Src) into the array (a1). 
\n \nPseudocode: \n \nint __stdcall CookieAuthConstructTicket(int a1, int a2, LPCWSTR Src, \nconst WCHAR *a4, const WCHAR *a5, int a6, int a7) { \nint v7; // eax@8 \nint result; // eax@9 \nint v9; // ecx@10 \nint v10; // eax@11 \nint v11; // ecx@12 \nint v12; // edi@13 \nint v13; // eax@13 \nint v14; // edi@14 \nint v15; // eax@14 \n \nif ( a1 && a2 >= 18 && Src && a4 && a5 && a6 && a7 ) \n{ \n*(_BYTE *)(a1 + 8) = *(_BYTE *)a6; \nv7 = CopyStringToUnAlingnedBuffer(Src, (void *)(a1 + 9), a2 - 9); \nif ( v7 < 2 \n|| (v9 = v7 + 17, v7 + 17 > a2) \n|| (*(_DWORD *)(v7 + a1 + 9) = *(_DWORD *)a7, \n*(_DWORD *)(v7 + a1 + 13) = *(_DWORD *)(a7 + 4), \nv10 = v7 + 18, \nv9 + 1 > a2) \n|| (*(_BYTE *)(v9 + a1) = *(_BYTE *)(a6 + 1), v11 = v9 + 9, v10 + \n8 > a2) || (*(_DWORD *)(v10 + a1) = *(_DWORD *)(a7 + 8), \n*(_DWORD *)(v10 + a1 + 4) = *(_DWORD *)(a7 + 12), \nv12 = v10 + 8, \nv13 = CopyStringToUnAlingnedBuffer(a4, (void *)(a1 + v11), a2 \n- v11), v13 < 2) \n|| (v14 = v13 + v12, v15 = CopyStringToUnAlingnedBuffer(a5, (void \n*)(a1 + v14), a2 - v14), v15 < 2) ) result = -2147418113; \nelse \nresult = v15 + v14; \n} \nelse \n{ \nresult = -2147024809; \n} \nreturn result; \n} \n \n \nThe analysis of the CopyStringToUnAlignedBuffer() function reveals that \nthe unicode string length is determined using the lstrlenW function. \nThe function returns the length of the string, in characters not \nincluding the terminating null character. This is the reason why the \nauthentication bypass occurs. If the unicode string (in our case \nusername) containing a null byte is passed, its length is incorrectly \ncalculated, so only characters before the null byte are copied into the \nbuffer. For example, the string \"admin\\0AAAAAAA\" becomes \"admin\". 
\n \nPseudocode: \n \nsigned int __stdcall CopyStringToUnAlingnedBuffer(LPCWSTR Src, void \n*Dst, signed int a3) { \nint v3; // eax@4 \nint v4; // esi@4 \nsigned int result; // eax@5 \n \nif ( Src && Dst && a3 >= 2 ) \n{ \nv3 = lstrlenW(Src); \nv4 = 2 * v3 + 2; \nif ( v4 <= a3 ) \n{ \nmemcpy(Dst, Src, 2 * v3 + 2); \nresult = v4; \n} \nelse \n{ \nresult = -1; \n} \n} \nelse \n{ \nresult = 0; \n} \nreturn result; \n} \n \nThe data returned by the CookieAuthConstructTicket() function is then \nsigned and encrypted and set in the FormsAuthentication cookie, which \nis issued to the client. \n \n \n \n \nVulnerable / tested versions: \n----------------------------- \nThe vulnerability has been verified to exist in Microsoft .NET Framework \nVersion:4.0.30319; ASP.NET Version:4.0.30319.237, which was the most \nrecent version at the time of discovery. \n \nMore information regarding affected versions is available within the \nadvisory of Microsoft: \nhttp://technet.microsoft.com/en-us/security/bulletin/ms11-100 \n \n \nVendor contact timeline: \n------------------------ \n2011-10-07: Contacted vendor through secure@microsoft.com \n2011-10-07: Vendor response, MSRC 11838 \n2011-10-14: Contacted MSRC asking for status \n2011-10-15: Answer from case manager: the vulnerability will be \naddressed through a security bulletin, a timeframe is \nunknown. \n2011-11-23: Contacted MSRC asking for status \n2011-11-23: Answer from case manager: a release date of update is \nunknown, best guess would be a month before or after the \nMarch (2012) update cycle \n2011-12-29: Microsoft publishes out-of-band security patch MS11-100 \nwhich also addresses this vulnerability \n2011-12-30: SEC Consult releases redacted version of advisory due to \ncriticality of this issue \n2012-03-28: SEC Consult releases detailed advisory incl. 
PoC video in \ncoordination with Microsoft \n \n \n \nSolution: \n--------- \nImmediately apply the MS11-100 patch: \nhttp://technet.microsoft.com/en-us/security/bulletin/ms11-100 \n \n \nWorkaround: \n----------- \nIn .NET 4.0 the vulnerability can be mitigated by setting the \nticketCompatibilityMode attribute in the application or global \nweb.config file like this: \n \n<system.web> \n<authentication mode=\"Forms\"> \n<forms ticketCompatibilityMode=\"Framework40\" /> \n</authentication> \n</system.web> \n \n \n \nAdvisory URL: \n------------- \nhttps://www.sec-consult.com/en/advisories.html \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nSEC Consult Unternehmensberatung GmbH \n \nOffice Vienna \nMooslackengasse 17 \nA-1190 Vienna \nAustria \n \nTel.: +43 / 1 / 890 30 43 - 0 \nFax.: +43 / 1 / 890 30 43 - 25 \nMail: research at sec-consult dot com \nhttps://www.sec-consult.com \n \nEOF K. Gudinavicius, J. Greil / @2012 \n \n`\n", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/111277/SA-20120328-1.txt"}], "cert": [{"lastseen": "2020-09-18T20:42:01", "bulletinFamily": "info", "cvelist": ["CVE-2011-3414", "CVE-2011-4815", "CVE-2011-4838", "CVE-2011-4885"], "description": "### Overview \n\nSome programming language implementations do not sufficiently randomize their hash functions or provide means to limit key collision attacks, which can be leveraged by an unauthenticated attacker to cause a denial-of-service (DoS) condition.\n\n### Description \n\nMany applications, including common web framework implementations, use hash tables to map key values to associated entries. If the hash table contains entries for different keys that map to the same hash value, a hash collision occurs and additional processing is required to determine which entry is appropriate for the key. 
If an attacker can generate many requests containing colliding key values, an application performing the hash table lookup may enter a denial of service condition.\n\nHash collision denial-of-service attacks were first [detailed](<http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf>) in 2003, but [recent research](<http://www.nruns.com/_downloads/advisory28122011.pdf>) details how these attacks apply to modern language hash table implementations. \n \n--- \n \n### Impact \n\nAn application can be forced into a denial-of-service condition. In the case of some web application servers, specially-crafted POST form data may result in a denial-of-service. \n \n--- \n \n### Solution \n\n**Apply an update** \nPlease review the Vendor Information section of this document for vendor-specific patch and workaround details. \n \n--- \n \n \n**Limit CPU time** \n \nLimiting the processing time for a single request can help minimize the impact of malicious requests. \n \n**Limit maximum POST size** \n \nLimiting the maximum POST request size can reduce the number of possible predictable collisions, thus reducing the impact of an attack. \n \n**Limit maximum request parameters** \n \nSome servers offer the option to limit the number of parameters per request, which can also minimize impact. \n \n--- \n \n### Vendor Information\n\n903934\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Apache Tomcat __ Affected\n\nUpdated: December 28, 2011 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nAccording to the n.runs AG advisory: \n\"Tomcat has released updates (7.0.23, 6.0.35) for this issue which limit the number of request parameters using a configuration parameter. 
The default value of 10.000 should provide sufficient protection.\"\n\n### Vendor References\n\n * <http://tomcat.apache.org/tomcat-7.0-doc/changelog.html>\n\n### Microsoft Corporation __ Affected\n\nNotified: November 01, 2011 Updated: December 29, 2011 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nMicrosoft has released an update to the .NET Framework with [Microsoft Security Bulletin MS11-100](<http://technet.microsoft.com/en-us/security/bulletin/ms11-100.mspx>), which addresses this issue.\n\n### Vendor References\n\n * <http://technet.microsoft.com/en-us/security/bulletin/ms11-100.mspx>\n * <http://technet.microsoft.com/en-us/security/advisory/2659883>\n * <http://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx>\n\n### Oracle Corporation __ Affected\n\nNotified: November 01, 2011 Updated: February 15, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Addendum\n\nNew information regarding this vulnerability in Java 8 was provided in February 2016, which was sent to Oracle for review.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23903934 Feedback>).\n\n### Ruby __ Affected\n\nNotified: November 01, 2011 Updated: December 28, 2011 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nAccording to the n.runs AG advisory: \n\"CRuby and JRuby provide updates for this issue with a randomized hash function (CRuby 1.8.7-p357, JRuby 1.6.5.1, CVE-2011-4815).\"\n\n### Vendor References\n\n * <http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/391606>\n\n### The PHP 
Group __ Affected\n\nUpdated: December 28, 2011 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nAccording to the n.runs AG advisory: \n\"PHP 5 uses the DJBX33A (Dan Bernstein's times 33, addition) hash function and parses POST form data into the $_POST hash table. Because of the structure of the hash function, it is vulnerable to an equivalent substring attack.\"\n\nFrom the Workarounds section: \n\"The easiest way to reduce the impact of such an attack is to reduce the CPU time that a request is allowed to take. For PHP, this can be configured using the max_input_time parameter.\" \n \nPHP 5.4.0 RC4 has been released which adds a max_input_vars directive to help mitigate hash collision attacks. Please note that this is a release candidate, not a stable release.\n\n### Vendor References\n\n * <http://www.php.net/archive/2011.php#id2011-12-25-1>\n\n### Adobe Unknown\n\nNotified: November 01, 2011 Updated: November 01, 2011 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### IBM Corporation Unknown\n\nNotified: November 01, 2011 Updated: November 01, 2011 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 0 | AV:--/AC:--/Au:--/C:--/I:--/A:-- \nTemporal | 0 | E:ND/RL:ND/RC:ND \nEnvironmental | 0 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <http://www.ocert.org/advisories/ocert-2011-003.html>\n * <http://www.nruns.com/_downloads/advisory28122011.pdf>\n * <http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf>\n * 
<http://technet.microsoft.com/en-us/security/bulletin/ms11-100.mspx>\n\n### Acknowledgements\n\nThanks to Alexander Klink and Julian W\u00e4lde for reporting these vulnerabilities.\n\nThis document was written by Jared Allar and David Warren.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2011-4815](<http://web.nvd.nist.gov/vuln/detail/CVE-2011-4815>), [CVE-2011-3414](<http://web.nvd.nist.gov/vuln/detail/CVE-2011-3414>), [CVE-2011-4838](<http://web.nvd.nist.gov/vuln/detail/CVE-2011-4838>), [CVE-2011-4885](<http://web.nvd.nist.gov/vuln/detail/CVE-2011-4885>) \n---|--- \n**Severity Metric:** | 10.80 \n**Date Public:** | 2011-12-28 \n**Date First Published:** | 2011-12-28 \n**Date Last Updated: ** | 2016-02-15 20:05 UTC \n**Document Revision: ** | 41 \n", "modified": "2016-02-15T20:05:00", "published": "2011-12-28T00:00:00", "id": "VU:903934", "href": "https://www.kb.cert.org/vuls/id/903934", "type": "cert", "title": "Hash table implementations vulnerable to algorithmic complexity attacks", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}]}