title: Microsoft ASP.NET Forms Authentication Bypass
product: Microsoft .NET Framework
vulnerable version: Microsoft .NET Framework Version:4.0.30319;
ASP.NET Version:4.0.30319.237 and below
fixed version: MS11-100
CVE: CVE-2011-3416
impact: critical
homepage: http://www.microsoft.com/net
found: 2011-10-02
by: K. Gudinavicius / SEC Consult Vulnerability Lab
m. / SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
".NET is an integral part of many applications running on Windows and
provides common functionality for those applications to run. This
download is for people who need .NET to run an application on their
computer. For developers, the .NET Framework provides a comprehensive
and consistent programming model for building applications that have
visually stunning user experiences and seamless and secure
communication."
Source: http://www.microsoft.com/net
Vulnerability overview/description:
The null byte termination vulnerability exists in the
CopyStringToUnAlingnedBuffer() function of the webengine4.dll library
used by the .NET framework. The Unicode string length is determined
using the lstrlenW function, which returns the length of the string in
characters, not including the terminating null character. If a Unicode
string containing a null byte is passed, its length is incorrectly
calculated, so only the characters before the null byte are copied into
the buffer.
This vulnerability can be leveraged into an authentication bypass
vulnerability. The Microsoft ASP.NET membership system depends on the
FormsAuthentication.SetAuthCookie(username, false) method for certain
functionality. By exploiting this vulnerability, an attacker is able to
log on as a different existing user with all the privileges of the
targeted user (e.g. admin).
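The length mismatch described above, as an added C illustration (not code from the advisory or from webengine4.dll): a copy routine that sizes its input by scanning for NUL is shown beside a counted variant that refuses embedded NULs. Assumptions: `utf16_strlen` is a portable stand-in for lstrlenW, `copy_counted` is a hypothetical hardened form, and the sample names are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* UTF-16 code unit (WCHAR on Windows); uint16_t keeps the example portable. */
typedef uint16_t wchar16;

/* Constructed samples. A managed (counted) string may hold a NUL anywhere:
 * SAMPLE_EMBEDDED has 9 code units with a NUL at index 5. */
static const wchar16 SAMPLE_EMBEDDED[] = {'a','l','i','c','e',0,'x','y','z',0};
static const size_t SAMPLE_EMBEDDED_UNITS = 9;
static const wchar16 SAMPLE_PLAIN[] = {'a','l','i','c','e',0};
static const size_t SAMPLE_PLAIN_UNITS = 5;

/* Stand-in for lstrlenW: counts code units up to the first NUL. */
static size_t utf16_strlen(const wchar16 *s) {
    size_t n = 0;
    while (s[n] != 0) n++;
    return n;
}

/* Length comes from a NUL scan, so anything after an embedded NUL is lost.
 * Returns bytes written (terminator included), -1 if dst is too small,
 * 0 on bad arguments. */
int copy_nul_scanned(const wchar16 *src, void *dst, int dst_bytes) {
    if (!src || !dst || dst_bytes < 2) return 0;
    size_t units = utf16_strlen(src);
    if (units > ((size_t)dst_bytes - 2) / 2) return -1;
    memcpy(dst, src, 2 * units + 2);
    return (int)(2 * units + 2);
}

/* Hypothetical hardened variant: the caller supplies the managed length and
 * a name containing an embedded NUL is refused (-2) instead of truncated. */
int copy_counted(const wchar16 *src, size_t units, void *dst, int dst_bytes) {
    if (!src || !dst || dst_bytes < 2) return 0;
    if (units > ((size_t)dst_bytes - 2) / 2) return -1;
    for (size_t i = 0; i < units; i++)
        if (src[i] == 0) return -2;
    memcpy(dst, src, 2 * units);
    memset((unsigned char *)dst + 2 * units, 0, 2);
    return (int)(2 * units + 2);
}

/* Returns 1 when two names serialize to identical bytes after the
 * NUL-scanned copy, i.e. the native side can no longer tell them apart. */
int collide_after_nul_scan(const wchar16 *a, const wchar16 *b) {
    unsigned char ba[512], bb[512];
    int na = copy_nul_scanned(a, ba, (int)sizeof ba);
    int nb = copy_nul_scanned(b, bb, (int)sizeof bb);
    return na > 0 && na == nb && memcmp(ba, bb, (size_t)na) == 0;
}

int main(void) {
    unsigned char out[64];
    printf("managed length: %u units\n", (unsigned)SAMPLE_EMBEDDED_UNITS);
    printf("NUL-scanned copy wrote %d bytes\n",
           copy_nul_scanned(SAMPLE_EMBEDDED, out, (int)sizeof out));
    printf("collides with plain name: %d\n",
           collide_after_nul_scan(SAMPLE_EMBEDDED, SAMPLE_PLAIN));
    printf("counted copy result: %d\n",
           copy_counted(SAMPLE_EMBEDDED, SAMPLE_EMBEDDED_UNITS, out,
                        (int)sizeof out));
    printf("counted copy of plain name: %d\n",
           copy_counted(SAMPLE_PLAIN, SAMPLE_PLAIN_UNITS, out,
                        (int)sizeof out));
    return 0;
}
```

The same embedded-NUL check belongs wherever a counted string crosses into code that treats NUL as a terminator, including username validation at account creation.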
Proof of concept:
Detailed exploit information and source code references have been
removed from this advisory.
An attacker is able to bypass authentication in certain functionality
using null bytes and log on as another user, e.g. admin.
Vulnerable / tested versions:
The vulnerability has been verified to exist in Microsoft .NET Framework
Version:4.0.30319; ASP.NET Version:4.0.30319.237, which was the most
recent version at the time of discovery.
More information regarding affected versions is available within the
advisory of Microsoft:
http://technet.microsoft.com/en-us/security/bulletin/ms11-100
Vendor contact timeline:
2011-10-07: Contacted vendor through secure@microsoft.com
2011-10-07: Vendor response, MSRC 11838
2011-10-14: Contacted MSRC asking for status
2011-10-15: Answer from case manager: the vulnerability will be
            addressed through a security bulletin, a timeframe is
            unknown.
2011-11-23: Contacted MSRC asking for status
2011-11-23: Answer from case manager: a release date of update is
            unknown, best guess would be a month before or after the
            March (2012) update cycle
2011-12-29: Microsoft publishes out-of-band security patch MS11-100
            which also addresses this vulnerability
2011-12-30: SEC Consult releases redacted version of advisory due to
            criticality of this issue
SEC Consult will release a more detailed advisory at a later date.
Solution:
Immediately apply the MS11-100 patch:
http://technet.microsoft.com/en-us/security/bulletin/ms11-100
Workaround:
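In .NET 4.0 the vulnerability can be mitigated by setting the
ticketCompatibilityMode attribute in the application or global
web.config file like this:
<system.web>
  <authentication mode="Forms">
    <forms ticketCompatibilityMode="Framework40" />
  </authentication>
</system.web>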
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com
EOF K. Gudinavicius, J. Greil / @2011
{"id": "SECURITYVULNS:DOC:27499", "bulletinFamily": "software", "title": "SEC Consult SA-20111230-0 :: Critical authentication bypass in Microsoft ASP.NET Forms - CVE-2011-3416", "description": "SEC Consult Vulnerability Lab Security Advisory < 20111230-0 >\r\n=======================================================================\r\n title: Microsoft ASP.NET Forms Authentication Bypass\r\n product: Microsoft .NET Framework\r\n vulnerable version: Microsoft .NET Framework Version:4.0.30319; \r\n ASP.NET Version:4.0.30319.237 and below\r\n fixed version: MS11-100\r\n CVE: CVE-2011-3416\r\n impact: critical\r\n homepage: http://www.microsoft.com/net\r\n found: 2011-10-02\r\n by: K. Gudinavicius / SEC Consult Vulnerability Lab \r\n m. / SEC Consult Vulnerability Lab\r\n https://www.sec-consult.com \r\n=======================================================================\r\n\r\nVendor description:\r\n-------------------\r\n".NET is an integral part of many applications running on Windows and\r\nprovides common functionality for those applications to run. This\r\ndownload is for people who need .NET to run an application on their\r\ncomputer. For developers, the .NET Framework provides a comprehensive\r\nand consistent programming model for building applications that have\r\nvisually stunning user experiences and seamless and secure\r\ncommunication."\r\n\r\nSource: http://www.microsoft.com/net\r\n\r\n\r\n\r\nVulnerability overview/description:\r\n-----------------------------------\r\nThe null byte termination vulnerability exists in the\r\nCopyStringToUnAlingnedBuffer() function of the webengine4.dll library\r\nused by the .NET framework. The unicode string length is determined\r\nusing the lstrlenW function. The lstrlenW function returns the length\r\nof the string, in characters not including the terminating null\r\ncharacter. 
If the unicode string containing a null byte is passed, its\r\nlength is incorrectly calculated, so only characters before the null\r\nbyte are copied into the buffer.\r\n\r\nThis vulnerability can be leveraged into an authentication bypass\r\nvulnerability. Microsoft ASP.NET membership system depends on the\r\nFormsAuthentication.SetAuthCookie(username, false) method for certain\r\nfunctionality. By exploiting this vulnerability an attacker is able to\r\nlog on as a different existing user with all the privileges of the\r\ntargeted user (e.g. admin).\r\n\r\n\r\n\r\nProof of concept:\r\n-----------------\r\n\r\nDetailed exploit information and source code references have been\r\nremoved from this advisory.\r\n\r\nAn attacker is able to bypass authentication in certain functionality\r\nusing null bytes and log on as another user, e.g. admin.\r\n\r\n\r\nVulnerable / tested versions:\r\n-----------------------------\r\nThe vulnerability has been verified to exist in Microsoft .NET Framework\r\nVersion:4.0.30319; ASP.NET Version:4.0.30319.237, which was the most\r\nrecent version at the time of discovery.\r\n\r\nMore information regarding affected versions is available within the\r\nadvisory of Microsoft:\r\nhttp://technet.microsoft.com/en-us/security/bulletin/ms11-100\r\n\r\n\r\nVendor contact timeline:\r\n------------------------\r\n2011-10-07: Contacted vendor through secure@microsoft.com\r\n2011-10-07: Vendor response, MSRC 11838\r\n2011-10-14: Contacted MSRC asking for status\r\n2011-10-15: Answer from case manager: the vulnerability will be\r\n addressed through a security bulletin, a timeframe is\r\n unknown.\r\n2011-11-23: Contacted MSRC asking for status\r\n2011-11-23: Answer from case manager: a release date of update is\r\n unknown, best guess would be a month before or after the\r\n March (2012) update cycle\r\n2011-12-29: Microsoft publishes out-of-band security patch MS11-100\r\n which also addresses this vulnerability\r\n2011-12-30: SEC Consult releases 
redacted version of advisory due to\r\n criticality of this issue\r\n\r\nSEC Consult will release a more detailed advisory at a later date.\r\n\r\n\r\n\r\nSolution:\r\n---------\r\nImmediately apply the MS11-100 patch:\r\nhttp://technet.microsoft.com/en-us/security/bulletin/ms11-100\r\n\r\n\r\nWorkaround:\r\n-----------\r\nIn .NET 4.0 the vulnerability can be mitigated by setting the\r\nticketCompatibilityMode attribute in the application or global\r\nweb.config file like this:\r\n\r\n<system.web>\r\n <authentication mode="Forms">\r\n <forms ticketCompatibilityMode="Framework40" />\r\n </authentication>\r\n</system.web>\r\n\r\n\r\n\r\nAdvisory URL:\r\n-------------\r\nhttps://www.sec-consult.com/en/advisories.html\r\n\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nSEC Consult Unternehmensberatung GmbH\r\n\r\nOffice Vienna\r\nMooslackengasse 17\r\nA-1190 Vienna\r\nAustria\r\n\r\nTel.: +43 / 1 / 890 30 43 - 0\r\nFax.: +43 / 1 / 890 30 43 - 25\r\nMail: research at sec-consult dot com\r\nhttps://www.sec-consult.com\r\n\r\nEOF K. Gudinavicius, J. 
Greil / @2011\r\n", "published": "2012-01-02T00:00:00", "modified": "2012-01-02T00:00:00", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27499", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2011-3416"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:43", "edition": 1, "viewCount": 350, "enchantments": {"score": {"value": 6.2, "vector": "NONE"}, "dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2012-012"]}, {"type": "cve", "idList": ["CVE-2011-3416", "CVE-2012-1031"]}, {"type": "mskb", "idList": ["KB2638420"]}, {"type": "nessus", "idList": ["SMB_NT_MS11-100.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310902806", "OPENVAS:902806"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:111277"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12121"]}, {"type": "seebug", "idList": ["SSV:26123"]}]}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2011-3416"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310902806"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:111277"]}]}, "exploitation": null, "vulnersScore": 6.2}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}
{"packetstorm": [{"lastseen": "2016-12-05T22:20:56", "description": "", "cvss3": {}, "published": "2012-03-29T00:00:00", "type": "packetstorm", "title": "Microsoft ASP.NET Forms Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2011-3416"], "modified": "2012-03-29T00:00:00", "id": "PACKETSTORM:111277", "href": "https://packetstormsecurity.com/files/111277/Microsoft-ASP.NET-Forms-Authentication-Bypass.html", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20120328-1 > \n======================================================================= \ntitle: Microsoft ASP.NET Forms Authentication Bypass \nproduct: Microsoft .NET Framework \nvulnerable version: Microsoft .NET Framework Version:4.0.30319; \nASP.NET Version:4.0.30319.237 and below \nfixed version: MS11-100 \nCVE: CVE-2011-3416 \nimpact: critical \nhomepage: http://www.microsoft.com/net \nfound: 2011-10-02 \nby: K. Gudinavicius / SEC Consult Vulnerability Lab \nm. / SEC Consult Vulnerability Lab \nhttps://www.sec-consult.com \n======================================================================= \n \nVendor description: \n------------------- \n\".NET is an integral part of many applications running on Windows and \nprovides common functionality for those applications to run. This \ndownload is for people who need .NET to run an application on their \ncomputer. For developers, the .NET Framework provides a comprehensive \nand consistent programming model for building applications that have \nvisually stunning user experiences and seamless and secure \ncommunication.\" \n \nSource: http://www.microsoft.com/net \n \n \n \nVulnerability overview/description: \n----------------------------------- \nThis advisory is an update to SEC Consult SA-20111230-0 with a detailed \nPoC section. 
\n \nFurthermore, SEC Consult created a PoC video which can be found here: \n \nhttps://www.sec-consult.com/files/20120328-1_asp.net_authentication_bypass_MS11_100.mp4 \n \n \n \nThe null byte termination vulnerability exists in the \nCopyStringToUnAlingnedBuffer() function of the webengine4.dll library \nused by the .NET framework. The unicode string length is determined \nusing the lstrlenW function. The lstrlenW function returns the length \nof the string, in characters not including the terminating null \ncharacter. If the unicode string containing a null byte is passed, its \nlength is incorrectly calculated, so only characters before the null \nbyte are copied into the buffer. \n \nThis vulnerability can be leveraged into an authentication bypass \nvulnerability. Microsoft ASP.NET membership system depends on the \nFormsAuthentication.SetAuthCookie(username, false) method for certain \nfunctionality. By exploiting this vulnerability an attacker is able to \nlog on as a different existing user with all the privileges of the \ntargeted user (e.g. admin). \n \n \n \nProof of concept: \n----------------- \n \nIf developers are programming the \"Microsoft way\" then they will use the \nstandard built-in controls for the membership management, for example, \n\"CreateUserWizard\" and \"Login\". The interesting one is \n\"CreateUserWizard\", which calls the CreateUser() function of the \nSystem.Web.Security.MembershipProvider class (Assembly: System.Web (in \nSystem.Web.dll)) with the parameters that the user has submitted to the \nform. \n \nThe only validation (besides ASP.NET request validation) of the username \nparameter is done by the ValidateParameter() function, which basically \nchecks the username length and if the username contains commas. 
\n \nSource code excerpt: \n \npublic override MembershipUser CreateUser(string username, string \npassword, string email, string passwordQuestion, string \npasswordAnswer, bool isApproved, object providerUserKey, out \nMembershipCreateStatus status) { <...> if \n(!SecUtility.ValidateParameter(ref username, true, true, true, \n0x100)) { status = MembershipCreateStatus.InvalidUserName; \nreturn null; \n} \n<...> \n \nSource code excerpt: \n \ninternal static bool ValidateParameter(ref string param, bool \ncheckForNull, bool checkIfEmpty, bool checkForCommas, int maxSize) { \nif (param == null) \n{ \nreturn !checkForNull; \n} \nparam = param.Trim(); \nreturn (((!checkIfEmpty || (param.Length >= 1)) && ((maxSize <= \n0) || (param.Length <= maxSize))) && (!checkForCommas \n|| !param.Contains(\",\"))); } \n \n \nThe new user info is stored in the database and if everything went \nsuccessfully (there is no duplicate username) function CreateUser() \nreturns a MembershipUser object which contains basic user information. \n \nSource code excerpt: \n \nproviderUserKey = new \nGuid(command.Parameters[\"@UserId\"].Value.ToString()); time = \ntime.ToLocalTime(); user = new MembershipUser(this.Name, \nusername, providerUserKey, email, passwordQuestion, null, \nisApproved, false, time, time, time, time, new DateTime(0x6da, \n1, 1)); Later on, the FormsAuthentication class (Assembly: \nSystem.Web (in System.Web.dll)) is used, its methods \nSetAuthCookie and GetAuthCookie get called with the username \ntaken from the MembershipUser object. The purpose of these \nfunctions is to create a FormsAuthentication ticket and set the \ncookie which will be used by the ASP.NET form authentication \nmechanism. The cookie is signed and encrypted using the machine \nkey. \n \nThe encryption function Encrypt() of the FormsAuthentication class \ncalls the MakeTicketIntoBinaryBlob() function, which converts \nFormsAuthentication ticket to the binary data. 
\n \nRelated stack trace: \n \n> System.Web.dll!System.Web.Security.FormsAuthentication.MakeTicketIntoBinaryBlob(System.Web.Security.FormsAuthenticationTicket \n> ticket = {System.Web.Security.FormsAuthenticationTicket}) Line \n> 534 C# \nSystem.Web.dll!System.Web.Security.FormsAuthentication.Encrypt(System.Web.Security.FormsAuthenticationTicket \nticket = {System.Web.Security.FormsAuthenticationTicket}, bool \nhexEncodedTicket = true) Line 253 + 0x9 bytes C# \nSystem.Web.dll!System.Web.Security.FormsAuthentication.GetAuthCookie(string \nuserName = \"admin\\0AAAAA\", bool createPersistentCookie = false, string \nstrCookiePath = \"/\", bool hexEncodedTicket = true) Line 309 + 0xd \nbytes C# \nSystem.Web.dll!System.Web.Security.FormsAuthentication.SetAuthCookie(string \nuserName = \"admin\\0AAAAA\", bool createPersistentCookie = false, string \nstrCookiePath = \"/\") Line 810 + 0x62 bytes C# \nSystem.Web.dll!System.Web.Security.FormsAuthentication.SetAuthCookie(string \nuserName = \"admin\\0AAAAA\", bool createPersistentCookie = false) Line \n799 C# \n \n \nIf the parameter's \"TicketCompatibilityMode\" value is set to \n\"Framework20\" (which is set by default: \nhttp://msdn.microsoft.com/en-us/library/system.web.configuration.ticketcompatibilitymode.aspx) \nthe native method CookieAuthConstructTicket() from the external library \nwebengine4.dll is called. The username is passed as the ticket.Name \nparameter, the result is returned in the dst buffer. 
\n \nSource code excerpt: \n \nprivate static byte[] \nMakeTicketIntoBinaryBlob(FormsAuthenticationTicket ticket) { \n<...> \nif (TicketCompatibilityMode == \nSystem.Web.Configuration.TicketCompatibilityMode.Framework20) { \nnum = \nSystem.Web.UnsafeNativeMethods.CookieAuthConstructTicket(dst, \ndst.Length, ticket.Name, ticket.UserData, ticket.CookiePath, \npBytes, pDates); } <...> \n \nSource code excerpt: \n \n[DllImport(\"webengine4.dll\", CharSet=CharSet.Unicode)] \ninternal static extern int CookieAuthConstructTicket(byte[] pData, \nint iDataLen, string szName, string szData, string szPath, byte[] \npBytes, long[] pDates); \n \nThe disassembly of the CookieAuthConstructTicket() function \n(webengine4.dll) shows that the CopyStringToUnAlignedBuffer() function \nis used to copy unicode string (Src) into the array (a1). \n \nPseudocode: \n \nint __stdcall CookieAuthConstructTicket(int a1, int a2, LPCWSTR Src, \nconst WCHAR *a4, const WCHAR *a5, int a6, int a7) { \nint v7; // eax@8 \nint result; // eax@9 \nint v9; // ecx@10 \nint v10; // eax@11 \nint v11; // ecx@12 \nint v12; // edi@13 \nint v13; // eax@13 \nint v14; // edi@14 \nint v15; // eax@14 \n \nif ( a1 && a2 >= 18 && Src && a4 && a5 && a6 && a7 ) \n{ \n*(_BYTE *)(a1 + 8) = *(_BYTE *)a6; \nv7 = CopyStringToUnAlingnedBuffer(Src, (void *)(a1 + 9), a2 - 9); \nif ( v7 < 2 \n|| (v9 = v7 + 17, v7 + 17 > a2) \n|| (*(_DWORD *)(v7 + a1 + 9) = *(_DWORD *)a7, \n*(_DWORD *)(v7 + a1 + 13) = *(_DWORD *)(a7 + 4), \nv10 = v7 + 18, \nv9 + 1 > a2) \n|| (*(_BYTE *)(v9 + a1) = *(_BYTE *)(a6 + 1), v11 = v9 + 9, v10 + \n8 > a2) || (*(_DWORD *)(v10 + a1) = *(_DWORD *)(a7 + 8), \n*(_DWORD *)(v10 + a1 + 4) = *(_DWORD *)(a7 + 12), \nv12 = v10 + 8, \nv13 = CopyStringToUnAlingnedBuffer(a4, (void *)(a1 + v11), a2 \n- v11), v13 < 2) \n|| (v14 = v13 + v12, v15 = CopyStringToUnAlingnedBuffer(a5, (void \n*)(a1 + v14), a2 - v14), v15 < 2) ) result = -2147418113; \nelse \nresult = v15 + v14; \n} \nelse \n{ \nresult = -2147024809; \n} 
\nreturn result; \n} \n \n \nThe analysis of the CopyStringToUnAlignedBuffer() function reveals that \nthe unicode string length is determined using the lstrlenW function. \nThe function returns the length of the string, in characters not \nincluding the terminating null character. This is the reason why the \nauthentication bypass occurs. If the unicode string (in our case \nusername) containing a null byte is passed, its length is incorrectly \ncalculated, so only characters before the null byte are copied into the \nbuffer. For example, the string \"admin\\0AAAAAAA\" becomes \"admin\". \n \nPseudocode: \n \nsigned int __stdcall CopyStringToUnAlingnedBuffer(LPCWSTR Src, void \n*Dst, signed int a3) { \nint v3; // eax@4 \nint v4; // esi@4 \nsigned int result; // eax@5 \n \nif ( Src && Dst && a3 >= 2 ) \n{ \nv3 = lstrlenW(Src); \nv4 = 2 * v3 + 2; \nif ( v4 <= a3 ) \n{ \nmemcpy(Dst, Src, 2 * v3 + 2); \nresult = v4; \n} \nelse \n{ \nresult = -1; \n} \n} \nelse \n{ \nresult = 0; \n} \nreturn result; \n} \n \nThe data returned by the CookieAuthConstructTicket() function is then \nsigned and encrypted and set in the FormsAuthentication cookie, which \nis issued to the client. \n \n \n \n \nVulnerable / tested versions: \n----------------------------- \nThe vulnerability has been verified to exist in Microsoft .NET Framework \nVersion:4.0.30319; ASP.NET Version:4.0.30319.237, which was the most \nrecent version at the time of discovery. \n \nMore information regarding affected versions is available within the \nadvisory of Microsoft: \nhttp://technet.microsoft.com/en-us/security/bulletin/ms11-100 \n \n \nVendor contact timeline: \n------------------------ \n2011-10-07: Contacted vendor through secure@microsoft.com \n2011-10-07: Vendor response, MSRC 11838 \n2011-10-14: Contacted MSRC asking for status \n2011-10-15: Answer from case manager: the vulnerability will be \naddressed through a security bulletin, a timeframe is \nunknown. 
\n2011-11-23: Contacted MSRC asking for status \n2011-11-23: Answer from case manager: a release date of update is \nunknown, best guess would be a month before or after the \nMarch (2012) update cycle \n2011-12-29: Microsoft publishes out-of-band security patch MS11-100 \nwhich also addresses this vulnerability \n2011-12-30: SEC Consult releases redacted version of advisory due to \ncriticality of this issue \n2012-03-28: SEC Consult releases detailed advisory incl. PoC video in \ncoordination with Microsoft \n \n \n \nSolution: \n--------- \nImmediately apply the MS11-100 patch: \nhttp://technet.microsoft.com/en-us/security/bulletin/ms11-100 \n \n \nWorkaround: \n----------- \nIn .NET 4.0 the vulnerability can be mitigated by setting the \nticketCompatibilityMode attribute in the application or global \nweb.config file like this: \n \n<system.web> \n<authentication mode=\"Forms\"> \n<forms ticketCompatibilityMode=\"Framework40\" /> \n</authentication> \n</system.web> \n \n \n \nAdvisory URL: \n------------- \nhttps://www.sec-consult.com/en/advisories.html \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nSEC Consult Unternehmensberatung GmbH \n \nOffice Vienna \nMooslackengasse 17 \nA-1190 Vienna \nAustria \n \nTel.: +43 / 1 / 890 30 43 - 0 \nFax.: +43 / 1 / 890 30 43 - 25 \nMail: research at sec-consult dot com \nhttps://www.sec-consult.com \n \nEOF K. Gudinavicius, J. 
Greil / @2012 \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/111277/SA-20120328-1.txt", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T18:01:11", "description": "BUGTRAQ ID: 51201\r\nCVE ID: CVE-2011-3416\r\n\r\nASP.NET\u662f\u4e00\u5957\u7531Microsoft\u5206\u53d1\u7684\u5e2e\u52a9\u5f00\u53d1\u8005\u6784\u5efa\u57fa\u4e8eWEB\u5e94\u7528\u7684\u7cfb\u7edf\u3002\r\n\r\nMicrosoft .NET Framework\u5728\u7528\u6237\u9a8c\u8bc1\u7684\u5b9e\u73b0\u4e0a\u5b58\u5728\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u975e\u6cd5\u8bbf\u95ee\u53e6\u4e00\u4e2a\u7528\u6237\u8d26\u6237\uff0c\u4ee5\u5176\u6743\u9650\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002\u8981\u5229\u7528\u6b64\u6f0f\u6d1e\uff0c\u975e\u6cd5\u653b\u51fb\u8005\u9700\u8981\u5728ASP.NET\u5e94\u7528\u4e0a\u6ce8\u518c\u4e00\u4e2a\u5e10\u6237\u5e76\u4e86\u89e3\u76ee\u6807\u7528\u6237\u7684\u73b0\u6709\u5e10\u6237\u540d\uff0c\u7136\u540e\u4f7f\u7528\u4e4b\u524d\u6ce8\u518c\u7684\u8d26\u76ee\u540d\u8bbf\u95ee\u8be5\u5e10\u6237\u6765\u6784\u9020\u7279\u5236\u7684Web\u8bf7\u6c42\u3002\r\n0\r\nMicrosoft .NET Framework 4.x\r\nMicrosoft .NET Framework 3.x\r\nMicrosoft .NET Framework 2.x\r\nMicrosoft .NET Framework 1.x\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08ms11-100\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\n\r\nms11-100\uff1aVulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)\r\n\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/bulletin/ms11-100.mspx", "cvss3": {}, "published": "2011-12-30T00:00:00", "title": "Microsoft .NET Framework \u7528\u6237\u9a8c\u8bc1\u6743\u9650\u63d0\u5347\u6f0f\u6d1e(CVE-2011-3416)", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": 
["CVE-2011-3416"], "modified": "2011-12-30T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-26123", "id": "SSV:26123", "sourceData": "", "sourceHref": "", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2022-03-23T12:26:54", "description": "The Forms Authentication feature in the ASP.NET subsystem in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0 allows remote authenticated users to obtain access to arbitrary user accounts via a crafted username, aka \"ASP.Net Forms Authentication Bypass Vulnerability.\"", "cvss3": {}, "published": "2011-12-30T01:55:00", "type": "cve", "title": "CVE-2011-3416", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3416"], "modified": "2020-09-28T12:58:00", "cpe": ["cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2003:*", "cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_xp:sp3", "cpe:/o:microsoft:windows_xp:*"], "id": "CVE-2011-3416", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3416", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:*:r2:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:sp3:unknown:english:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_xp:*:sp2:professional_x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:x86:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:*:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x86:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:53:39", "description": "Unspecified vulnerability in EPiServer CMS 5 and 6 through 6R2, in certain configurations using Forms Authentication, allows remote authenticated users to obtain WebAdmins access by leveraging Edit Mode privileges, a different vulnerability than CVE-2011-3416 and CVE-2011-3417.", "cvss3": {}, "published": "2012-02-08T04:11:00", "type": "cve", "title": "CVE-2012-1031", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3416", "CVE-2011-3417", "CVE-2012-1031"], "modified": "2012-02-14T04:11:00", "cpe": ["cpe:/a:episerver:episerver_cms:6.1.379.0", "cpe:/a:episerver:episerver_cms:5.2.375.236", "cpe:/a:episerver:episerver_cms:5.2.375.133", "cpe:/a:episerver:episerver_cms:5.2.375.7", "cpe:/a:episerver:episerver_cms:5.1.422.122", "cpe:/a:episerver:episerver_cms:5.1.422.256", 
"cpe:/a:episerver:episerver_cms:5.1.422.4", "cpe:/a:episerver:episerver_cms:5.1.422.267", "cpe:/a:episerver:episerver_cms:6.0.530.0"], "id": "CVE-2012-1031", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1031", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:episerver:episerver_cms:5.2.375.133:*:*:*:*:*:*:*", "cpe:2.3:a:episerver:episerver_cms:5.1.422.122:*:*:*:*:*:*:*", "cpe:2.3:a:episerver:episerver_cms:5.1.422.4:*:*:*:*:*:*:*", "cpe:2.3:a:episerver:episerver_cms:5.1.422.256:*:*:*:*:*:*:*", "cpe:2.3:a:episerver:episerver_cms:5.1.422.267:*:*:*:*:*:*:*", "cpe:2.3:a:episerver:episerver_cms:5.2.375.7:*:*:*:*:*:*:*", "cpe:2.3:a:episerver:episerver_cms:6.1.379.0:*:*:*:*:*:*:*", "cpe:2.3:a:episerver:episerver_cms:6.0.530.0:*:*:*:*:*:*:*", "cpe:2.3:a:episerver:episerver_cms:5.2.375.236:*:*:*:*:*:*:*"]}], "checkpoint_advisories": [{"lastseen": "2022-05-26T09:34:18", "description": "An elevation of privilege vulnerability has been reported in Microsoft ASP.NET.", "cvss3": {}, "published": "2012-01-03T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft ASP.NET Authentication Bypass Elevation of Privilege (MS11-100; CVE-2011-3416)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2011-3416"], "modified": "2022-05-26T00:00:00", "id": "CPAI-2012-012", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "mskb": [{"lastseen": "2021-01-01T22:45:01", "description": "<html><body><p>This article contains details for the ASP.NET update for the .NET Framework.</p><h2>Introduction</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS11-100. 
To view the complete security bulletin, visit one of the following Microsoft websites:<br/><ul class=\"sbody-free_list\"><li>Home users:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/security/pc-security/bulletins/201112.aspx\" id=\"kb-link-1\" target=\"_self\">http://www.microsoft.com/security/pc-security/bulletins/201112.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now:<br/><div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate\" id=\"kb-link-2\" target=\"_self\">http://update.microsoft.com/microsoftupdate</a></div></li><li>IT professionals:<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/security/bulletin/ms11-100\" id=\"kb-link-3\" target=\"_self\">http://technet.microsoft.com/security/bulletin/MS11-100</a></div></li></ul><span><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3> <br/>Help installing updates: <br/><a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-4\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-5\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your computer that is running Windows from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-6\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-7\" target=\"_self\">International Support</a><br/><br/></span><br/></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h4 class=\"sbody-h4\">Known issues and additional information about this security update</h4>The security updates that are offered in 
security bulletin MS11-100 change the way that ASP.NET creates forms authentication tickets. The new behavior is incompatible with the previous behavior. Tickets that are generated by using the new behavior cannot be read by servers that use the old behavior, and vice versa. Therefore, because of the ticket behavior change, administrators whose applications use forms authentication must take specific steps when they deploy the security updates offered in bulletin MS11-100 to make sure that all servers switch to the new behavior concurrently. <br/><br/>For more information, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2659968\" id=\"kb-link-8\">2659968 </a> Deployment guidance for security update 2638420, as described in MS11-100<br/></div>The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information. 
If this is the case, the known issue is listed below each article link.<br/><br/> <ul class=\"sbody-free_list\"><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2656351\" id=\"kb-link-9\">2656351 </a> MS11-100: Description of the security update for the .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: December 29, 2011<br/><br/></div></li><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2656356\" id=\"kb-link-10\">2656356 </a>\u00a0MS11-100: Description of the security update for the .NET Framework 3.5.1 on Windows 7 SP1 and\u00a0Windows Server 2008 R2 SP1: December 29, 2011 </div></li><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2657424\" id=\"kb-link-11\">2657424 </a>\u00a0MS11-100: Description of the security update for the .NET Framework 3.5 SP1 on Windows Server 2003, Windows Server 2008, Windows Vista, and Windows XP: December 29, 2011 \u00a0</div></li><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2656352\" id=\"kb-link-12\">2656352 </a>\u00a0MS11-100: Description of the security update for the .NET Framework 2.0 SP2 on Windows XP and\u00a0Windows Server 2003: December 29, 2011 </div></li><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2656362\" id=\"kb-link-13\">2656362 </a>\u00a0MS11-100: Description of the security update for the .NET Framework 2.0 SP2 on Windows Vista SP2 and\u00a0Windows Server 2008 SP2: December 29, 2011 </div></li><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2656355\" id=\"kb-link-14\">2656355 </a>\u00a0MS11-100: Description of the security update for the .NET Framework\u00a03.5.1 on Windows 7 and\u00a0Windows Server 2008 R2: December 29, 2011 </div></li><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2656358\" id=\"kb-link-15\">2656358 </a> MS11-100: 
Description of the security update for the .NET Framework 1.1 SP1 on 32-bit editions of Windows Server 2003 SP2: December 29, 2011<br/><br/></div></li><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2656353\" id=\"kb-link-16\">2656353 </a>\u00a0MS11-100: Description of the security update for the .NET Framework 1.1 SP1 on Windows XP, Windows Vista and Windows Server 2008, and on x64 and Itanium-based versions of Windows Server 2003: December 29, 2011\u00a0</div></li></ul></div></body></html>", "edition": 2, "cvss3": {}, "published": "2011-12-29T00:00:00", "type": "mskb", "title": "MS11-100: Vulnerability in the .NET Framework could allow elevation of privilege: December 29, 2011", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3414", "CVE-2011-3417", "CVE-2011-3416"], "modified": "2012-07-18T17:12:59", "id": "KB2638420", "href": "https://support.microsoft.com/en-us/help/2638420/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-02T21:13:28", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS11-100.", "cvss3": {}, "published": "2011-12-30T00:00:00", "type": "openvas", "title": "Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-3414", "CVE-2011-3417", "CVE-2011-3416", "CVE-2011-3415"], "modified": "2017-02-20T00:00:00", "id": "OPENVAS:902806", "href": 
"http://plugins.openvas.org/nasl.php?oid=902806", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms11-100.nasl 5362 2017-02-20 12:46:39Z cfi $\n#\n# Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow attacker to cause a denial of service,\n conduct spoofing attacks or bypass certain security restrictions.\n Impact Level: System/Application\";\ntag_affected = \"Microsoft .NET Framework 4\n Microsoft .NET Framework 3.5.1\n Microsoft .NET Framework 3.5 Service Pack 1\n Microsoft .NET Framework 2.0 Service Pack 2\n Microsoft .NET Framework 1.1 Service Pack 1\";\ntag_insight = \"- An error within ASP.NET when hashing form posts and updating a hash table.\n This can be exploited to cause a hash collision resulting in high CPU\n consumption via a specially crafted form sent in a HTTP POST request.\n - Open redirect vulnerability in the Forms Authentication feature in the\n ASP.NET subsystem allows remote attackers to redirect users to 
arbitrary\n web sites and conduct phishing attacks via a crafted return URL.\n - The Forms Authentication feature in the ASP.NET subsystem allows remote\n authenticated users to obtain access to arbitrary user accounts via a\n crafted username.\n - The Forms Authentication feature in the ASP.NET subsystem when sliding\n expiry is enabled, does not properly handle cached content, which allows\n remote attackers to obtain access to arbitrary user accounts via a crafted\n URL.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://technet.microsoft.com/en-us/security/bulletin/ms11-100\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS11-100.\";\n\nif(description)\n{\n script_id(902806);\n script_version(\"$Revision: 5362 $\");\n script_bugtraq_id(51186);\n script_cve_id(\"CVE-2011-3414\", \"CVE-2011-3415\", \"CVE-2011-3416\", \"CVE-2011-3417\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 13:46:39 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-12-30 10:10:10 +0530 (Fri, 30 Dec 2011)\");\n script_name(\"Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/47323\");\n script_xref(name : \"URL\" , value : \"http://www.kb.cert.org/vuls/id/903934\");\n script_xref(name : \"URL\" , value : \"http://www.ocert.org/advisories/ocert-2011-003.html\");\n script_xref(name : \"URL\" , value : \"http://www.nruns.com/_downloads/advisory28122011.pdf\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/ms11-100\");\n script_xref(name : \"URL\" , value : 
\"http://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Check for OS and Service Pack\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){\n exit(0);\n}\n\n## Confirm .NET\nkey = \"SOFTWARE\\Microsoft\\ASP.NET\\\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\n## Try to Get Version\nforeach item (registry_enum_keys(key:key))\n{\n path = registry_get_sz(key:key + item, item:\"Path\");\n if(\"\\Microsoft.NET\\Framework\" >< path)\n {\n if(\"v4.0\" >< path){\n dllv4 = fetch_file_version(sysPath:path, file_name:\"System.Web.Extensions.dll\");\n }\n\n if(\"v2.0\" >< path){\n dllv2 = fetch_file_version(sysPath:path, file_name:\"System.Web.dll\");\n }\n\n if(\"v1.1\" >< path){\n dllv1 = fetch_file_version(sysPath:path, file_name:\"System.Web.dll\");\n }\n }\n}\n\n## .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7\nif((hotfix_missing(name:\"2656351\") == 1) && dllv4)\n{\n if(version_in_range(version:dllv4, test_version:\"4.0.30319.000\", test_version2:\"4.0.30319.271\")||\n version_in_range(version:dllv4, 
test_version:\"4.0.30319.500\", test_version2:\"4.0.30319.546\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n## .NET Framework 2 on Windows XP and Windows Server 2003\nif((hotfix_missing(name:\"2656352\") == 1) && (hotfix_check_sp(xp:4, win2003:3) > 0) && dllv2)\n{\n if(version_in_range(version:dllv2, test_version:\"2.0.50727.0000\", test_version2:\"2.0.50727.3633\")||\n version_in_range(version:dllv2, test_version:\"2.0.50727.5000\", test_version2:\"2.0.50727.5709\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n## .NET Framework 2 on Windows Vista and Windows Server 2008\nif((hotfix_missing(name:\"2656362\") == 1) && (hotfix_check_sp(winVista:3, win2008:3) > 0) && dllv2)\n{\n if(version_in_range(version:dllv2, test_version:\"2.0.50727.0000\", test_version2:\"2.0.50727.4222\")||\n version_in_range(version:dllv2, test_version:\"2.0.50727.5000\", test_version2:\"2.0.50727.5709\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n## .NET Framework 1.1 SP1 on Windows Server 2003 SP2, Windows XP, Windows Vista, and Windows Server 2008\nif(dllv1 && (((hotfix_missing(name:\"2656358\") == 1) && (hotfix_check_sp(win2003:3) > 0)) ||\n ((hotfix_missing(name:\"2656353\") == 1) && (hotfix_check_sp(xp:4, winVista:3, win2008:3) > 0))))\n{\n if(version_in_range(version:dllv1, test_version:\"1.1.4322.0\", test_version2:\"1.1.4322.2493\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n## Get .NET Framework 3.5 Path\nkey = \"SOFTWARE\\Microsoft\\.NETFramework\\AssemblyFolders\\v3.5\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\npath = registry_get_sz(key:key, item:\"All Assemblies In\");\nif(! path) {\n exit(0);\n}\n\n## Get Version\ndllv3 = fetch_file_version(sysPath:path, file_name:\"System.Web.Extensions.dll\");\nif(! 
dllv3) {\n exit(0);\n}\n\n## .NET Framework 3.5 SP1 on Windows Server 2003, Windows Server 2008, Windows Vista, and Windows XP\nif((hotfix_missing(name:\"2657424\") == 1) && (hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3) > 0))\n{\n if(version_in_range(version:dllv3, test_version:\"3.5.30729.3000\", test_version2:\"3.5.30729.3677\")||\n version_in_range(version:dllv3, test_version:\"3.5.30729.5000\", test_version2:\"3.5.30729.5768\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n## .NET Framework 3.5.1 on Windows 7\nif((hotfix_missing(name:\"2656355\") == 1) && (hotfix_missing(name:\"2656356\") == 1) && (hotfix_check_sp(win7:2) > 0))\n{\n if(version_in_range(version:dllv3, test_version:\"3.5.30729.4000\", test_version2:\"3.5.30729.4957\")||\n version_in_range(version:dllv3, test_version:\"3.5.30729.5700\", test_version2:\"3.5.30729.5769\")||\n version_in_range(version:dllv3, test_version:\"3.5.30729.5400\", test_version2:\"3.5.30729.5445\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-01-08T14:05:11", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS11-100.", "cvss3": {}, "published": "2011-12-30T00:00:00", "type": "openvas", "title": "Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-3414", "CVE-2011-3417", "CVE-2011-3416", "CVE-2011-3415"], "modified": "2020-01-07T00:00:00", "id": "OPENVAS:1361412562310902806", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902806", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, 
http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902806\");\n script_version(\"2020-01-07T09:06:32+0000\");\n script_bugtraq_id(51186);\n script_cve_id(\"CVE-2011-3414\", \"CVE-2011-3415\", \"CVE-2011-3416\", \"CVE-2011-3417\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-07 09:06:32 +0000 (Tue, 07 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-12-30 10:10:10 +0530 (Fri, 30 Dec 2011)\");\n script_name(\"Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)\");\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/903934\");\n script_xref(name:\"URL\", value:\"http://www.ocert.org/advisories/ocert-2011-003.html\");\n script_xref(name:\"URL\", value:\"http://www.nruns.com/_downloads/advisory28122011.pdf\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-100\");\n script_xref(name:\"URL\", value:\"http://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx\");\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/registry_enumerated\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow attacker to cause a denial of service,\n conduct spoofing attacks or bypass certain security restrictions.\");\n script_tag(name:\"affected\", value:\"- Microsoft .NET Framework 4\n\n - Microsoft .NET Framework 3.5.1\n\n - Microsoft .NET Framework 3.5 Service Pack 1\n\n - Microsoft .NET Framework 2.0 Service Pack 2\n\n - Microsoft .NET Framework 1.1 Service Pack 1\");\n script_tag(name:\"insight\", value:\"- An error within ASP.NET when hashing form posts and updating a hash table.\n This can be exploited to cause a hash collision resulting in high CPU\n consumption via a specially crafted form sent in a HTTP POST request.\n\n - Open redirect vulnerability in the Forms Authentication feature in the\n ASP.NET subsystem allows remote attackers to redirect users to arbitrary\n web sites and conduct phishing attacks via a crafted return URL.\n\n - The Forms Authentication feature in the ASP.NET subsystem allows remote\n authenticated users to obtain access to arbitrary user accounts via a\n crafted username.\n\n - The Forms Authentication feature in the ASP.NET subsystem when sliding\n expiry is enabled, does not properly handle cached content, which allows\n remote attackers to obtain access to arbitrary user accounts via a crafted\n URL.\");\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS11-100.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\ASP.NET\\\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\nforeach item (registry_enum_keys(key:key))\n{\n path = registry_get_sz(key:key + item, item:\"Path\");\n if(\"\\Microsoft.NET\\Framework\" >< path)\n {\n if(\"v4.0\" >< path){\n dllv4 = fetch_file_version(sysPath:path, file_name:\"System.Web.Extensions.dll\");\n }\n\n if(\"v2.0\" >< path){\n dllv2 = fetch_file_version(sysPath:path, file_name:\"System.Web.dll\");\n }\n\n if(\"v1.1\" >< path){\n dllv1 = fetch_file_version(sysPath:path, file_name:\"System.Web.dll\");\n }\n }\n}\n\n## .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7\nif((hotfix_missing(name:\"2656351\") == 1) && dllv4)\n{\n if(version_in_range(version:dllv4, test_version:\"4.0.30319.000\", test_version2:\"4.0.30319.271\")||\n version_in_range(version:dllv4, test_version:\"4.0.30319.500\", test_version2:\"4.0.30319.546\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\n## .NET Framework 2 on Windows XP and Windows Server 2003\nif((hotfix_missing(name:\"2656352\") == 1) && (hotfix_check_sp(xp:4, win2003:3) > 0) && dllv2)\n{\n if(version_in_range(version:dllv2, test_version:\"2.0.50727.0000\", test_version2:\"2.0.50727.3633\")||\n version_in_range(version:dllv2, test_version:\"2.0.50727.5000\", test_version2:\"2.0.50727.5709\"))\n {\n security_message( port: 0, data: \"The 
target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\n## .NET Framework 2 on Windows Vista and Windows Server 2008\nif((hotfix_missing(name:\"2656362\") == 1) && (hotfix_check_sp(winVista:3, win2008:3) > 0) && dllv2)\n{\n if(version_in_range(version:dllv2, test_version:\"2.0.50727.0000\", test_version2:\"2.0.50727.4222\")||\n version_in_range(version:dllv2, test_version:\"2.0.50727.5000\", test_version2:\"2.0.50727.5709\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\n## .NET Framework 1.1 SP1 on Windows Server 2003 SP2, Windows XP, Windows Vista, and Windows Server 2008\nif(dllv1 && (((hotfix_missing(name:\"2656358\") == 1) && (hotfix_check_sp(win2003:3) > 0)) ||\n ((hotfix_missing(name:\"2656353\") == 1) && (hotfix_check_sp(xp:4, winVista:3, win2008:3) > 0))))\n{\n if(version_in_range(version:dllv1, test_version:\"1.1.4322.0\", test_version2:\"1.1.4322.2493\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\nkey = \"SOFTWARE\\Microsoft\\.NETFramework\\AssemblyFolders\\v3.5\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\npath = registry_get_sz(key:key, item:\"All Assemblies In\");\nif(! path) {\n exit(0);\n}\n\ndllv3 = fetch_file_version(sysPath:path, file_name:\"System.Web.Extensions.dll\");\nif(! 
dllv3) {\n exit(0);\n}\n\n## .NET Framework 3.5 SP1 on Windows Server 2003, Windows Server 2008, Windows Vista, and Windows XP\nif((hotfix_missing(name:\"2657424\") == 1) && (hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3) > 0))\n{\n if(version_in_range(version:dllv3, test_version:\"3.5.30729.3000\", test_version2:\"3.5.30729.3677\")||\n version_in_range(version:dllv3, test_version:\"3.5.30729.5000\", test_version2:\"3.5.30729.5768\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\n## .NET Framework 3.5.1 on Windows 7\nif((hotfix_missing(name:\"2656355\") == 1) && (hotfix_missing(name:\"2656356\") == 1) && (hotfix_check_sp(win7:2) > 0))\n{\n if(version_in_range(version:dllv3, test_version:\"3.5.30729.4000\", test_version2:\"3.5.30729.4957\")||\n version_in_range(version:dllv3, test_version:\"3.5.30729.5700\", test_version2:\"3.5.30729.5769\")||\n version_in_range(version:dllv3, test_version:\"3.5.30729.5400\", test_version2:\"3.5.30729.5445\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2021-06-08T19:16:44", "description": "DoS, multiple vulnerabilities in forms authentication.", "edition": 2, "cvss3": {}, "published": "2012-03-26T00:00:00", "title": "Microsoft .Net multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2011-3414", "CVE-2011-3417", "CVE-2011-3416", "CVE-2011-3415"], "modified": "2012-03-26T00:00:00", "id": "SECURITYVULNS:VULN:12121", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12121", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-09-26T02:59:53", "description": "The remote Windows host is running a version of the Microsoft ASP.NET Framework that has multiple 
vulnerabilities. These include:\n\n - A flaw exists in the way ASP.NET generates hash tables for user-supplied values. By sending a small number of specially crafted posts to an ASP.NET server, an attacker can take advantage of this flaw to cause a denial of service condition. (CVE-2011-3414)\n\n - The Framework does not properly validate return URLs during the forms authentication process, which could allow an attacker to redirect a victim to a malicious website. (CVE-2011-3415)\n\n - ASP.NET forms authentication contains a vulnerability that could allow an attacker that already has a registered user on an application to gain the privileges of another known user. (CVE-2011-3416)\n\n - An elevation of privilege vulnerability exists in the way that ASP.NET Framework handles cached content when Forms Authentication is used with sliding expiry. An attacker can take advantage of this vulnerability to execute code in the context of a target user by tricking the user into visiting a specially crafted link. 
(CVE-2011-3417)", "cvss3": {"score": null, "vector": null}, "published": "2011-12-29T00:00:00", "type": "nessus", "title": "MS11-100: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-3414", "CVE-2011-3415", "CVE-2011-3416", "CVE-2011-3417"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:.net_framework"], "id": "SMB_NT_MS11-100.NASL", "href": "https://www.tenable.com/plugins/nessus/57414", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(57414);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\n \"CVE-2011-3414\",\n \"CVE-2011-3415\",\n \"CVE-2011-3416\",\n \"CVE-2011-3417\"\n );\n script_bugtraq_id(51186, 51201, 51202, 51203);\n script_xref(name:\"CERT\", value:\"903934\");\n script_xref(name:\"MSFT\", value:\"MS11-100\");\n script_xref(name:\"MSKB\", value:\"2656351\");\n script_xref(name:\"MSKB\", value:\"2656356\");\n script_xref(name:\"MSKB\", value:\"2657424\");\n script_xref(name:\"MSKB\", value:\"2656352\");\n script_xref(name:\"MSKB\", value:\"2656362\");\n script_xref(name:\"MSKB\", value:\"2656355\");\n script_xref(name:\"MSKB\", value:\"2656358\");\n script_xref(name:\"MSKB\", value:\"2656353\");\n\n script_name(english:\"MS11-100: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)\");\n script_summary(english:\"Checks version of System.Web.dll / System.web.Extensions.dll\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The version of ASP.NET Framework installed on the remote host is\naffected by multiple vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote Windows host is running a version of the Microsoft ASP.NET\nFramework that has multiple vulnerabilities. 
These include:\n\n - A flaw exists in the way ASP.NET generates hash tables\n for user-supplied values. By sending a small number of\n specially crafted posts to an ASP.NET server, an\n attacker can take advantage of this flaw to cause a\n denial of service condition. (CVE-2011-3414)\n\n - The Framework does not properly validate return URLs\n during the forms authentication process, which could\n allow an attacker to redirect a victim to a malicious\n website. (CVE-2011-3415)\n\n - ASP.NET forms authentication contains a vulnerability\n that could allow an attacker that already has a\n registered user on an application to gain the\n privileges of another known user. (CVE-2011-3416)\n\n - An elevation of privilege vulnerability exists in the\n way that ASP.NET Framework handles cached content when\n Forms Authentication is used with sliding expiry. An\n attacker can take advantage of this vulnerability to\n execute code in the context of a target user by\n tricking the user into visiting a specially crafted\n link. 
(CVE-2011-3417)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nruns.com/_downloads/advisory28122011.pdf\");\n # https://www.sec-consult.com/files/20120328-1_asp.net_authentication_bypass_v1.0.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f313f636\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-100\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Microsoft has released a set of patches for the .NET Framework on\nWindows XP, 2003, Vista, 2008, 7, and 2008 R2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/12/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/12/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:.net_framework\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n 
exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS11-100';\nkbs = make_list('2656351', '2656356', '2657424', '2656352', '2656362', '2656355', '2656358', '2656353');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (\"Windows Embedded\" >< productname) exit(0, \"The host is running \"+productname+\" and hence is not affected.\");\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nvuln = 0;\nass_dir = hotfix_get_programfilesdir() + \"\\Reference Assemblies\\Microsoft\\Framework\";\n\n# .NET Framework 1.1 on XP, Windows Server 2003 64-bit, Vista, and Server 2008\nmissing = 0;\nmissing += hotfix_is_vulnerable(os:\"5.1\", arch:\"x86\", sp:3, file:\"System.Web.dll\", version:\"1.1.4322.2494\", dir:\"\\Microsoft.NET\\Framework\\v1.1.4322\");\nmissing += hotfix_is_vulnerable(os:\"5.2\", arch:\"x64\", sp:2, file:\"System.Web.dll\", version:\"1.1.4322.2494\", dir:\"\\Microsoft.NET\\Framework\\v1.1.4322\");\nif (hotfix_check_server_core() != 1)\n{\n missing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"System.Web.dll\", version:\"1.1.4322.2494\", dir:\"\\Microsoft.NET\\Framework\\v1.1.4322\");\n}\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2656353');\nvuln += missing;\n\n# .NET Framework 1.1 on Windows Server 2003 SP2\nmissing = 
0;\nmissing += hotfix_is_vulnerable(os:\"5.2\", arch:\"x86\", sp:2, file:\"system.web.dll\", version:\"1.1.4322.2494\", dir:\"\\Microsoft.NET\\Framework\\v1.1.4322\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2656358');\nvuln += missing;\n\n# .NET Framework 2.0 SP2 on Windows XP / Server 2003\nmissing = 0;\nmissing += hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"System.Web.dll\", version:\"2.0.50727.5710\", min_version:\"2.0.50727.5000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\nmissing += hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"System.Web.dll\", version:\"2.0.50727.3634\", min_version:\"2.0.50727.3000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\nmissing += hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"System.Web.dll\", version:\"2.0.50727.5710\", min_version:\"2.0.50727.5000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\nmissing += hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"System.Web.dll\", version:\"2.0.50727.3634\", min_version:\"2.0.50727.3000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2656352\");\nvuln += missing;\n\n# .NET Framework 2.0 SP2 on Windows Vista SP2 / Server 2008 SP2\nmissing = 0;\nif (hotfix_check_server_core() != 1)\n{\n missing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"system.web.dll\", version:\"2.0.50727.5710\", min_version:\"2.0.50727.5000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n missing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"system.web.dll\", version:\"2.0.50727.4223\", min_version:\"2.0.50727.4000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n}\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2656362\");\nvuln += missing;\n\n# .NET 3.5 SP1 on XP, 2k3, Vista, 2k8\nmissing = 0;\nmissing += hotfix_is_vulnerable(os:\"5.1\", file:\"System.Web.Extensions.dll\", version:\"3.5.30729.3678\", min_version:\"3.5.30729.0\", path:ass_dir + \"\\v3.5\");\nmissing += 
hotfix_is_vulnerable(os:\"5.1\", file:\"System.Web.Extensions.dll\", version:\"3.5.30729.5769\", min_version:\"3.5.30729.5000\", path:ass_dir + \"\\v3.5\");\nmissing += hotfix_is_vulnerable(os:\"5.2\", file:\"System.Web.Extensions.dll\", version:\"3.5.30729.3678\", min_version:\"3.5.30729.0\", path:ass_dir + \"\\v3.5\");\nmissing += hotfix_is_vulnerable(os:\"5.2\", file:\"System.Web.Extensions.dll\", version:\"3.5.30729.5769\", min_version:\"3.5.30729.5000\", path:ass_dir + \"\\v3.5\");\nif (hotfix_check_server_core() != 1)\n{\n missing += hotfix_is_vulnerable(os:\"6.0\", file:\"System.Web.Extensions.dll\", version:\"3.5.30729.3678\", min_version:\"3.5.30729.0\", path:ass_dir + \"\\v3.5\");\n missing += hotfix_is_vulnerable(os:\"6.0\", file:\"System.Web.Extensions.dll\", version:\"3.5.30729.5769\", min_version:\"3.5.30729.5000\", path:ass_dir + \"\\v3.5\");\n}\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2657424');\nvuln += missing;\n\n# .NET Framework 3.5.1 on Windows 7 / Server 2008 R2\nmissing = 0;\nmissing += hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"system.web.dll\", version:\"2.0.50727.5710\", min_version:\"2.0.50727.5000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\nmissing += hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"system.web.dll\", version:\"2.0.50727.4971\", min_version:\"2.0.50727.4000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2656355\");\nvuln += missing;\n\n# .NET Framework 3.5.1 on Windows 7 SP1 / Server 2008 R2 SP1\nmissing = 0;\nmissing += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"system.web.dll\", version:\"2.0.50727.5456\", min_version:\"2.0.50727.5400\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\nmissing += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"system.web.dll\", version:\"2.0.50727.5710\", min_version:\"2.0.50727.5700\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, 
kb:\"2656356\");\nvuln += missing;\n\n# .NET Framework 4 on all supported versions of Windows\nmissing = 0;\nmissing += hotfix_is_vulnerable(os:\"5.1\", file:\"System.Web.dll\", version:\"4.0.30319.272\", min_version:\"4.0.30319.0\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\nmissing += hotfix_is_vulnerable(os:\"5.1\", file:\"System.Web.dll\", version:\"4.0.30319.547\", min_version:\"4.0.30319.500\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\nmissing += hotfix_is_vulnerable(os:\"5.2\", file:\"System.Web.dll\", version:\"4.0.30319.272\", min_version:\"4.0.30319.0\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\nmissing += hotfix_is_vulnerable(os:\"5.2\", file:\"System.Web.dll\", version:\"4.0.30319.547\", min_version:\"4.0.30319.500\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\nif (hotfix_check_server_core() != 1)\n{\n missing += hotfix_is_vulnerable(os:\"6.0\", file:\"System.Web.dll\", version:\"4.0.30319.272\", min_version:\"4.0.30319.0\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n missing += hotfix_is_vulnerable(os:\"6.0\", file:\"System.Web.dll\", version:\"4.0.30319.547\", min_version:\"4.0.30319.500\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n}\nmissing += hotfix_is_vulnerable(os:\"6.1\", file:\"System.Web.dll\", version:\"4.0.30319.272\", min_version:\"4.0.30319.0\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\nmissing += hotfix_is_vulnerable(os:\"6.1\", file:\"System.Web.dll\", version:\"4.0.30319.547\", min_version:\"4.0.30319.500\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2656351\");\nvuln += missing;\n\nif(vuln > 0)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}