lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 11 Nov 2015 02:38:25 GMT
From: apparitionsec@...il.com
To: bugtraq@...urityfocus.com
Subject: Microsoft .NET Framework XSS / Elevation of Privilege CVE-2015-6099

[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-MICROSOFT-XSS-ELEVATION-OF-PRIVILEGE.txt



Vendor:
==================
www.microsoft.com



Product:
===========================
Microsoft .NET Framework


Vulnerability Type:
============================
XSS / Elevation of Privilege


CVE Reference:
==============
CVE-2015-6099



Vulnerability Details:
======================

Microsoft .NET Framework is prone to a cross-site scripting vulnerability because it fails
to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary
script code in the browser of an unsuspecting user in the context of the affected site. This may
allow the attacker to steal cookie-based authentication credentials and launch other attacks.

.NET Elevation of Privilege Vulnerability - CVE-2015-6099

An elevation of privilege vulnerability exists when ASP.NET improperly validates values in HTTP requests,
exposing users to a potential cross-site scripting (XSS) attack. An attacker who successfully exploited the
vulnerability could leverage a vulnerable website to inject client-side script into a user’s browser and
ultimately modify or spoof content, conduct phishing activities, disclose information, or perform any action on
the vulnerable website that the target user has permission to perform. To exploit this vulnerability, user interaction
is required. In a web-browsing scenario a user would have to navigate to a compromised website.

In an email attack scenario an attacker would have to convince a user who is logged on to a vulnerable server to
click a specially crafted link in an email. The update addresses the vulnerability by modifying how ASP.NET validates
the value of an HTTP request.

Microsoft received information about the vulnerability through coordinated vulnerability disclosure. At the time this security
bulletin was originally issued, Microsoft was unaware of any attack attempting to exploit this vulnerability.

Microsoft has not identified any mitigating factors for this vulnerability.
Microsoft has not identified any workarounds for this vulnerability.

The following workarounds may be helpful in your situation:

Remove requestPathInvalidCharacters key from web.config
In order to work around this issue, administrators can remove the <httpRuntime requestPathInvalidCharacters="" />
non-default setting from web.config, or at least include “:” in the requestPathInvalidCharacters setting.

How to undo the workaround: 
Restore the previously removed <httpRuntime requestPathInvalidCharacters="" /> line.


https://technet.microsoft.com/library/security/MS15-118
http://www.symantec.com/security_response/vulnerability.jsp?bid=77479&om_rssid=sr-advisories
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6099



Disclosure Timeline:
========================================
Vendor Notification: August 15, 2015
November 10, 2015  : Public Disclosure




Exploitation Technique:
=======================
Remote



Severity Level:
===============
High



Description:
================================================

Request Method(s):              [+]  GET / POST 


Vulnerable Product versions:            

Microsoft .NET Framework 4.0
Microsoft .NET Framework 4.5
Microsoft .NET Framework 4.5.1
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6
Microsoft Windows 10 for 32-bit Systems
Microsoft Windows 10 for x64-based Systems
Microsoft Windows 10 version 1511 for 32-bit Systems
Microsoft Windows 10 version 1511 for x64-based Systems
Microsoft Windows 7 for 32-bit Systems SP1
Microsoft Windows 7 for x64-based Systems SP1
Microsoft Windows 8 for x64-based Systems
Microsoft Windows 8.1 for 32-bit Systems
Microsoft Windows 8.1 for x64-based Systems
Microsoft Windows RT
Microsoft Windows RT 8.1
Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
Microsoft Windows Server 2008 R2 for x64-based Systems SP1
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows Vista SP2
Microsoft Windows Vista x64 Edition SP2


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

by hyp3rlinx

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ