Date: Wed Mar 22 02:18:47 2006
From: mail at hackingspirits.com (Debasis Mohanty)
Subject: w3wp remote DoS

 
Sorry, if you are receiving multiple copies of it. Just resending as the one
that I sent last night has not yet appeared.

w3wp remote DoS due to improper reference of STA COM components in ASP.NET
===========================================================================

Vendor: Microsoft Corporation
MSRC (Microsoft Security Response Center) Case No: MSRC 6367sd
Product Info: IIS Worker Process (w3wp)

I. BACKGROUND
Early last year, while I was trying out a few canonicalization attacks on sites
running ASP.NET applications, I came across an unexpected remote DoS
against the worker process (i.e. w3wp). As the frequency of success was
*random*, I didn't take much interest in it. However, during one more test in
my home lab, I was able to reproduce the same w3wp crash again (almost with
a 7 out of 10 success ratio), which is why I thought of debugging and
investigating this issue further.

After working for more than one month with Microsoft (MSRC) on this issue,
it is finally concluded that the crash can occur unexpectedly and is due to
improper reference of COM or COM+ in ASP.NET applications. Often
developers forget to use the AspCompat directive, which is required while
referencing COM components in ASP.NET. Below are the links which provide
insight into the appropriate usage of AspCompat:
http://msdn2.microsoft.com/en-us/library/zwk9h2kb.aspx
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/dbgch04.asp


II. PROOF-OF-CONCEPT
The exploit code and the PoC details can be downloaded from the following
link:
http://hackingspirits.com/vuln-rnd/vuln-rnd.html

Regards,
Debasis Mohanty
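
An added example, not part of the original post or its PoC: a static check that flags ASP.NET pages which activate COM objects without AspCompat="true" in the @ Page directive, the omission the advisory describes. The list of COM activation calls is a heuristic and the sample pages are constructed; source text alone cannot show whether a component is STA, so each hit needs manual review.

```python
import re

# Server-side comments can hide a disabled directive: <%-- ... --%>
SERVER_COMMENT = re.compile(r'<%--.*?--%>', re.S)
# @ Page directive, e.g. <%@ Page Language="C#" AspCompat="true" %>
PAGE_DIRECTIVE = re.compile(r'<%@\s*Page\b(.*?)%>', re.I | re.S)
ASPCOMPAT_TRUE = re.compile(r'\bAspCompat\s*=\s*["\']?true\b', re.I)
# Heuristic markers of COM activation in page code (assumed list, extend as needed).
COM_CALLS = re.compile(
    r'\bCreateObject(?:FromClsid)?\s*\('      # Server.CreateObject / VB CreateObject
    r'|\bGetTypeFromProgID\s*\('              # Type.GetTypeFromProgID
    r'|\bGetTypeFromCLSID\s*\(', re.I)        # Type.GetTypeFromCLSID

def blank_comments(source):
    """Remove server-side comments but keep line numbers stable."""
    return SERVER_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), source)

def audit_page(source):
    """Return [(line_no, text)] for COM activations on a page lacking AspCompat="true"."""
    cleaned = blank_comments(source)
    directive = PAGE_DIRECTIVE.search(cleaned)
    if directive and ASPCOMPAT_TRUE.search(directive.group(1)):
        return []  # page already runs on an STA thread
    return [(no, line.strip())
            for no, line in enumerate(cleaned.splitlines(), 1)
            if COM_CALLS.search(line)]

# Constructed sample pages (the ProgID is a placeholder, not a real component).
MISSING = ('<%@ Page Language="VB" %>\n'
           '<script runat="server">\n'
           'Sub Page_Load()\n'
           '  Dim o = Server.CreateObject("Example.StaComponent")\n'
           'End Sub\n'
           '</script>\n')
FIXED = MISSING.replace('Language="VB"', 'Language="VB" AspCompat="true"')
# A commented-out directive must not count as a fix.
COMMENTED = '<%-- <%@ Page AspCompat="true" %> --%>\n' + MISSING

if __name__ == "__main__":
    for name, page in (("missing", MISSING), ("fixed", FIXED), ("commented", COMMENTED)):
        hits = audit_page(page)
        print(name, "OK" if not hits else "REVIEW")
        for no, text in hits:
            print("  line %d: %s" % (no, text))
```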



