Re: ISS6 - ASP.NET

From: H D Moore (sflist@digitaloffense.net)
Date: Tue Sep 09 2003 - 12:22:50 EDT


On Tuesday 09 September 2003 05:23 am, webappsec@technicalinfo.net wrote:
> Anyone been playing with ASP.NET and the error message it automagically
> creates?

I recently wrote a tool for enumerating .NET info from any given
application; it is written in Perl and tested under Linux:

$ wget http://www.digitaloffense.net/dnascan.pl.gz
$ gunzip dnascan.pl.gz
$ ./dnascan.pl http://somehost/path/to/someapp.aspx

It can determine whether customErrors is enabled, whether tracing is
available, what the physical path of the application is, and the remote
version of the .NET Framework installed. It would be trivial to add in a
method that triggers the request validation error, although similar
functionality is already obtained through other techniques.

$ ./dnascan.pl http://www.somerandomaspsite.com/
[*] Sending initial probe request...
[*] Sending path discovery request...
[*] Sending application trace request...
[*] Sending null remoter service request...

[ .NET Configuration Analysis ]

       Server -> Microsoft-IIS/5.0 via XCompress (1.1.6806.1)
  Application -> /
     FilePath -> D:\Domains\somerandomaspsite.com
   ADNVersion -> 1.0.3705.288

> Given the following helpful error message, what experience have other
> people had SUCCESSFULLY exploiting this type of vuln on IIS6, given the
> comprehensive automated response?

It depends on the configuration of the server and whether request
validation is enabled or not. Most production systems have customErrors
turned on, which prevents you from seeing any of the stack trace output.
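The settings the post refers to (customErrors, remote tracing, request validation) all live in the application's web.config, so the defender's counterpart to the probe above is a configuration audit. The following is an added example written for this page, not code from the original post or from dnascan; the two web.config fragments are constructed for the example and the helper name `audit_web_config` is an assumption. It flags the weak values (customErrors mode="Off", trace enabled with localOnly="false", pages validateRequest="false") and passes the hardened equivalent:

```python
"""Audit ASP.NET web.config settings that determine what diagnostic
detail a remote client can see.

Added example, not from the original post or the dnascan tool. The two
web.config fragments below are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a configuration that returns the full ASP.NET error
# page (stack trace, physical path, framework version) to every client,
# exposes application trace output remotely and disables request validation.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" pageOutput="false" />
    <pages validateRequest="false" />
  </system.web>
</configuration>
"""

# Constructed sample: the hardened equivalent of the same fragment.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.htm" />
    <trace enabled="false" />
    <pages validateRequest="true" />
  </system.web>
</configuration>
"""


def _child(elem, tag):
    """Return the first direct child named `tag`, or None.  Iterating the
    children avoids any ambiguity over the dot in the 'system.web' tag name."""
    return next((c for c in elem if c.tag == tag), None)


def audit_web_config(xml_text):
    """Return a list of findings (strings) for settings that expose
    diagnostic detail to remote clients.  An empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    sw = _child(root, "system.web")
    if sw is None:
        return findings

    # customErrors: "Off" shows detailed errors to remote clients; the default
    # "RemoteOnly" keeps them on localhost and "On" hides them everywhere.
    ce = _child(sw, "customErrors")
    mode = ce.get("mode", "RemoteOnly") if ce is not None else "RemoteOnly"
    if mode.lower() == "off":
        findings.append("customErrors mode=Off: detailed errors shown to remote clients")

    # trace: enabled="true" together with localOnly="false" makes the
    # application trace (trace.axd) reachable from remote hosts.
    tr = _child(sw, "trace")
    if tr is not None:
        enabled = tr.get("enabled", "false").lower() == "true"
        local_only = tr.get("localOnly", "true").lower() == "true"
        if enabled and not local_only:
            findings.append("trace enabled and not localOnly: trace output available remotely")

    # pages validateRequest="false" switches request validation off app-wide.
    pg = _child(sw, "pages")
    if pg is not None and pg.get("validateRequest", "true").lower() == "false":
        findings.append("pages validateRequest=false: request validation disabled")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, audit_web_config(cfg) or ["no findings"])
```

Run against a real web.config by reading the file into `audit_web_config`; the defaults used when an attribute is absent match ASP.NET's documented defaults (customErrors RemoteOnly, trace disabled and localOnly, request validation on), so an empty `<system.web>` produces no findings.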




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:39 EDT