Hard times for ASP.NET
On September 28th Microsoft published the bulletin MS10-070 that fixed a information disclosure in ASP.NET ( the .NET framework).
As David Aitel pointed out,
It’s your basic massive break-the-internet nightmare, that Microsoft has avoided for many years since Code Red and the rest of the big worms ran rampant on IIS. It’s interesting that this time around it’s not a buffer overflow.
Looks like some people is having lots of fun lately and many system administrators are going to have a hard time.
ISC also dedicated an entry in the Diary.
In Microsoft .NET Framework 3.5 Service Pack 1 and above, this vulnerability can be used by an attacker to retrieve the contents of any file within the ASP.NET application, including web.config” and ”This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server.
According to the bulletin, MSFT are aware of “active attacks”.
If this is not enough, Packet Storm Security published a proof of concept that exploits this vulnerability.
Proof of concept exploit that demonstrates the downloading of Web.config. This affects unpatched versions of .NET framework 3.5 Sp1. Full details are available on the homepage.