=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2006/VULN394
_____________________________________________________________________

DATE                      : 12/07/2006 (12 July 2006)

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Windows with .NET Framework 2.0

======================================================================


MS06-033 Vulnerability in ASP.NET Could Allow Information Disclosure
CVE-2006-1300

Affected Software:
  - .NET Framework 2.0 for the following operating system versions:
     - Microsoft Windows 2000 Service Pack 4
     - Microsoft Windows XP Service Pack 1
     - Microsoft Windows XP Service Pack 2
     - Microsoft Windows XP Professional x64 Edition
     - Microsoft Windows XP Tablet PC Edition
     - Microsoft Windows XP Media Center Edition
     - Microsoft Windows Server 2003
     - Microsoft Windows Server 2003 Service Pack 1
     - Microsoft Windows Server 2003 for Itanium-based systems
     - Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
     - Microsoft Windows Server 2003 x64 Edition

Non-Affected Software:
  - Microsoft .NET Framework 1.0
  - Microsoft .NET Framework 1.1
  - Microsoft Windows 98
  - Microsoft Windows 98 Second Edition (SE)
  - Microsoft Windows Millennium Edition (Me)

Affected Components:
  - ASP.NET

This information disclosure vulnerability could allow an attacker to bypass
the ASP.NET protection of the Application folders (the App_* folders, such as
App_Data) and retrieve objects in those folders by requesting them explicitly
by name. Note that this vulnerability would not allow an attacker to execute
code or to elevate their user rights directly, but the files retrieved could
provide information useful for attempting to compromise the affected system
further.
	
Mitigating Factors
------------------
Directory browsing is not enabled by default on Application folder
directories. An attacker would have to guess or know the names of the files
they are attempting to retrieve or view.

By default, the file extensions used by Visual Studio and ASP.NET web projects
are mapped in IIS to aspnet_isapi.dll and, in the ASP.NET httpHandlers
configuration, to System.Web.HttpForbiddenHandler; as a result, files with
these extensions cannot be retrieved or viewed remotely using this
vulnerability.

Here's the full list of file extensions that are protected (and not
vulnerable): *.asax, *.ascx, *.master, *.skin, *.browser, *.sitemap,
              *.config (but not *.exe.config or *.dll.config), *.cs,
              *.csproj, *.vb, *.vbproj, *.webinfo, *.licx, *.resx,
              *.resources, *.mdb, *.vjsproj, *.java, *.dd, *.jsl, *.ldb,
              *.ad, *.ldd, *.sd, *.cd, *.adprototype, *.lddprototype,
              *.sdm, *.sdmDocument, *.mdf, *.ldf, *.exclude, *.refresh

IIS 6.0 will not serve any file type for which no MIME mapping is defined,
because IIS 6.0 serves static content only for the extensions whose MIME
mappings are stored in its metabase. This check is specific to IIS 6.0; IIS 5.0
on Windows 2000 serves files with unknown extensions, so this mitigating factor
does not apply there.

For example, if a custom file type with a .data extension is located in the
App_Data folder on an IIS 6.0 server, but no MIME association for .data files
is defined in IIS or in the Windows Registry on that server, Internet
Information Services (IIS) will not serve that file and will return a 404
error, regardless of the folder in which the file resides.

Customers using URLScan who have followed the guidance in Knowledge Base
Article 815155 for hardening ASP.NET web applications are at less risk from
this vulnerability.
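To turn the two mitigating factors above into a check, the following added
Python script (not part of the CERT-Renater advisory or of Microsoft's
guidance) classifies the files under an ASP.NET 2.0 application's App_*
folders into those that HttpForbiddenHandler blocks, those that IIS 6.0
refuses for lack of a MIME mapping, and those that would be served once the
folder protection is bypassed. The MIME map, the list of App_* folder names
and the sample file tree are constructed for the example; on a real server
the MIME map comes from the IIS metabase and the file list from the web root.

```python
"""Audit which files under ASP.NET 2.0 App_* folders IIS 6.0 would still serve.

Added example, not part of the advisory. It applies the two mitigating factors
the advisory describes:
  1. extensions mapped to System.Web.HttpForbiddenHandler are never served;
  2. IIS 6.0 returns 404 for an extension with no MIME mapping in the metabase.
Anything else under an App_* folder is reported as exposed to CVE-2006-1300.
"""
import os

# Extensions the advisory lists as mapped to HttpForbiddenHandler (lower-case).
FORBIDDEN_EXTENSIONS = {
    ".asax", ".ascx", ".master", ".skin", ".browser", ".sitemap", ".config",
    ".cs", ".csproj", ".vb", ".vbproj", ".webinfo", ".licx", ".resx",
    ".resources", ".mdb", ".vjsproj", ".java", ".dd", ".jsl", ".ldb", ".ad",
    ".ldd", ".sd", ".cd", ".adprototype", ".lddprototype", ".sdm",
    ".sdmdocument", ".mdf", ".ldf", ".exclude", ".refresh",
}

# ASP.NET 2.0 application folder names (assumed list; the advisory says App_*).
APP_FOLDERS = {
    "app_code", "app_data", "app_browsers", "app_globalresources",
    "app_localresources", "app_themes", "app_webreferences",
}

# Constructed stand-in for the IIS 6.0 metabase MIME map: extension -> type.
# On a real server, read the MimeMap property from the metabase instead.
SAMPLE_MIME_MAP = {
    ".txt": "text/plain", ".xml": "text/xml", ".htm": "text/html",
    ".csv": "application/octet-stream", ".zip": "application/x-zip-compressed",
}


def classify(filename, mime_map):
    """Return 'forbidden', 'not-served' or 'exposed' for a single file name."""
    name = filename.lower()
    ext = os.path.splitext(name)[1]
    # The advisory's exception: *.config is protected, but *.exe.config and
    # *.dll.config are not, so an audit must treat them as exposed.
    if name.endswith((".exe.config", ".dll.config")):
        return "exposed"
    if ext in FORBIDDEN_EXTENSIONS:
        return "forbidden"
    if ext not in mime_map:
        return "not-served"      # IIS 6.0 answers 404 for unmapped extensions
    return "exposed"


def audit(paths, mime_map=SAMPLE_MIME_MAP):
    """Classify every path (relative to the web root, '/' or '\\' separated)
    that lies under an App_* folder; other paths are outside the scope of
    the advisory and are skipped."""
    verdicts = {}
    for path in paths:
        parts = path.replace("\\", "/").split("/")
        if any(part.lower() in APP_FOLDERS for part in parts[:-1]):
            verdicts[path] = classify(parts[-1], mime_map)
    return verdicts


def exposed_files(paths, mime_map=SAMPLE_MIME_MAP):
    """Sorted list of files an attacker could fetch by name via CVE-2006-1300."""
    return sorted(p for p, v in audit(paths, mime_map).items() if v == "exposed")


def walk_webroot(root):
    """Yield web-root-relative paths of a real site, ready for audit()."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            yield os.path.relpath(os.path.join(dirpath, fn), root)


# Constructed sample tree standing in for a deployed ASP.NET 2.0 application.
SAMPLE_TREE = [
    "App_Code/Secrets.cs",        # forbidden: *.cs
    "App_Data/Customers.mdb",     # forbidden: *.mdb
    "App_Data/Settings.config",   # forbidden: *.config
    "App_Data/export.csv",        # exposed: .csv has a MIME mapping
    "App_Data/notes.txt",         # exposed: .txt has a MIME mapping
    "App_Data/cache.data",        # not-served: no MIME mapping for .data
    "App_Data/Tool.exe.config",   # exposed: excluded from the *.config rule
    "Default.aspx",               # outside App_*: not in scope
]

if __name__ == "__main__":
    for path, verdict in sorted(audit(SAMPLE_TREE).items()):
        print(f"{verdict:10s} {path}")
    print("exposed:", exposed_files(SAMPLE_TREE))
```

Run it against a real site with `audit(list(walk_webroot(r"C:\Inetpub\wwwroot\myapp")))`
after replacing SAMPLE_MIME_MAP with the server's own MIME map; every path
reported as exposed is one the Read-permission or URLScan workaround below
needs to cover.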
	
Workarounds
-----------
Microsoft has tested the following workarounds. While these workarounds will
not correct the underlying vulnerability, they will help to block known
attack vectors.

  - Remove Read permission from all ASP.NET 2.0 Application folders.
    Removal of the Read permissions for Web content helps protect the
    affected system from attempts to exploit this vulnerability.

    To set permissions for Web content on Windows 2000 running IIS 5.0 using
    the Microsoft Management Console (MMC):

    1. Click Start, then click Run and then type:
       %systemroot%\system32\inetsrv\iis.msc

    2. When the Internet Information Services MMC snap-in loads, in the left
       pane, click the plus (+) sign next to the computer name to expand the
       list of web sites hosted on that server.

    3. Expand the first web site by clicking the plus (+) sign next to it.

    4. For each ASP.NET 2.0 Application Folder, right click on the folder and
       select Properties

    5. On the Directory or Virtual Directory tab clear the checkbox next to
       Read and press OK

    6. Repeat step 3 for each web site and application hosted on the server.

    To set permissions for Web content on Windows Server 2003 with IIS 6.0
    using the Microsoft Management Console (MMC):

    1. Click Start, click Run and then type:
       %systemroot%\system32\inetsrv\iis.msc

    2. When the Internet Information Services MMC snap-in is finished loading,
       in the left pane, click the plus (+) sign next to the computer name

    3. Click the plus (+) sign next to the Web sites folder to expand the
       list of web sites hosted on that server.

    4. Expand the first web site by clicking the plus (+) sign next to it.

    5. For each ASP.NET 2.0 Application Folder, right click on the folder
       and select Properties

    6. On the Directory or Virtual Directory tab clear the checkbox next to
       Read and press OK

    7. Repeat step 4 for each web site and application hosted on the server.

    Impact of Workaround: Denying Read access on the virtual directory blocks
                          reflection and therefore inhibits remote debugging.

  - Use URLScan with the DenyUrlSequences setting to disallow URLs that
    request protected file extensions.

    1. If URLScan is already installed, make a backup copy of the URLScan.ini
       before continuing to the next step.

    2. Configure the URLScan.ini (located in the
       %windir%\system32\inetsrv\urlscan folder by default) with the following
       settings:

    3. In the [Options] section, ensure that NormalizeUrlBeforeScan is set to 1

    4. In the [Options] section, ensure that VerifyNormalization is set to 1

    5. In the [DenyUrlSequences] section, ensure that the backslash \ character
       is listed

    6. Re-start IIS for the changes to take effect.

    Note: The above settings are enabled by default in versions of URLScan
          installed by the IIS Lockdown wizard and for all stand-alone
          installations of URLScan 2.5.

    Note: For additional information on configuring URLScan to work with
          ASP.NET applications refer to Knowledge Base Article 815155.

    Impact of Workaround: Improper configuration of URLScan could prevent some
                          web applications from functioning properly.

  - Use file extensions for files in the App_* folders that are not mapped to
    ASP.NET and that have no MIME type mapping that IIS can use.

    If a static file extension has no MIME type mapping, Internet Information
    Services 6.0 (IIS) will not serve it. This workaround relies on IIS 6.0
    behaviour and does not protect IIS 5.0 servers, which serve files with
    unknown extensions.

    Impact of Workaround: None
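The URLScan workaround above is easy to get wrong by hand, so here is an added
Python checker (not part of the advisory or of URLScan itself) that reads a
URLScan.ini and reports which of the three required settings are missing. The
parser is purpose-built because URLScan's list sections such as
[DenyUrlSequences] hold one bare entry per line rather than key=value pairs
and use ';' for comments; the two .ini fragments are constructed for the
example, one weakened and one meeting the workaround.

```python
"""Check a URLScan.ini for the settings the MS06-033 workaround requires.

Added example, not part of the advisory or of URLScan. Required:
  [Options] NormalizeUrlBeforeScan=1, [Options] VerifyNormalization=1,
  and a backslash entry in [DenyUrlSequences].
"""

# URLScan sections that hold one bare entry per line instead of key=value.
LIST_SECTIONS = {"denyurlsequences", "denyextensions", "allowextensions",
                 "denyverbs", "allowverbs", "denyheaders"}


def parse_urlscan_ini(text):
    """Return {section: {key: value}} for key=value sections and
    {section: [entry, ...]} for list sections. Section and key names are
    lower-cased; ';' starts a comment, as in URLScan's own file."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = [] if current in LIST_SECTIONS else {}
        elif current is None:
            continue                      # stray line before any section
        elif current in LIST_SECTIONS:
            sections[current].append(line)
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_urlscan(text):
    """Return the list of findings; an empty list means the three settings
    from the workaround are in place."""
    cfg = parse_urlscan_ini(text)
    options = cfg.get("options", {})
    deny = cfg.get("denyurlsequences", [])
    findings = []
    if options.get("normalizeurlbeforescan") != "1":
        findings.append("[Options] NormalizeUrlBeforeScan must be 1")
    if options.get("verifynormalization") != "1":
        findings.append("[Options] VerifyNormalization must be 1")
    if "\\" not in deny:
        findings.append("[DenyUrlSequences] must list the backslash character")
    return findings


# Constructed fragments: a weakened file and one meeting the workaround.
WEAK_INI = """
[Options]
UseAllowVerbs=1
NormalizeUrlBeforeScan=0   ; 0: DenyUrlSequences is matched against the undecoded URL
VerifyNormalization=1

[DenyUrlSequences]
..   ; directory traversal
./
%
"""

HARDENED_INI = """
[Options]
UseAllowVerbs=1
NormalizeUrlBeforeScan=1
VerifyNormalization=1

[DenyUrlSequences]
..   ; directory traversal
./
\\   ; backslash, the sequence the MS06-033 workaround requires
:
%
&
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, check_urlscan(ini) or "OK")
```

Point `check_urlscan` at the contents of
%windir%\system32\inetsrv\urlscan\URLScan.ini before restarting IIS; an empty
result means the three settings from the workaround are present, and each
finding names the section and entry to fix.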


           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================

