Re: Context IS Advisory - MS11-066 .NET 4 - Microsoft Chart Control

[Madhur Ahuja <ahuja.madhur () gmail com>]

Is there a POC or an exploit already for this vulnerability ?

On Thu, Aug 11, 2011 at 9:38 PM, Context IS - Disclosure
<disclosure () contextis co uk> wrote:
> ===============================ADVISORY===============================
> Systems Affected:    .NET 4 - Microsoft Chart Control
> Severity:            High
> Category:            Information Disclosure
> Author:              Context Information Security Ltd
> Reported to vendor:  3rd October 2010
> Advisory Issued:     11th August 2011
> Reference:           MS11-066, CVE-2011-1977
> ===============================ADVISORY===============================
>
> Description
> -----------
> The Microsoft Chart Control is vulnerable to an information disclosure vulnerability. By sending a specific GET 
> request to an application implementing the chart control, attackers could read arbitrary files on the system.
>
> Analysis
> --------
> The Microsoft Chart Control plots graphs and with the default configuration stores those as image files in a 
> directory on the system. The graph images are retrieved using GET requests and a file path parameter.
>
> When the control retrieves a request, it verifies that the requested file path lies within the allowed directory and 
> if so reads and returns the file’s contents. However, the verification process was found to be flawed, resulting in 
> the ability to traverse directories to load arbitrary files.
>
> The Microsoft Chart Control is included in the .NET Framework 4 or can be downloaded separately for .NET 3.5 
> (http://code.msdn.microsoft.com/mschart).
>
> This vulnerability was found using the Context App Tool (CAT http://cat.contextis.com).
>
> Technologies Affected
> ---------------------
>
> Microsoft .Net Framework 4
>
>
> Vendor Response
> ---------------
> Microsoft advises users to patch the .Net Framework to the latest version.  See the following Microsoft security 
> bulletin for more details:
> http://www.microsoft.com/technet/security/Bulletin/MS11-066.mspx
>
>
> Disclosure Timeline
> -------------------
> 3rd October 2010 – Vendor Notification
> 4th October 2010 – First Vendor Response
> 16th November 2010 – Vendor Confirms Vulnerability
> 9th August 2011 – Vendor Patch Released
>
>
> Credits
> --------
> Nico Leidecker and James Forshaw of Context Information Security Ltd
>
>
> About Context Information Security
> ----------------------------------
>
> Context Information Security is an independent security consultancy specialising in both technical security and 
> information assurance services.
>
> The company was founded in 1998. Its client base has grown steadily over the years, thanks in large part to personal 
> recommendations from existing clients who value us as business partners. We believe our success is based on the value 
> our clients place on our product-agnostic, holistic approach; the way we work closely with them to develop a tailored 
> service; and to the independence, integrity and technical skills of our consultants.
>
> The company’s client base now includes some of the most prestigious blue chip companies in the world, as well as 
> government organisations.
>
> The best security experts need to bring a broad portfolio of skills to the job, so Context has always sought to 
> recruit staff with extensive business experience as well as technical expertise. Our aim is to provide effective and 
> practical solutions, advice and support: when we report back to clients we always communicate our findings and 
> recommendations in plain terms at a business level as well as in the form of an in-depth technical report.
>
> Web:        www.contextis.com
> Email:      disclosure () contextis com
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/