WebApp Sec mailing list archives
Re: ISS6 - ASP.NET
From: H D Moore <sflist () digitaloffense net>
Date: Tue, 9 Sep 2003 11:22:50 -0500
On Tuesday 09 September 2003 05:23 am, webappsec () technicalinfo net wrote:
Anyone been playing with ASP.NET and the error message it automagically creates?
I recently wrote a tool for enumerating .NET info from any given application, it is written in perl and tested under Linux: $ wget http://www.digitaloffense.net/dnascan.pl.gz $ gunzip dnascan.pl.gz $ ./dnascan.pl http://somehost/path/to/someapp.aspx It can determine whether customErrors is enabled, whether tracing is available, what the physical path of the application is, and the remote version of the .NET Framework installed. It would be trivial to add a method in that triggers the request validation error, although similar functionality is already obtained through other techniques. $ ./dnascan.pl http://www.somerandomaspsite.com/ [*] Sending initial probe request... [*] Sending path discovery request... [*] Sending application trace request... [*] Sending null remoter service request... [ .NET Configuration Analysis ] Server -> Microsoft-IIS/5.0 via XCompress (1.1.6806.1) Application -> / FilePath -> D:\Domains\somerandomaspsite.com ADNVersion -> 1.0.3705.288
Given the following helpful error message, what experience have other people had SUCCESSFULLY exploiting this type of vuln on IIS6, given the comprehensive automated response?
It depends on the configuration of the server and whether request validation is enabled or not. Most production systems have customErrors turned on, which prevents you from seeing any of the stack trace output.
Current thread:
- ISS6 - ASP.NET webappsec (Sep 09)
- Re: ISS6 - ASP.NET H D Moore (Sep 09)
- RE: ISS6 - ASP.NET TUER, DON (Sep 09)
- <Possible follow-ups>
- RE: ISS6 - ASP.NET Jackson, Chris (Sep 09)
- Re: ISS6 - ASP.NET Ernie Nelson (Sep 09)
- RE: ISS6 - ASP.NET webappsec (Sep 09)