WebApp Sec mailing list archives

Re: ISS6 - ASP.NET


From: H D Moore <sflist () digitaloffense net>
Date: Tue, 9 Sep 2003 11:22:50 -0500

On Tuesday 09 September 2003 05:23 am, webappsec () technicalinfo net wrote:
> Anyone been playing with ASP.NET and the error message it automagically
> creates?

I recently wrote a tool for enumerating .NET info from any given
application; it is written in Perl and tested under Linux:

$ wget http://www.digitaloffense.net/dnascan.pl.gz
$ gunzip dnascan.pl.gz
$ ./dnascan.pl http://somehost/path/to/someapp.aspx

It can determine whether customErrors is enabled, whether tracing is 
available, what the physical path of the application is, and the remote 
version of the .NET Framework installed. It would be trivial to add a 
method in that triggers the request validation error, although similar 
functionality is already obtained through other techniques.

 $ ./dnascan.pl http://www.somerandomaspsite.com/
[*] Sending initial probe request...
[*] Sending path discovery request...
[*] Sending application trace request...
[*] Sending null remoter service request...

[ .NET Configuration Analysis ]

       Server   -> Microsoft-IIS/5.0 via XCompress (1.1.6806.1)
  Application   -> /
     FilePath   -> D:\Domains\somerandomaspsite.com
   ADNVersion   -> 1.0.3705.288


> Given the following helpful error message, what experience have other
> people had SUCCESSFULLY exploiting this type of vuln on IIS6, given the
> comprehensive automated response?

It depends on the configuration of the server and whether request 
validation is enabled or not. Most production systems have customErrors 
turned on, which prevents you from seeing any of the stack trace output.
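
Added example (not part of the original post, and not dnascan.pl): a server-side audit of an application's web.config for the three settings the message names: customErrors, tracing and request validation. The sample config is constructed, and the fallback values for unset attributes (customErrors RemoteOnly, trace disabled, validateRequest enabled) are assumed to be the ASP.NET 1.1+ defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config for illustration (not from the original post).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
    <pages validateRequest="false" />
  </system.web>
</configuration>"""

def _local(tag):
    """Strip an XML namespace prefix such as '{uri}system.web'."""
    return tag.rsplit("}", 1)[-1]

def _setting(section, element, attribute, default):
    """Read element/@attribute under a <system.web> node, lowercased;
    fall back to the assumed framework default when it is not set."""
    for child in section:
        if _local(child.tag) == element:
            return child.get(attribute, default).lower()
    return default

def audit_web_config(xml_text):
    """Return findings for the settings that control error and trace disclosure."""
    findings = []
    root = ET.fromstring(xml_text)
    for section in root.iter():
        if _local(section.tag) != "system.web":
            continue  # <location> overrides carry their own <system.web>
        if _setting(section, "customErrors", "mode", "remoteonly") == "off":
            findings.append("customErrors mode=Off: stack traces and paths shown to remote clients")
        if _setting(section, "trace", "enabled", "false") == "true":
            scope = _setting(section, "trace", "localOnly", "true")
            findings.append("trace enabled=true (localOnly=%s): trace.axd request details exposed" % scope)
        if _setting(section, "pages", "validateRequest", "true") == "false":
            findings.append("pages validateRequest=false: request validation disabled")
    return findings

if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print("[!]", finding)
```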

