Wednesday, January 05, 2005

Security Holes That Run Deep



Click here for AmazonInteresting discussion from SecurityFocus on some implementation details in ASP.NET (Microsoft's strategic web application serving platform) that have dramatic ramifications for its overall security posture.

The specific flaw Beaumont found was deceptively simple: by using a backslash instead of a forward slash you could access secure ASP.NET resources that normally required authentication.

So, if accessing www.example.net/secure/private.aspx is supposed to require authentication, anyone who wants to could still access the file by entering the URL as www.example.net/secure\private.aspx (or using %5C instead of the backslash in IE). Even if you set NTFS permissions to block anonymous users from accessing the file, ASP.NET still allowed access.

As simple as it was to exploit, the existence of the bug told us a lot about ASP.NET's basic security posture -- none of it good.:

* ASP.NET was not always using NTFS permissions to enforce file access.
* You can fool ASP.NET by disguising the file path.
* ASP.NET did not properly filter URL requests.
* ASP.NET authentication fails open rather than failing closed.

...The ASP.NET authorization code determines if the resource requires authentication or not by checking the configuration file of the current application, and looking for rules that match the requested URL. If the URL does not match any of those rules, it checks the configuration of the parent application for a match. If it still finds no match, it continues up to each parent application until it reaches the machine configuration. By default, the machine configuration allows anyone to access anything without authentication.

This means that if you can disguise a URL so that it doesn't match any rule, you will eventually end up at the default rule that says there is no need to authenticate you to access this file.

In other words, if ASP.NET thinks everyone is authorized to access the file, it won't bother running its authentication code to see if a particular user is authorized to have access. ASP.NET opens the file with the security context of the ASP.NET machine account (ASPNET), unless you specifically configure the application to use impersonation. Therefore it completely bypasses any NTFS permissions you might have set on the file...


Security Holes That Run Deep

No comments: