News

ASP.NET Patched

• By Scott Bekker
• 06/11/2002

ASP.NET is the .NET generation of Microsoft technologies to help developers build Web-based applications and XML Web services. It's been officially available for about four months.

The vulnerability involves one of the three modes in ASP.NET for handling session state. The problem is more likely to affect an enterprise environment than a small- or medium-business environment, because the vulnerable session state mode, called StateServer, arises in Web server farm configurations. However, Microsoft rated the vulnerability a moderate risk for servers because it recommends that users implementing ASP.NET applications in Web farms use SQL Server to manage session state. Another reason for the less-than-critical risk assessment is that the Web server application must use cookies to be exposed.

The smallest Web server applications can handle session state within the same process as ASP.NET. Applications designed to scale across a Web server farm, however, must store session state in a separate running process so any server in the farm can access it during a user session.

StateServer is one way Microsoft handles the issue. Another way is a SQL Server mode, in which session state is stored and managed in the database. The SQL Server mode is Microsoft's recommended server farm mode because it makes the application more scalable.

The specific vulnerability with StateServer involves an unchecked buffer when processing cookies. An attacker could exploit the buffer to mount an overrun attack. Microsoft says that theoretically the attacker could execute code on an unprivileged account, but it has not been able to replicate that attack through the vulnerability.

Microsoft has been able to show that the buffer overrun attack would cause the ASP.NET application to restart and result in all active users losing session state.

In a FAQ in the patch description, Microsoft itself brings up the most stinging question: "I thought unchecked buffers are impossible in the .NET Framework?"

Redmond's answer to its own question is effectively that the .NET Framework isn't really written all the way with .NET code.

"While the StateServer itself is written using the .NET Framework, there are some helper functions which it calls that are not written using the .NET Framework. The flaw which gives rise to the vulnerability is located in one of these helper functions written using traditional code," the bulletin states.

According to Microsoft, the company is at work migrating all helper functions over to the framework.

The bulletin and patch can be accessed at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-026.asp.