May 16, 2020

Microsoft Patches More Than Hash Table Collision Problem With .NET Update

(LiveHacking.Com) – Microsoft has released a “Critical” out-of-band update for .NET which fixes an elevation of privilege vulnerability in .NET across all supported versions of Windows. Microsoft’s prime reason for releasing the update was to address the newly disclosed denial-of-service vulnerability affecting a range of Web development languages including Microsoft’s ASP.NET, however the update also included fixes which were already committed to the code base.

Before details of the hash table collision denial-of-service vulnerability were released, Microsoft had planned to release a .NET security update addressing three vulnerabilities, one of which was a Critical elevation of privilege vulnerability. Once they received the notification about the elevation of privilege vulnerability the ASP.NET team fixed it and tested it ready for the next security update. Therefore the hash table collision update includes the already committed privilege elevation.

The elevation of privilege vulnerability, which was privately reported to Microsoft, is exploited when an unauthenticated attacker sends a specially crafted web request to the target site. If successful the attacker can take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. However to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name. The fix changes the way the .NET Framework handles specially crafted requests, and how the ASP.NET Framework authenticates users and handles cached content.

This security update is rated Critical for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4 on all supported editions of Microsoft Windows.

Microsoft First to Patch Universal Hash Table Collision Vulnerability with Out-of-band Update

(LiveHacking.Com) – Security Researchers have exposed a flaw in the way the popular Web programming languages (like PHP, ASP.NET and Python) handle hash table collisions resulting in huge CPU usage and a subsequent denial of service. The discoveries were announced yesterday (Wednesday) at the Chaos Communication Congress event in Germany. The flaw is industry-wide and affects many popular web technologies including PHP, ASP.NET, Java, Python, Ruby, Apache Tomcat, Apache Geronimo, Jetty, and Glassfish, as well as Google’s open source JavaScript engine V8.

Although hash collision denial-of-service attacks have been discussed since 2003, Alexander Klink and Julian Wälde have now shown that many programming languages use hash tables while parsing POST forms to make them easily accessible by application developers. And so it is possible for an attacker to send a small number of specially crafted posts to a server, causing high CPU utilization and creating a denial of service condition.

“If the language does not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys. The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request” write the pair in their advisory.

Microsoft have been one of the first to respond to this issue with several announcements including  Security Advisory 2659883 and an advance notification for an out-of-band security update to address the issue. The release is scheduled for today, December 29, at approximately 10 a.m. PST.

According to Microsoft’s security advisory this vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 – 110 seconds. Tthe .NET Framework is vulnerable from version 1.0 right through to version 4.0.

Microsoft are rating this out-of-band bulletin as “Critical” and it is likely it will will release updates for

  • Microsoft .NET Framework 1.0 Service Pack 3 (Media Center Edition 2005 and Tablet PC Edition 2005 only)
  • Microsoft .NET Framework 1.1 Service Pack 1
  • Microsoft .NET Framework 2.0 Service Pack 2
  • Microsoft .NET Framework 3.5 Service Pack 1
  • Microsoft .NET Framework 3.5.1
  • Microsoft .NET Framework 4

For Windows XP, Server 2003, Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 across Intel 32 bit, Intel 64 bit and Itanium where applicable.

The Ruby Security Team has updated Ruby 1.8.7. The Ruby 1.9 series is not affected by this attack. Additional information can be found in the ruby 1.8.7 patchlevel 357 release notes.

More information regarding this vulnerability can be found in US-CERT Vulnerability NoteVU#903934 and n.runs Security Advisory n.runs-SA-2011.004.

SQL injection Attack Hits Over 1 Million ASP.NET Pages (and Counting)

(LiveHacking.Com) – An SQL injection attack that infects web pages and causes drive by downloads of malware is spreading rampantly. Reported last week by Armorize, the SQL injection attack which targets ASP.NET sites, had infected some 180,000 pages. The Register reported on Friday that this number had grown to over 600,000. Now according to Google search the number of infected web pages is over 1,000,000.

Infected sites carry invisible links to sites including and These sites in turn redirect to several other websites, including and, that include hidden code to exploit known vulnerabilities in Adobe PDF, Adobe Flash or Java. Any PC with un-patched versions of these programs will most likely become infected with malware. Servers used in the attack have IP addresses based in the US and Russia.

This current round of SQL injection attacks seem to be similar to the LizaMoon attacks which appeared in March and April of this year. The Security company Securi has noted that registration information for the domains used in this attack are the same as the one used on the earlier Lizamoon domains:

Technical Contact:
James Northone
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803

One thing worth noting is that at the time of the LizaMoon attacks Google mentioned that:

“Google Search results aren’t always great indicators of how prevalent or widespread an attack is as it counts each unique URL or page, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down over time.”

Sites can be scanned to make sure they are clean (or not) at

Mono 2.8.2 Fixes Source Code Disclosure Bug

MonoThe Mono Project have release Mono 2.8.2 which “contains an important security fix for users of ASP.NET”. The vulnerability, tagged CVE-2010-4225, allows under some circumstances ASP.NET applications to misbehave and return the source code (.aspx) of the application or any other file in the web application directory.

Affected are all 2.8.x versions of Mono. The components affected are the XSP web server and the mod_mono Apache module.

The Mono Project advise every Mono 2.8.xx user to upgrade to Mono 2.8.2 if they host web applications with it.

Workaround for ASP.NET server’s encryption vulnerability

In a security advisory Microsoft has confirmed the vulnerability in the process used by ASP.NET applications to encrypt cookies and other session information. In the announcement for the security advisory, Microsoft said it was not, so far, aware of any attacks. However, the security group do encourage users to “review the advisory for mitigations and workarounds”. A blog entry describes how to implement the workarounds and offers a script to help administrator determine whether their ASP.NET applications are vulnerable.

Read the full article here.