ASP.NET Security Vulnerability Workaround


Update on ASP.NET Vulnerability

Earlier this week we posted about an ASP.NET vulnerability.
Microsoft is actively working on a security update that fixes the issue and is ready for broad distribution across all Windows platforms via Windows Update. We’ll post details once it is available.

Revised Workaround and Additional URLScan Step
In our first community post we covered a workaround you can apply immediately on your sites and applications to prevent attackers from exploiting it. Today, we are revising it to include an additional defensive measure.
This additional step can be done at a server-wide level, and should take less than 5 minutes to implement. Importantly, this step does not replace the other steps in the original workaround, rather it should be done in addition to the steps already in it. Below are instructions on how to enable it.

Install and Enable IIS URLScan with a Custom Rule

If you do not already have the IIS URLScan module installed on your IIS web server, download and install it first; it takes less than a minute to install.

Add an Additional URLScan Rule
Once URLScan is installed, please open and modify the UrlScan.ini file in this location:

%windir%\system32\inetsrv\urlscan\UrlScan.ini

Near the bottom of the UrlScan.ini file you’ll find a [DenyQueryStringSequences] section. Add an additional “aspxerrorpath=” entry immediately below it and then save the file:

[DenyQueryStringSequences]
aspxerrorpath=

The above entry stops any URL carrying an aspxerrorpath= query string attribute from reaching ASP.NET applications; IIS returns an HTTP 404 error instead. Adding this rule prevents attackers from distinguishing between the different types of errors occurring on a server, which helps block attacks using this vulnerability.
After saving this change, run "iisreset" from a command prompt (elevated as administrator) for the change to take effect. To verify it, request a URL on your site or application whose query string contains aspxerrorpath= (for example, any page followed by ?aspxerrorpath=test) and confirm that IIS returns an HTTP error instead of the page.
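The UrlScan.ini edit above, scripted so it can be rolled out to many servers without hand-editing each file. This is an added PowerShell example, not part of the original post; it assumes the default UrlScan 3.x install path given above, keeps a backup of the file, and only restarts IIS when it actually changed something.

```powershell
# Added example, not from the original post: add "aspxerrorpath=" under
# [DenyQueryStringSequences] in UrlScan.ini idempotently, then restart IIS.
# Assumes the default UrlScan 3.x location under %windir%\system32\inetsrv\urlscan.
$iniPath = Join-Path $env:windir 'system32\inetsrv\urlscan\UrlScan.ini'
$section = '[DenyQueryStringSequences]'
$entry   = 'aspxerrorpath='

if (-not (Test-Path $iniPath)) {
    throw "UrlScan.ini not found at $iniPath; install URLScan first"
}

# Keep a copy so the rule can be removed again once the real update is installed.
Copy-Item $iniPath "$iniPath.bak" -Force

$lines = @(Get-Content $iniPath)

# Locate the section header (case-insensitive, ignoring surrounding whitespace).
$sectionIndex = -1
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i].Trim() -ieq $section) { $sectionIndex = $i; break }
}
if ($sectionIndex -lt 0) {
    # Section absent from this ini: append it rather than fail.
    $lines += ''
    $lines += $section
    $sectionIndex = $lines.Count - 1
}

# Look for an existing entry in this section only (stop at the next [header]).
$alreadyPresent = $false
for ($i = $sectionIndex + 1; $i -lt $lines.Count -and -not $lines[$i].Trim().StartsWith('['); $i++) {
    if ($lines[$i].Trim() -ieq $entry) { $alreadyPresent = $true; break }
}

if ($alreadyPresent) {
    Write-Host "$entry already present in $section; nothing to do"
} else {
    # Insert immediately below the section header, as the post instructs.
    $before = @($lines[0..$sectionIndex])
    $after  = @()
    if ($sectionIndex + 1 -lt $lines.Count) {
        $after = @($lines[($sectionIndex + 1)..($lines.Count - 1)])
    }
    Set-Content -Path $iniPath -Value ($before + $entry + $after) -Encoding ASCII
    Write-Host "Added $entry under $section in $iniPath"
    # UrlScan reads its ini when the worker processes start, so restart IIS.
    & iisreset
}
```

Run it from an elevated PowerShell prompt; UrlScan.ini is ASCII, so the file is written back with the same encoding and the original is left in UrlScan.ini.bak.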
URL Scan Summary
If you’ve already implemented the workaround we’ve previously published, please add the above step to help block attackers from exploiting the vulnerability.
Our team is working around the clock to release an update via Windows Update that fixes the underlying product vulnerability. Until that update is available, you can use the above workaround to help prevent attackers from using the vulnerability against your applications.
Once we release the security update, you will no longer need to implement any workaround steps.

The alternative option: Using IIS request filtering:
These instructions are an alternative for the UrlScan instructions above for systems running IIS on Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, or Windows Server 2008 R2.
1. Install the Request Filtering feature in IIS through either Add/Remove Programs (Turn Windows features on or off) or Server Manager by selecting the feature under Internet Information Services, World Wide Web Services, Security.
2. Launch Internet Information Services (IIS) Manager.
3. Select the server node in the left pane.
4. Double-click Request Filtering.
5. Select the Query Strings tab and click Deny Query String … in the Actions pane.
6. Enter aspxerrorpath= in the dialog box and select OK.

Alternatively, you can use the following appcmd command (appcmd.exe lives in %windir%\system32\inetsrv) to add the same query string deny rule:

appcmd set config /section:requestfiltering /+denyQueryStringSequences.[sequence='aspxerrorpath=']

For more information on using appcmd to configure IIS, see Getting Started with AppCmd.exe.
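The same rule expressed as configuration XML, added here as an example and not taken from the original post. This is what the appcmd command above writes into the server-wide applicationHost.config; the identical fragment can instead be placed in a single application's web.config to apply the rule to that application only.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Reject any request whose query string contains this sequence
             before it is handed to ASP.NET; IIS answers with HTTP 404 -->
        <denyQueryStringSequences>
          <add sequence="aspxerrorpath=" />
        </denyQueryStringSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

A request rejected by this rule shows up in the IIS log as a 404 with substatus 18 (query string sequence denied), which is a convenient way to confirm the rule is live and to see whether anyone is probing for it.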

Configure ASP.Net applications to use uniform custom errors
Check whether the root folder of each ASP.NET web application already contains a web.config file. You must have rights to create a file in that directory to implement this workaround. The <location allowOverride="false"> wrapper used below locks the setting so that a web.config in a sub-folder cannot turn custom errors off again.
If the ASP.NET application does not have a web.config file:

On .NET Framework 3.5 and earlier

1. Create a text file named web.config in the root folder of the ASP.NET application, and insert the following contents:

<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On" defaultRedirect="~/error.html" />
    </system.web>
  </location>
</configuration>

2. Create a text file named error.html containing a generic error message and save it in the root folder of the ASP.NET application.
3. Alternatively, you can change error.html in the web.config file to point to an existing error page, but that page must display generic content, not context-specific content.

On .NET Framework 3.5 Service Pack 1 and later

1. Create a text file named web.config in the root folder of the ASP.NET application, and insert the following contents:

<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx" />
    </system.web>
  </location>
</configuration>

2. If you are comfortable using C#, we recommend using the following ErrorPage.aspx file:

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
void Page_Load()
{
    // Sleep for a random 0-255 ms before answering, so the response time
    // does not reveal which error occurred on the server.
    byte[] delay = new byte[1];
    RandomNumberGenerator prng = new RNGCryptoServiceProvider();
    prng.GetBytes(delay);
    Thread.Sleep((int)delay[0]);
    // The "as" cast lets this page compile and run on framework versions
    // where the generator does not implement IDisposable.
    IDisposable disposable = prng as IDisposable;
    if (disposable != null)
    {
        disposable.Dispose();
    }
}
</script>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
</head>
<body>
<div>An error occurred while processing your request.</div>
</body>
</html>

3. If you are comfortable using Visual Basic .NET, we recommend using the following ErrorPage.aspx file:

<%@ Page Language="VB" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
Sub Page_Load()
    ' Sleep for a random 0-255 ms before answering, so the response time
    ' does not reveal which error occurred on the server.
    Dim delay As Byte() = New Byte(0) {}
    Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()
    prng.GetBytes(delay)
    Thread.Sleep(CType(delay(0), Integer))
    ' TryCast lets this page run on framework versions where the
    ' generator does not implement IDisposable.
    Dim disposable As IDisposable = TryCast(prng, IDisposable)
    If Not disposable Is Nothing Then
        disposable.Dispose()
    End If
End Sub
</script>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
</head>
<body>
<div>An error occurred while processing your request.</div>
</body>
</html>

If the ASP.NET application already has a web.config file:

On .NET Framework 3.5 RTM and earlier

1. Insert the bracketed text in the sample below into your existing web.config file:

<?xml version="1.0"?>
<configuration>
  <configSections> … </configSections>
  <appSettings> … </appSettings>
  <connectionStrings> … </connectionStrings>
  [
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On" defaultRedirect="~/error.html" />
    </system.web>
  </location>
  ]
  <system.web> … </system.web>
  <system.codedom> … </system.codedom>
</configuration>

2. Create a text file named error.html containing a generic error message and save it in the root folder of the ASP.NET application.
3. Alternatively, you can change error.html in the web.config file to point to an existing error page, but that page must display generic content, not context-specific content.

On .NET Framework 3.5 Service Pack 1 and later

1. Insert the bracketed text in the sample below into your existing web.config file:

<?xml version="1.0"?>
<configuration>
  <configSections> … </configSections>
  <appSettings> … </appSettings>
  <connectionStrings> … </connectionStrings>
  [
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx" />
    </system.web>
  </location>
  ]
  <system.web> … </system.web>
  <system.codedom> … </system.codedom>
</configuration>

2. Create a text file named ErrorPage.aspx in the root folder of the ASP.NET application, using the same C# or Visual Basic .NET contents shown for the no-web.config case above (the file is identical in both cases).
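With the custom-error steps above applied per application, the question on a shared server is which applications were missed. The following PowerShell audit is an added example, not part of the original post: it walks every IIS site and application through the WebAdministration module (IIS 7 and later) and reports which root web.config files lack the locked-down customErrors block or point at an error page that does not exist. Test-UniformCustomErrors is a helper defined here, not an IIS cmdlet.

```powershell
# Added example, not from the original post: audit IIS sites and applications
# for the <location allowOverride="false"> customErrors block described above.
# Requires the WebAdministration module that ships with IIS 7 and later.
Import-Module WebAdministration

function Test-UniformCustomErrors {
    param([string]$PhysicalPath)
    $configPath = Join-Path $PhysicalPath 'web.config'
    if (-not (Test-Path $configPath)) { return 'no web.config' }
    try {
        [xml]$config = Get-Content $configPath
    } catch {
        return 'web.config is not well-formed XML'
    }
    # Only count the setting when it sits inside <location allowOverride="false">;
    # otherwise a web.config in any sub-folder can switch custom errors off again.
    $xpath = "/configuration/location[@allowOverride='false']/system.web/customErrors[@mode='On']"
    $node = $config.SelectSingleNode($xpath)
    if ($node -eq $null) { return 'customErrors not locked On' }
    $target = $node.GetAttribute('defaultRedirect')
    if (-not $target) { return 'customErrors On but no defaultRedirect' }
    # defaultRedirect is app-relative (~/ErrorPage.aspx); make sure the page really exists,
    # otherwise every error turns into a second, distinguishable 404.
    $file = Join-Path $PhysicalPath ($target -replace '^~/', '')
    if (-not (Test-Path $file)) { return "error page $target missing" }
    return 'OK'
}

foreach ($site in Get-Website) {
    $targets = @(New-Object PSObject -Property @{ Name = $site.Name; Path = $site.PhysicalPath })
    foreach ($app in @(Get-WebApplication -Site $site.Name | Where-Object { $_.Path -ne '/' })) {
        $targets += New-Object PSObject -Property @{ Name = "$($site.Name)$($app.Path)"; Path = $app.PhysicalPath }
    }
    foreach ($t in $targets) {
        # IIS stores paths like %SystemDrive%\inetpub\wwwroot; expand before touching disk.
        $dir = [Environment]::ExpandEnvironmentVariables($t.Path)
        '{0,-45} {1}' -f $t.Name, (Test-UniformCustomErrors $dir)
    }
}
```

Anything other than OK in the second column is an application that still leaks error detail. Virtual directories that are not applications share their parent application's web.config and so are covered by the parent's row.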

Impact of Workaround:
If an error occurs during a Web transaction, Web clients will see the same generic error message from the server regardless of what error actually occurred. Additionally, any request whose URL contains the string aspxerrorpath= in the query string will be blocked, and an HTTP error returned to the client.
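A way to confirm both halves of the workaround from the outside, the URLScan/request filtering rule and the uniform error page, is to send a few deliberately failing requests and compare what comes back. The PowerShell probe below is an added example, not part of the original post. $BaseUrl, /Default.aspx (assumed to exist and to be a Web Forms page with request validation on, the default) and /doesnotexist.aspx (assumed not to exist) are placeholders for your own site; Get-ProbeResult and Get-ErrorSignature are helpers defined here.

```powershell
# Added example, not from the original post: probe a site to confirm that the
# aspxerrorpath= rule and the uniform custom-error page are both in effect.
# Assumptions: $BaseUrl is your site, /Default.aspx is an existing Web Forms
# page with request validation on, and /doesnotexist.aspx does not exist.
param([string]$BaseUrl = 'http://localhost')

function Get-ProbeResult {
    param([string]$Url)
    # HttpWebRequest rather than Invoke-WebRequest so this runs on PowerShell 2.0.
    $request = [System.Net.WebRequest]::Create($Url)
    $request.AllowAutoRedirect = $false   # a redirect to error.html is part of what we compare
    $request.Timeout = 10000
    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx answers surface as exceptions; the response object is still attached.
        $response = $_.Exception.Response
        if ($response -eq $null) { throw }
    }
    $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
    $body = $reader.ReadToEnd()
    $reader.Close()
    $result = New-Object PSObject -Property @{
        Url      = $Url
        Status   = [int]$response.StatusCode
        Location = $response.Headers['Location']
        Body     = $body
    }
    $response.Close()
    return $result
}

function Get-ErrorSignature {
    param($Result)
    if ($Result.Status -eq 302 -and $Result.Location) {
        # ResponseRedirect (the .NET 3.5 RTM variant): ASP.NET appends
        # ?aspxerrorpath=<failing path> to the redirect, which differs per
        # probe by design, so compare only the redirect target page.
        return '302 -> ' + ($Result.Location -split '\?')[0]
    }
    return $Result.Body
}

# 1. The denied query string must be rejected by IIS before ASP.NET sees it.
$blocked = Get-ProbeResult "$BaseUrl/Default.aspx?aspxerrorpath=/x"
if ($blocked.Status -eq 404) {
    Write-Host 'OK: aspxerrorpath= is rejected (HTTP 404)'
} else {
    Write-Warning "aspxerrorpath= was not rejected (HTTP $($blocked.Status)); check UrlScan.ini or request filtering"
}

# 2. Two different failure classes must come back as the same generic page.
$probes = @(
    "$BaseUrl/doesnotexist.aspx",            # page not found
    "$BaseUrl/Default.aspx?x=%3Cscript%3E"   # request validation throws -> server error
)
$results = @(foreach ($p in $probes) { Get-ProbeResult $p })
$results | Format-Table Url, Status, Location, @{n='BodyLength'; e={ $_.Body.Length }} -AutoSize | Out-Host
$signatures = @($results | ForEach-Object { Get-ErrorSignature $_ } | Sort-Object -Unique)
if ($signatures.Count -eq 1) {
    Write-Host 'OK: every error probe returned the same generic response'
} else {
    Write-Warning 'Error responses differ; customErrors is not applied uniformly (check the <location allowOverride="false"> block)'
}
```

Run it from a machine other than the web server so the test goes through the same path an attacker would. Even when the bodies match, the HTTP status code may still differ between a missing page and a thrown exception; the table prints Status so that residual signal is visible rather than hidden by the body comparison.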

You can learn more about this vulnerability and the workaround from:
