Microsoft ships emergency .NET fix to thwart hash table collision attacks

Summary: Microsoft .NET is one of several programming languages vulnerable to elevation of privilege attacks.

By Ryan Naraine for Zero Day | January 3, 2012 -- 05:59 GMT (21:59 PST)

While you were out making the most of your "use it or lose it" vacation time, Microsoft shipped a emergency security update to fix several serious security problems in the Microsoft .NET Framework.

The MS11-100 fixes a total of four security vulnerabilities (one publicly disclosed) and Microsoft is urging all Windows users to treat this as a "critical" issue because of the risk of privilege escalation attacks if an unauthenticated attacker sends a specially crafted web request to the target site.

follow Ryan Naraine on twitter

An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name.

The problem is not unique to Microsoft. As explained by German security outfit n.runs AG (.pdf), some programming language implementations do not sufficiently randomize their hash functions or provide means to limit key collision attacks. This can be be leveraged by an unauthenticated attacker to cause a denial-of-service (DoS) condition.

More details in this oCERT advisory:

The issue finds particular exposure in web server applications and/or frameworks. In particular, the lack of sufficient limits for the number of parameters in POST requests in conjunction with the predictable collision properties in the hashing functions of the underlying languages can render web applications vulnerable to the DoS condition. The attacker, using specially crafted HTTP requests, can lead to a 100% of CPU usage which can last up to several hours depending on the targeted application and server performance, the amplification effect is considerable and requires little bandwidth and time on the attacker side.

In addition to Microsoft .NET, the following programming languages are affected:

Java, all versions
JRuby <= 1.6.5
PHP <= 5.3.8, <= 5.4.0RC3
Python, all versions
Rubinius, all versions
Ruby <= 1.8.7-p356
Apache Geronimo, all versions
Apache Tomcat <= 5.5.34, <= 6.0.34, <= 7.0.22
Oracle Glassfish <= 3.1.1
Jetty, all versions
Plone, all versions
Rack <= 1.3.5, <= 1.2.4, <= 1.1.2
V8 JavaScript Engine, all versions

Topics: Security, Microsoft

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

8 comments

Log in or register to join the discussion

more reasons to use FOSS

because the design was right from the start!

The Linux Geek
3 January, 2012 06:27

Reply Vote
- RE: Microsoft ships emergency .NET fix to thwart hash table collision attacks
  
  @The Linux Geek Did you actually read the article
  
  In addition to Microsoft .NET, the following programming languages are affected:
  
  Java, all versions
  JRuby <= 1.6.5
  PHP <= 5.3.8, <= 5.4.0RC3
  Python, all versions
  Rubinius, all versions
  Ruby <= 1.8.7-p356
  Apache Geronimo, all versions
  Apache Tomcat <= 5.5.34, <= 6.0.34, <= 7.0.22
  Oracle Glassfish <= 3.1.1
  Jetty, all versions
  Plone, all versions
  Rack <= 1.3.5, <= 1.2.4, <= 1.1.2
  V8 JavaScript Engine, all versions
  
  John J. Jordan
  3 January, 2012 06:54
  
  Reply Vote
- FOSS?
  
  @The Linux Geek
  
  Can you please provide a little clarity here. How does using FOSS help with this?
  
  bmonsterman
  3 January, 2012 07:02
  
  Reply Vote
- RE: Microsoft ships emergency .NET fix to thwart hash table collision attacks
  
  @The Linux Geek You really are just a dumb f, aren't you?
  
  BFD
  3 January, 2012 07:37
  
  Reply Vote
Perl was fixed in 2003 when this vulnerability was first discovered.

Full disclosure.

Rabid Howler Monkey
3 January, 2012 07:31

Reply Vote
That was last week

You're a little late, Ryan.

Doh

ScorpioBlue
3 January, 2012 11:35

Reply Vote
RE: Microsoft ships emergency .NET fix to thwart hash table collision attacks

this vuln has been peddled on crime forums as long as I can remember. GJ M$ 'rushing' out the emergency patch.

Derpsaucex
4 January, 2012 16:14

Reply Vote
dsfd

Eye Mask Wholesale Coaster http://www.chinawholesaletown.com/wholesale-Digital-Photo-Frame/ Photo Frame
Wholesale Frisbee World Cup Products http://www.chinawholesaletown.com/ Gift Bags
Pen Holder Wholesale Clothes Rack http://www.chinawholesaletown.com/wholesale-iPod---iPhone/ Flag
Promotional Gifts Wholesale Waterproof Case http://www.chinawholesaletown.com/wholesale-Bottle-Opener/ Garden Decorations
Vocal Concert Products Stuffed Animals http://www.chinawholesaletown.com/wholesale-Heating-Products/ Digital Photo Frame
Name Card Holder Wholesale Scissors http://www.chinawholesaletown.com/wholesale-Knife/ Lanyard
Wholesale Lanyard Wholesale Pin http://www.chinawholesaletown.com/ Book Light
Outdoor Leisure Products Electrical Gifts http://www.chinawholesaletown.com/wholesale-Fishing/ Mouse Pad
Wholesale Calendar Wholesale Racks http://www.chinawholesaletown.com/wholesale-Apron/ Jewelry
Wholesale Bracelet Silicone Products http://www.chinawholesaletown.com/wholesale-Medicine-Instrument/ Fan
Wholesale Puzzle Wholesale Massager http://www.chinawholesaletown.com/wholesale-Furniture/ Tableware
Wine Set Industrial Supplies http://www.chinawholesaletown.com/wholesale-Pen-Holder/ Scarf
Wholesale Scissors Wholesale Lighter http://www.chinawholesaletown.com/wholesale-Jewelry/ Heating Products
Lunch Box Wholesale Mouse http://www.chinawholesaletown.com/wholesale-Clothes-Rack/ Wedding Favors
Wholesale Flashlight Wholesale Helmet http://www.chinawholesaletown.com/wholesale-MP3---MP4---MP5-Player/ lable
Business Gift Health Care Products http://www.chinawholesaletown.com/wholesale-Stapler/ Whistle
Wholesale Album Wholesale Apron http://www.chinawholesaletown.com/wholesale-Valentine-Gifts/ Promotional Gifts
Wholesale Racks Wholesale Memory Card http://www.chinawholesaletown.com/wholesale-Poncho-Raincoat/ Reflective Safety Vest
Poncho Raincoat Wholesale Mp3 http://www.chinawholesaletown.com/wholesale-Glasses/ Mobile Phone
Health Care Products Wholesale Hardware Tools http://www.chinawholesaletown.com/wholesale-Recorder-Pen/ Pin
Wholesale Umbrella Electroluminescent http://www.chinawholesaletown.com/wholesale-Entertainment/ First Aid Kit
Wholesale Swimming Products Wholesale TelePhone http://www.chinawholesaletown.com/wholesale-USB-Products/ Sticker
Wholesale Kitchenware Wholesale Tag http://www.chinawholesaletown.com/wholesale-First-Aid-Kit/ Cards
Wholesale Sticker Wholesale Stationery http://www.chinawholesaletown.com/wholesale-Waterproof-Case/ Poncho
Wholesale Towel Entertainment Supplies http://www.chinawholesaletown.com/wholesale-Dartboard/ Dartboard
Wholesale Gift Bags Voice Recorder http://www.chinawholesaletown.com/wholesale-Bracelet---Bangle/ Promotional Products
Wholesale Mat Money Clip http://www.chinawholesaletown.com/wholesale-Silicone/ Pet Supplies
Tape Measure Wholesale Sticker http://www.chinawholesaletown.com/wholesale-Halloween-Gift/ Lighter
Gift Box Beauty Equipment http://www.chinawholesaletown.com/wholesale-Belt/ Tie
Baby Products Suppliers CD Holde http://www.chinawholesaletown.com/wholesale-Whistle/ Towel
Wholesale Tableware Vocal Concert Products http://www.chinawholesaletown.com/wholesale-Bracelet---Bangle/ Lighting Products
Wholesale First Aid Kit Wholesale Scarf http://www.chinawholesaletown.com/wholesale-Lanyard/ Glass
Garden Decorations Wholesale Speakers http://www.chinawholesaletown.com/wholesale-Bag/ Frisbee
Entertainment Supplies Wholesale Compass http://www.chinawholesaletown.com/wholesale-Consumer-Electronics/ Scissors
Wholesale Memory Card Wholesale Knife http://www.chinawholesaletown.com/wholesale-Mouse/ Massager
Wholesale Radio Giveaway Material http://www.chinawholesaletown.com/wholesale-Sticker/ Money Bank

jywhy888
7 March, 2012 01:11

Reply Vote