[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Context IS Advisory - MS11-066 .NET 4 - Microsoft Chart Control

To: Context IS - Disclosure <disclosure@xxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Context IS Advisory - MS11-066 .NET 4 - Microsoft Chart Control
From: Madhur Ahuja <ahuja.madhur@xxxxxxxxx>
Date: Fri, 12 Aug 2011 16:20:43 +0530

Is there a POC or an exploit already for this vulnerability ?

On Thu, Aug 11, 2011 at 9:38 PM, Context IS - Disclosure
<disclosure@xxxxxxxxxxxxxxx> wrote:
> ===============================ADVISORY===============================
> Systems Affected:    .NET 4 - Microsoft Chart Control
> Severity:            High
> Category:            Information Disclosure
> Author:              Context Information Security Ltd
> Reported to vendor:  3rd October 2010
> Advisory Issued:     11th August 2011
> Reference:           MS11-066, CVE-2011-1977
> ===============================ADVISORY===============================
>
> Description
> -----------
> The Microsoft Chart Control is vulnerable to an information disclosure 
> vulnerability. By sending a specific GET request to an application 
> implementing the chart control, attackers could read arbitrary files on the 
> system.
>
> Analysis
> --------
> The Microsoft Chart Control plots graphs and with the default configuration 
> stores those as image files in a directory on the system. The graph images 
> are retrieved using GET requests and a file path parameter.
>
> When the control retrieves a request, it verifies that the requested file 
> path lies within the allowed directory and if so reads and returns the file’s 
> contents. However, the verification process was found to be flawed, resulting 
> in the ability to traverse directories to load arbitrary files.
>
> The Microsoft Chart Control is included in the .NET Framework 4 or can be 
> downloaded separately for .NET 3.5 (http://code.msdn.microsoft.com/mschart).
>
> This vulnerability was found using the Context App Tool (CAT 
> http://cat.contextis.com).
>
> Technologies Affected
> ---------------------
>
> Microsoft .Net Framework 4
>
>
> Vendor Response
> ---------------
> Microsoft advises users to patch the .Net Framework to the latest version.  
> See the following Microsoft security bulletin for more details:
> http://www.microsoft.com/technet/security/Bulletin/MS11-066.mspx
>
>
> Disclosure Timeline
> -------------------
> 3rd October 2010 – Vendor Notification
> 4th October 2010 – First Vendor Response
> 16th November 2010 – Vendor Confirms Vulnerability
> 9th August 2011 – Vendor Patch Released
>
>
> Credits
> --------
> Nico Leidecker and James Forshaw of Context Information Security Ltd
>
>
> About Context Information Security
> ----------------------------------
>
> Context Information Security is an independent security consultancy 
> specialising in both technical security and information assurance services.
>
> The company was founded in 1998. Its client base has grown steadily over the 
> years, thanks in large part to personal recommendations from existing clients 
> who value us as business partners. We believe our success is based on the 
> value our clients place on our product-agnostic, holistic approach; the way 
> we work closely with them to develop a tailored service; and to the 
> independence, integrity and technical skills of our consultants.
>
> The company’s client base now includes some of the most prestigious blue chip 
> companies in the world, as well as government organisations.
>
> The best security experts need to bring a broad portfolio of skills to the 
> job, so Context has always sought to recruit staff with extensive business 
> experience as well as technical expertise. Our aim is to provide effective 
> and practical solutions, advice and support: when we report back to clients 
> we always communicate our findings and recommendations in plain terms at a 
> business level as well as in the form of an in-depth technical report.
>
> Web:        www.contextis.com
> Email:      disclosure@xxxxxxxxxxxxx
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Context IS Advisory - MS11-066 .NET 4 - Microsoft Chart Control
  - From: Context IS - Disclosure

Prev by Date: [Full-disclosure] [MOHSEP] Month Of Humorous Stefan Esser Photoshops - 0x0B
Next by Date: [Full-disclosure] [Announcement] ClubHack Magazine Issue 19-August2011
Previous by thread: [Full-disclosure] Context IS Advisory - MS11-066 .NET 4 - Microsoft Chart Control
Next by thread: [Full-disclosure] [MOHSEP] Month Of Humorous Stefan Esser Photoshops - 0x0B
Index(es):
- Date
- Thread