A few days after MIcrosoft released a patch to fix a vulnerability in ASP.NET that could enable a denial-of-service attack, someone has released exploit code for the vulnerability.
The proof-of-concept exploit code was posted to the Full Disclosure mailing list and is available for download from GitHUb. Posted by a user named HybrisDisaster, the code is designed to exploit a recently discovered vulnerability in ASP.NET that’s related to the way that the software handles certain HTTP post requests. The vulnerability was first disclosed in late December at the Chaos Communications Congress in Germany.
The problem isn’t actually specific to ASP.NET, but affects a variety of languages and applications. Microsoft shipped an emergency patch for the flaw on Dec. 29, recommending that users install it as quickly as possible.
“This vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 – 110 seconds. An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers,” Microsoft’s Suha Can and Jonathan Ness said in a blog post about the problem.
The base cause of the problem is that when ASP.NET comes across a form submission with some specific characteristics, it will need to perform a huge amount of computations that could consume all of the server’s rresources.