[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-MICROSOFT-XSS-ELEVATION-OF-PRIVILEGE.txt
Microsoft .NET Framework
XSS / Elevation of Privilege
Microsoft .NET Framework is prone to a cross-site scripting vulnerability because it fails
to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary
script code in the browser of an unsuspecting user in the context of the affected site. This may
allow the attacker to steal cookie-based authentication credentials and launch other attacks.
.NET Elevation of Privilege Vulnerability - CVE-2015-6099
An elevation of privilege vulnerability exists when ASP.NET improperly validates values in HTTP requests,
exposing users to a potential cross-site scripting (XSS) attack. An attacker who successfully exploited the
vulnerability could leverage a vulnerable website to inject client-side script into a user’s browser and
ultimately modify or spoof content, conduct phishing activities, disclose information, or perform any action on
the vulnerable website that the target user has permission to perform. To exploit this vulnerability, user interaction
is required. In a web-browsing scenario a user would have to navigate to a compromised website.
In an email attack scenario an attacker would have to convince a user who is logged on to a vulnerable server to
click a specially crafted link in an email. The update addresses the vulnerability by modifying how ASP.NET validates
the value of an HTTP request.
Microsoft received information about the vulnerability through coordinated vulnerability disclosure. At the time this security
bulletin was originally issued, Microsoft was unaware of any attack attempting to exploit this vulnerability.
Microsoft has not identified any mitigating factors for this vulnerability.
Microsoft has not identified any workarounds for this vulnerability.
The following workarounds may be helpful in your situation:
Remove requestPathInvalidCharacters key from web.config
In order to work around this issue, administrators can remove the
non-default setting from web.config, or at least include “:” in the requestPathInvalidCharacters setting.
How to undo the workaround:
Restore the previously removed line.
Vendor Notification: August 15, 2015
November 10, 2015 : Public Disclosure
Request Method(s): [+] GET / POST
Vulnerable Product versions:
Microsoft .NET Framework 4.0
Microsoft .NET Framework 4.5
Microsoft .NET Framework 4.5.1
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6
Microsoft Windows 10 for 32-bit Systems
Microsoft Windows 10 for x64-based Systems
Microsoft Windows 10 version 1511 for 32-bit Systems
Microsoft Windows 10 version 1511 for x64-based Systems
Microsoft Windows 7 for 32-bit Systems SP1
Microsoft Windows 7 for x64-based Systems SP1
Microsoft Windows 8 for x64-based Systems
Microsoft Windows 8.1 for 32-bit Systems
Microsoft Windows 8.1 for x64-based Systems
Microsoft Windows RT
Microsoft Windows RT 8.1
Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
Microsoft Windows Server 2008 R2 for x64-based Systems SP1
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows Vista SP2
Microsoft Windows Vista x64 Edition SP2
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.
# Iranian Exploit DataBase = http://IeDb.Ir [2015-11-17]