[+] Credits: John Page aka hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-MICROSOFT-XSS-ELEVATION-OF-PRIVILEGE.txt Vendor: ================== www.microsoft.com Product: =========================== Microsoft .NET Framework Vulnerability Type: ============================ XSS / Elevation of Privilege CVE Reference: ============== CVE-2015-6099 Vulnerability Details: ====================== Microsoft .NET Framework is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. .NET Elevation of Privilege Vulnerability - CVE-2015-6099 An elevation of privilege vulnerability exists when ASP.NET improperly validates values in HTTP requests, exposing users to a potential cross-site scripting (XSS) attack. An attacker who successfully exploited the vulnerability could leverage a vulnerable website to inject client-side script into a user’s browser and ultimately modify or spoof content, conduct phishing activities, disclose information, or perform any action on the vulnerable website that the target user has permission to perform. To exploit this vulnerability, user interaction is required. In a web-browsing scenario a user would have to navigate to a compromised website. In an email attack scenario an attacker would have to convince a user who is logged on to a vulnerable server to click a specially crafted link in an email. The update addresses the vulnerability by modifying how ASP.NET validates the value of an HTTP request. Microsoft received information about the vulnerability through coordinated vulnerability disclosure. At the time this security bulletin was originally issued, Microsoft was unaware of any attack attempting to exploit this vulnerability. Microsoft has not identified any mitigating factors for this vulnerability. Microsoft has not identified any workarounds for this vulnerability. The following workarounds may be helpful in your situation: Remove requestPathInvalidCharacters key from web.config In order to work around this issue, administrators can remove the non-default setting from web.config, or at least include “:” in the requestPathInvalidCharacters setting. How to undo the workaround: Restore the previously removed line. https://technet.microsoft.com/library/security/MS15-118 http://www.symantec.com/security_response/vulnerability.jsp?bid=77479&om_rssid=sr-advisories http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6099 Disclosure Timeline: ======================================== Vendor Notification: August 15, 2015 November 10, 2015 : Public Disclosure Exploitation Technique: ======================= Remote Severity Level: =============== High Description: ================================================ Request Method(s): [+] GET / POST Vulnerable Product versions: Microsoft .NET Framework 4.0 Microsoft .NET Framework 4.5 Microsoft .NET Framework 4.5.1 Microsoft .NET Framework 4.5.2 Microsoft .NET Framework 4.6 Microsoft Windows 10 for 32-bit Systems Microsoft Windows 10 for x64-based Systems Microsoft Windows 10 version 1511 for 32-bit Systems Microsoft Windows 10 version 1511 for x64-based Systems Microsoft Windows 7 for 32-bit Systems SP1 Microsoft Windows 7 for x64-based Systems SP1 Microsoft Windows 8 for x64-based Systems Microsoft Windows 8.1 for 32-bit Systems Microsoft Windows 8.1 for x64-based Systems Microsoft Windows RT Microsoft Windows RT 8.1 Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 Microsoft Windows Server 2008 R2 for x64-based Systems SP1 Microsoft Windows Server 2008 for 32-bit Systems SP2 Microsoft Windows Server 2008 for Itanium-based Systems SP2 Microsoft Windows Server 2008 for x64-based Systems SP2 Microsoft Windows Server 2012 Microsoft Windows Server 2012 R2 Microsoft Windows Vista SP2 Microsoft Windows Vista x64 Edition SP2 =========================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. by hyp3rlinx # Iranian Exploit DataBase = http://IeDb.Ir [2015-11-17]