Microsoft .NET Framework Multiple Vulnerabilities

Secunia ID	SA26003
CVE-ID	CVE-2007-0041, CVE-2007-0042, CVE-2007-0043
Release Date	10 Jul 2007
Last Change	26 Mar 2008
Criticality	Moderately Critical Typically used for remotely exploitable Denial of Service vulnerabilities against services like FTP, HTTP, and SMTP, and for vulnerabilities that allow system compromises but require user interaction. This rating is also used for vulnerabilities allowing system compromise on LANs in services like SMB, RPC, NFS, LPD and similar services that are not intended for use over the Internet.
Solution Status	Vendor Patch
Software	Microsoft .NET Framework 1.x Microsoft .NET Framework 2.x
Where	From remote "From remote" describes other vulnerabilities where the attack vector doesn't require access to the system or a local network. This category covers services that are acceptable to expose to the Internet (e.g. HTTP, HTTPS, SMTP). It also covers client applications used on the Internet and certain vulnerabilities where it is reasonable to assume that a security conscious user can be tricked into performing certain actions.
Impact	System access This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user. Exposure of sensitive information Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote. Exposure of system information Vulnerabilities where excessive information about the system (e.g. version numbers, running services, installation paths, and similar) are exposed and can be revealed from remote and in some cases locally.
Description	Some vulnerabilities have been reported in Microsoft .NET Framework, which can be exploited by malicious people to disclose potentially sensitive information or compromise a user's system. 1) A boundary error in the PE Loader can be exploited to execute arbitrary code with permissions of the logged-on user when the user is tricked into visiting a malicious web page and performs certain actions. This vulnerability does not affect the .NET Framework when installed on Windows Vista. 2) An error exists in ASP.NET when processing URLs containing NULL-bytes, which can be exploited to disclose potentially sensitive information by gaining unauthorised access to certain parts of a web site via specially crafted requests. 3) A boundary error in the Just In Time Compiler (JIT) can be exploited to execute arbitrary code with permissions of the logged-on user when the user is tricked into visiting a malicious web page and performs certain actions. This vulnerability only affects .NET Framework 2.0 and does not affect the .NET Framework when installed on Windows Vista.
Solution	Apply patches. -- Microsoft .NET Framework 1.0 -- Windows 2000 SP4: http://www.microsoft.com/downloads/details.aspx?FamilyId=91D7AFE4-069B-4CE8-976E-9A01345A8603 Windows XP SP2: http://www.microsoft.com/downloads/details.aspx?FamilyId=91D7AFE4-069B-4CE8-976E-9A01345A8603 Windows XP Professional x64 Edition (optionally with SP2): http://www.microsoft.com/downloads/details.aspx?FamilyId=91D7AFE4-069B-4CE8-976E-9A01345A8603 Windows XP Tablet PC Edition 2005 and Windows XP Media Center Edition 2005: http://www.microsoft.com/downloads/details.aspx?FamilyId=829A2C5B-11EC-4ED7-91AB-6961034147BC Windows Server 2003 SP1/SP2: http://www.microsoft.com/downloads/details.aspx?FamilyId=91D7AFE4-069B-4CE8-976E-9A01345A8603 Windows Server 2003 with SP1/SP2 for Itanium-based systems : http://www.microsoft.com/downloads/details.aspx?FamilyId=91D7AFE4-069B-4CE8-976E-9A01345A8603 Windows Server 2003 x64 Edition (optionally with SP2): http://www.microsoft.com/downloads/details.aspx?FamilyId=91D7AFE4-069B-4CE8-976E-9A01345A8603 Windows Vista (optionally with SP1): http://www.microsoft.com/downloads/details.aspx?FamilyId=91D7AFE4-069B-4CE8-976E-9A01345A8603 Windows Server 2008: http://www.microsoft.com/downloads/details.aspx?FamilyId=91D7AFE4-069B-4CE8-976E-9A01345A8603 Windows Server 2008 for Itanium-based Systems: http://www.microsoft.com/downloads/details.aspx?FamilyId=91D7AFE4-069B-4CE8-976E-9A01345A8603 Windows Server 2008 x64 Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=91D7AFE4-069B-4CE8-976E-9A01345A8603 -- Microsoft .NET Framework 1.1 -- Windows 2000 SP4: http://www.microsoft.com/downloads/details.aspx?FamilyId=281FB2CD-C715-4F05-A01F-0455D2D9EBFB Windows XP SP2: http://www.microsoft.com/downloads/details.aspx?FamilyId=281FB2CD-C715-4F05-A01F-0455D2D9EBFB Windows XP Professional x64 Edition (optionally with SP2): http://www.microsoft.com/downloads/details.aspx?FamilyId=281FB2CD-C715-4F05-A01F-0455D2D9EBFB Windows Server 2003 SP1/SP2: http://www.microsoft.com/downloads/details.aspx?FamilyId=2495E656-1E0A-4B83-90DA-821E68067A71 Windows Server 2003 with SP1/SP2 for Itanium-based systems: http://www.microsoft.com/downloads/details.aspx?FamilyId=281FB2CD-C715-4F05-A01F-0455D2D9EBFB Windows Server 2003 x64 Edition (optionally with SP2): http://www.microsoft.com/downloads/details.aspx?FamilyId=281FB2CD-C715-4F05-A01F-0455D2D9EBFB Windows Vista (optionally with SP1): http://www.microsoft.com/downloads/details.aspx?FamilyId=7EEA368D-7B82-4583-8537-30351718A4E9 Windows Vista x64 Edition (optionally with SP1): http://www.microsoft.com/downloads/details.aspx?FamilyId=7EEA368D-7B82-4583-8537-30351718A4E9 Windows Server 2008: http://www.microsoft.com/downloads/details.aspx?FamilyId=7EEA368D-7B82-4583-8537-30351718A4E9 Windows Server 2008 for Itanium-based Systems: http://www.microsoft.com/downloads/details.aspx?FamilyId=7EEA368D-7B82-4583-8537-30351718A4E9 Windows Server 2008 x64 Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=7EEA368D-7B82-4583-8537-30351718A4E9 -- Microsoft .NET Framework 2.0 -- Windows 2000 SP4: http://www.microsoft.com/downloads/details.aspx?FamilyId=BA3CEB78-8E1B-4C38-ADFD-E8BC95AE548D Windows XP SP2: http://www.microsoft.com/downloads/details.aspx?FamilyId=BA3CEB78-8E1B-4C38-ADFD-E8BC95AE548D Windows XP Professional x64 Edition (optionally with SP2): http://www.microsoft.com/downloads/details.aspx?FamilyId=BA3CEB78-8E1B-4C38-ADFD-E8BC95AE548D Windows Server 2003 SP1/SP2 : http://www.microsoft.com/downloads/details.aspx?FamilyId=BA3CEB78-8E1B-4C38-ADFD-E8BC95AE548D Windows Server 2003 with SP1/SP2 for Itanium-based systems: http://www.microsoft.com/downloads/details.aspx?FamilyId=BA3CEB78-8E1B-4C38-ADFD-E8BC95AE548D Windows Server 2003 x64 Edition (optionally with SP2): http://www.microsoft.com/downloads/details.aspx?FamilyId=BA3CEB78-8E1B-4C38-ADFD-E8BC95AE548D Windows Vista: http://www.microsoft.com/downloads/details.aspx?FamilyId=CBC9F3CF-C3C3-45C4-82E3-E11398BC2CD2 Windows Vista x64 Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=CBC9F3CF-C3C3-45C4-82E3-E11398BC2CD2
Reported by	1) The vendor credits Dinis Cruz, OWASP. 2) Paul Craig, Security-Assessment.com. 3) The vendor credits Jeroen Frijters, Sumatra.
Original Advisory	MS07-040 (KB931212): http://www.microsoft.com/technet/security/Bulletin/MS07-040.mspx Security-Assessment.com: http://security-assessment.com/files/advisories/2007-07-11_Multiple_.NET_Null_Byte_Injection_Vulnerabilities.pdf