-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2002.271 -- Microsoft Security Bulletin MS02-026
           Unchecked Buffer in ASP.NET Worker Process (Q322289)
                                7 June 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                ASP.NET
Vendor:                 Microsoft
Impact:                 Denial of Service
                        Execute Arbitrary Code/Commands
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - ----------------------------------------------------------------------
Title:      Unchecked Buffer in ASP.NET Worker Process (Q322289)
Date:       06 June 2002
Software:   .NET Framework
Impact:     Denial of service, potentially run code of attacker's
            choice
Max Risk:   Moderate
Bulletin:   MS02-026

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-026.asp.
- - ----------------------------------------------------------------------

Issue:
======
ASP.NET is a collection of technologies that help developers to
build web-based applications. Web-based applications, including
those built using ASP.NET, rely on HTTP to provide connectivity.
One characteristic of HTTP as a protocol is that it is stateless,
meaning that each page request from a user to a site is reckoned
an independent request. To compensate for this, ASP.NET provides
for session state management through a variety of modes. 

One of these modes is StateServer mode. This mode stores session
state information in a separate, running process. That process
can run on the same machine or a different machine from the
ASP.NET application. There is an unchecked buffer in one of the
routines that handles the processing of cookies in StateServer
mode. A security vulnerability results because it is possible
for an attacker to seek to exploit it by mounting a buffer
overrun attack. A successful attack could cause the ASP.NET
application to restart. As a result, all current users of
the web-based application would see their current session
restart and their current session information would be lost. 

The StateServer mode is not the default mode for session
state management in ASP.NET. ASP.NET applications using
StateServer mode that do not use cookies are not vulnerable. 


Mitigating Factors:
====================
 - StateServer mode is not the default mode for session state
   management in ASP.NET. That ASP.NET application would have
   to be specifically configured to use this mode. 
 - Even if an application was configured to use StateServer
   mode, it would only be at risk if it also used cookies.

Risk Rating:
============
 - Internet systems: Moderate
 - Intranet systems: Moderate
 - Client systems: None

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-026.asp
   for information on obtaining this patch.


- - ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT 
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES 
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF 
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS 
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO 
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR 
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPP6hA40ZSRQxA/UrAQHJaAf+IKjIB6EkJpDbQ1RlmUrSYMR/icCSHEoI
e/NVBcvx85jgUiD08ZxHukVjDjWRrVsfOrLcsIoYEbpwPynHdpqLYDCW2D+nVX8/
ksAcWUPqdtkoZcNp0o7eXnce6oshy43im+mPc0UwSQi89YOGEYGS3bnKpwRq+Kdm
jpWDo59ibCohxYRev6+02SbuEi7UxMFG9yhQaMmfUOrSvR5xLuwV0Lz0mdb6a7qW
9r+x0P1MIZbFc7jzHj5dVKpCzz2tMLEs2FQ8Yq87dnyXMqo6hrsEUpomBpnA2tz8
qPSenO8BNqSenCBaMH66NF1ndAvfwtoYqCNz/wyY+KHaEv8nFa/4uA==
=mFGj
- -----END PGP SIGNATURE-----


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for member emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPQDOuyh9+71yA2DNAQH/+QP/Zei02fTq21s2UxHMBBccnMAvgCNWHc1r
6o6wGjbQ4AFP1tO+Q1yiC09w+PPgm4Vc2KDSmuczcg/Q3eMCeQ6Xuz/qCgal9K7a
UO+ybtLR7t1bzIWcbTl//jbd4CqsOZ7tB2BO15mEzhYcAp8TgAc0iopy9pn3tG4M
SeHjEJIFstI=
=ubbX
-----END PGP SIGNATURE-----