Microsoft ASP.NET StateServer Cookie Handling Buffer Overflow Vulnerability
by Nikola Strahija on June 9th, 2002 The StateServer process suffers from a buffer overflow vulnerability when processing large cookie data. Exploitation may lead to a denial of service condition. It may be possible to execute arbitrary code as the server process, this has not however been confirmed.
Microsoft's ASP.NET is a collection of technology. ASP.NET supports a range of common HTTP tasks, including the ability to maintain session state through the usage of client cookies. This may be accomplished through the use of ASP.NET's StateServer mode, in which state information is stored in a separate server process.
Remote: Yes
Exploit: No
Solution: A patch is available from Microsoft for .NET Framework 1.0 SP1. This fix will be included in SP2.
Microsoft has advised ensuring that VS.NET is closed prior to manually installing any available patch.
Patches available:
Microsoft .NET Framework 1.0 SP1:
Microsoft Patch Q322289
http://download.microsoft.com/download/NETFrameworkRedistributable/Patch/1/NT45XP/EN-US/NDP10_QFEM_Q322289_En.exe
To be applied to Microsoft .NET Framework 1.0 SP1.
Microsoft .NET Framework 1.0:
