Is there a POC or an exploit already for this vulnerability ? On Thu, Aug 11, 2011 at 9:38 PM, Context IS - Disclosure <[email protected]> wrote: > ===============================ADVISORY=============================== > Systems Affected: .NET 4 - Microsoft Chart Control > Severity: High > Category: Information Disclosure > Author: Context Information Security Ltd > Reported to vendor: 3rd October 2010 > Advisory Issued: 11th August 2011 > Reference: MS11-066, CVE-2011-1977 > ===============================ADVISORY=============================== > > Description > ----------- > The Microsoft Chart Control is vulnerable to an information disclosure > vulnerability. By sending a specific GET request to an application > implementing the chart control, attackers could read arbitrary files on the > system. > > Analysis > -------- > The Microsoft Chart Control plots graphs and with the default configuration > stores those as image files in a directory on the system. The graph images > are retrieved using GET requests and a file path parameter. > > When the control retrieves a request, it verifies that the requested file > path lies within the allowed directory and if so reads and returns the file’s > contents. However, the verification process was found to be flawed, resulting > in the ability to traverse directories to load arbitrary files. > > The Microsoft Chart Control is included in the .NET Framework 4 or can be > downloaded separately for .NET 3.5 (http://code.msdn.microsoft.com/mschart). > > This vulnerability was found using the Context App Tool (CAT > http://cat.contextis.com). > > Technologies Affected > --------------------- > > Microsoft .Net Framework 4 > > > Vendor Response > --------------- > Microsoft advises users to patch the .Net Framework to the latest version. > See the following Microsoft security bulletin for more details: > http://www.microsoft.com/technet/security/Bulletin/MS11-066.mspx > > > Disclosure Timeline > ------------------- > 3rd October 2010 – Vendor Notification > 4th October 2010 – First Vendor Response > 16th November 2010 – Vendor Confirms Vulnerability > 9th August 2011 – Vendor Patch Released > > > Credits > -------- > Nico Leidecker and James Forshaw of Context Information Security Ltd > > > About Context Information Security > ---------------------------------- > > Context Information Security is an independent security consultancy > specialising in both technical security and information assurance services. > > The company was founded in 1998. Its client base has grown steadily over the > years, thanks in large part to personal recommendations from existing clients > who value us as business partners. We believe our success is based on the > value our clients place on our product-agnostic, holistic approach; the way > we work closely with them to develop a tailored service; and to the > independence, integrity and technical skills of our consultants. > > The company’s client base now includes some of the most prestigious blue chip > companies in the world, as well as government organisations. > > The best security experts need to bring a broad portfolio of skills to the > job, so Context has always sought to recruit staff with extensive business > experience as well as technical expertise. Our aim is to provide effective > and practical solutions, advice and support: when we report back to clients > we always communicate our findings and recommendations in plain terms at a > business level as well as in the form of an in-depth technical report. > > Web: www.contextis.com > Email: [email protected] > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
