Este sitio Web utiliza cookies propias y de terceros para realizar el análisis de navegación de los usuarios. Si continua navegando acepta el uso de cookies. Este sitio web es propiedad de Sidertia Solutions S.L., empresa responsable de su mantenimiento. Haga clic aquí para obtener más información acerca de nuestra política de Cookies.


ASPNET Core Unicode Non-Char Encoding DoS

Escrito por David Fernández - 18 May 2017

During a pentest of a web application we discovered a bug in the TextEncoder.EncodeCore function of the ASP.NET Core Mvc System.Text.Encodings.Web package which could be exploited to cause malicious effects on a web application like denial of service.

Affected versions

ASP.NET Mvc < 1.0.3

ASP.NET Mvc < 1.1.2

Vendor Fix

Microsoft released ASP.NET Core Mvc 1.0.4 and 1.1.3 to fix the issue.


Microsoft assigned CVE-2017-0247 to the ASP.NET Core vulnerability and released 4021279 Security Advisory.


The TextEncoder.EncodeCore function fails to properly calculate the length of 4-byte characters belonging to the Unicode Non-Character range while encoding the character, throwing an exception and stopping processing the remaining characters in the string. The flawed code would look like this (taken from the corefx repository):

Codigo ASP.NET

This function, besides being invoked by other functions, is called whenever a ViewBag is rendered or any of the HTML helper methods (HTML.DisplayFor, HTML.EditFor, etc.) is used on a view. As the previous characters in the string to be encoded have been already been sent to the client, the result is the web server will serve an incomplete response (an HTTP response with a shorter content than the announced Content-Length in the case of Kestrel or a chunked-encoding response without trailing chunk in the case of IIS).


The result of the attack will be that no browser will be able to render the webpage which tried to encode the offending character. In case of content being persisted to database (CRUD backoffice application, comments in a blog, etc.) will cause no browser will be able to render the content, causing an effective denial of service on any webpage trying to encode the Unicode non-character. The character would have to be removed from database to return to normal behavior in the application.

Proof of concept

Send a Unicode non-character like FE8FBFBE to a controller action persisting content in the database and visit a view where the character appears:

Prueba Concepto ASP.NET

The following result will be obtained trying to visit any webpage where the character was encoded:

Resultado ASP.NET


  • Consultoría Consultoría

    Servicios de consultoría especializada de la mano de profesionales altamente cualificados.

  • Formación Formación

    Reciba formación experta de calidad ajustada a sus necesidades.

  • Seguridad Seguridad TIC

    Sidertia Solutions le ayuda a implementar y mantener su modelo de seguridad.

  • Desarrollo Desarrollo

    Soluciones de desarrollo seguro para su empresa.

  • Microsoft Silver Partner
  • Citrix Silver Partner
  • Dell Partner Registered