
Microsoft .NET Framework Elevation of Privilege Vulnerabilities

Last Update Date: 11 Nov 2015 16:49
Release Date: 11 Nov 2015

RISK: Medium Risk

TYPE: Operating Systems - Windows OS

  1. .NET Information Disclosure Vulnerability
    An information disclosure vulnerability exists in the .NET Framework DTD parsing of certain specially crafted XML files. An attacker who successfully exploited this vulnerability could gain read access to local files on the target system.
  2. .NET Elevation of Privilege Vulnerability
    An elevation of privilege vulnerability exists when ASP.NET improperly validates values in HTTP requests, exposing users to a potential cross-site scripting (XSS) attack. An attacker who successfully exploited the vulnerability could leverage a vulnerable website to inject client-side script into a user’s browser and ultimately modify or spoof content, conduct phishing activities, disclose information, or perform any action on the vulnerable website that the target user has permission to perform.
  3. .NET ASLR Bypass
    A security feature bypass exists in a .NET Framework component that does not properly implement the Address Space Layout Randomization (ASLR) security feature, which protects users from a broad class of vulnerabilities. The ASLR bypass could allow an attacker to bypass the security feature and then load additional malicious code in an attempt to exploit another vulnerability. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass in conjunction with another vulnerability, such as a remote code execution vulnerability, to run arbitrary code.
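
For item 1, an application that parses XML from untrusted sources can refuse DTDs outright as defence in depth alongside the vendor update. The following is an added example, not part of the original advisory or of the vendor's fix; the class name, method names and sample documents are constructed, and it assumes .NET Framework 4.0 or later, where the DtdProcessing setting is available.

```csharp
using System;
using System.IO;
using System.Xml;
// Added example: UntrustedXml, HardenedSettings and TryReadRoot are hypothetical names.
public static class UntrustedXml
{
    // Reader settings for XML from untrusted sources: no DTDs, no external resolution.
    public static XmlReaderSettings HardenedSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> raises XmlException
            XmlResolver = null,                     // never fetch external DTDs or entities
            MaxCharactersFromEntities = 1024        // bounds expansion if DTDs are ever re-enabled
        };
    }

    // Returns true and the root element name if the document parses under the hardened
    // settings; otherwise returns false and the parser's error message.
    public static bool TryReadRoot(string xml, out string rootOrError)
    {
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), HardenedSettings()))
            {
                reader.MoveToContent();
                rootOrError = reader.LocalName;
                while (reader.Read()) { } // consume the rest so late errors surface
                return true;
            }
        }
        catch (XmlException ex)
        {
            rootOrError = ex.Message;
            return false;
        }
    }

    public static void Main()
    {
        // Constructed samples: a plain document, and one with a harmless internal entity.
        string plain = "<order><id>42</id></order>";
        string withDtd = "<!DOCTYPE order [<!ENTITY note \"hello\">]><order>&note;</order>";
        foreach (var doc in new[] { plain, withDtd })
        {
            string info;
            Console.WriteLine("{0}: {1}", TryReadRoot(doc, out info) ? "accepted" : "rejected", info);
        }
    }
}
```

The plain document is accepted and the one carrying a DOCTYPE is rejected before any entity is expanded. Code that loads XML through XmlDocument or XmlTextReader needs the equivalent settings applied to those types.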

 


Impact

  • Elevation of Privilege
  • Security Restriction Bypass
  • Information Disclosure

System / Technologies affected

  • Microsoft Windows Vista
  • Microsoft Windows Server 2008
  • Microsoft Windows 7
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows 8 and Windows 8.1
  • Microsoft Windows Server 2012 and Windows Server 2012 R2
  • Microsoft Windows RT and Windows RT 8.1
  • Microsoft Windows 10

Solutions

Before installing the software, please visit the software manufacturer's website for more details.

