Full Report
On the web, the go-to method for maintaining state over the stateless HTTP protocol is cookies. The .NET Framework included a way of putting the session identifier into the URL for clients that couldn't support cookies. This took the form of S(aaaaaaaaaaaaaaaaaaaaaaaa) as part of the URL path. Historically, this has been really bad for WAFs and for session-related issues such as session fixation, session hijacking and more; the author includes links to various posts about previous issues. Due to these security concerns, the feature was removed from .NET Core in newer versions.

From the WAF bypasses the author posted on Twitter, it's clear that putting sessions into the middle of a URL causes weird problems. While testing new WAF bypass techniques, they noticed two weird anomalies. First, the cookieless feature could circumvent the protected directories and URL filters in IIS. Normally, paths in these locations would be blocked, but by including two sessions in the URL, the validation was bypassed. Why does this occur? The rewrite step for cookieless paths in the .NET Framework appears to remove only one session for verification; then, during the resolution process, it removes the second session and allows the user to access the path. At least, this is what it seems like, but it's not explained very well.

Second, IIS has application pools, and some paths could use one pool while others use another. By using the double-session path from above, it is possible to create pool confusion. This can lead to privilege escalation, given the right scenario. Interesting bug! It turns out that string parsing is very hard to do correctly. Double adding a value is something I'll be testing for in the future.
Analysis Summary
# Vulnerability: Cookieless DuoDrop - IIS Auth Bypass & App Pool Privesc
## CVE Details
- **CVE ID:** CVE-2023-36899 (ASP.NET Remote Code Execution Vulnerability) & CVE-2023-36560 (IIS Information Disclosure Vulnerability)
- **CVSS Score:** 7.5 / 8.8 (High)
- **CWE:** CWE-287 (Improper Authentication), CWE-667 (Improper Locking), CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:** Microsoft ASP.NET Framework, Internet Information Services (IIS).
- **Versions:** All versions of .NET Framework (e.g., 3.5, 4.7.2, 4.8, 4.8.1) running on Windows Server. *Note: .NET Core/5+ are not affected as the cookieless feature was removed.*
- **Configurations:** Systems where the cookieless session state feature is enabled (typically via `cookieless="UseUri"` in `web.config`) or incorrectly handled by the default "AutoDetect" setting.
## Vulnerability Description
The vulnerability stems from how the ASP.NET `FormsAuthenticationModule` and `SessionStateModule` parse "cookieless" sessions embedded in URLs (formatted as `/(S(sessionid))/`).
When a "Double Session" (e.g., `/(S(id1))(S(id2))/`) is provided in the URL, a logic flaw occurs in the rewriting process. IIS/ASP.NET performs an initial validation check, typically removing only one instance of the session string to authorize the path. However, during the subsequent resolution process to serve the file, the second session string is also stripped. This discrepancy allows an attacker to bypass folder-level authorization rules (such as protected directories) and URL filters. Furthermore, this "DuoDrop" technique can cause "Application Pool Confusion," where a request intended for one application pool is processed by another, potentially leading to privilege escalation between different security contexts on the same server.
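The authorize-once, resolve-fully discrepancy described above, shown as an added example in a simplified Python model (this is not the ASP.NET or IIS code; `PROTECTED_PREFIXES`, the prefix-based authorization check and the slash collapsing are assumptions of the model). The hardened variant authorizes against the same fully normalized path it will serve.

```python
import re

# Hypothetical model of the cookieless rewrite described above, not the real
# .NET Framework implementation. The /(S(id))/ token format is the page's.
SESSION_TOKEN = re.compile(r"\(S\([A-Za-z0-9]+\)\)")
# Assumed protected locations for the model; authorization is a prefix match.
PROTECTED_PREFIXES = ("/protected/", "/bin/", "/app_code/")


def normalize(path: str, count: int = 0) -> str:
    """Remove cookieless session tokens (count=0 means all) and collapse '//'."""
    stripped = SESSION_TOKEN.sub("", path, count=count)
    return re.sub(r"/{2,}", "/", stripped)


def is_protected(path: str) -> bool:
    """Folder-level authorization rule: deny anything under a protected prefix."""
    return path.lower().startswith(PROTECTED_PREFIXES)


def vulnerable_serve(request_path: str) -> str:
    """Flawed flow: authorize on a once-stripped view, then serve the fully
    stripped path. With two tokens the views disagree and the rule is skipped."""
    authorized_view = normalize(request_path, count=1)
    if is_protected(authorized_view):
        return "403"
    return "200 " + normalize(request_path)


def hardened_serve(request_path: str) -> str:
    """Fixed flow: the authorization check and the file resolution use one and
    the same fully normalized path, so no token count can make them diverge."""
    resolved = normalize(request_path)
    if is_protected(resolved):
        return "403"
    return "200 " + resolved


if __name__ == "__main__":
    for p in ("/(S(aaa))/protected/default.aspx",
              "/(S(aaa))(S(bbb))/protected/default.aspx"):
        print(p, "->", vulnerable_serve(p), "|", hardened_serve(p))
```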
## Exploitation
- **Status:** PoC available (Technique documented by Soroush Dalili).
- **Complexity:** Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Access to protected files, directories, and sensitive data).
- **Integrity:** High (Potential to execute code or modify data via App Pool Confusion).
- **Availability:** Low (Potential for service instability during App Pool confusion).
## Remediation
### Patches
- Apply the August 2023 Security Updates provided by Microsoft for the relevant .NET Framework version.
- **CVE-2023-36899** specifically addresses the vulnerability within the .NET Framework.
### Workarounds
- Disable cookieless sessions in `web.config` by setting `cookieless="UseCookies"`.
- Ensure `Extended Protection for Authentication` is enabled in IIS.
- Use WAF rules to block any URL patterns containing the `(S(string))` pattern, especially repeated occurrences.
## Detection
### Indicators of Compromise
- Log entries in IIS showing multiple session identifiers in a single path, e.g., `/folder/(S(aaa))(S(bbb))/default.aspx`.
- Requests to protected directories (like `/bin/` or `/App_Code/`) that return a `200 OK` rather than a `403 Forbidden` or `404 Not Found`.
### Detection Methods and Tools
- **Log Analysis:** Scan IIS logs for the regex pattern `/\(S\([a-zA-Z0-9]+\)\)\(S\([a-zA-Z0-9]+\)\)/`.
- **Vulnerability Scanning:** Use specialized web scanners to test for path normalization bypasses using double cookieless patterns.
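A worked version of the log-analysis method above, added here as an example rather than taken from the original page or from Soroush Dalili's post: it parses W3C-style IIS log lines, applies the double-session regex from the Detection section (without the surrounding `/` delimiters), and also flags the second indicator, a `200` for a path that normalizes into a protected directory. The log lines and the `PROTECTED_PREFIXES` list are constructed for the example.

```python
import re

# Regex from the Detection section, used here without the / ... / delimiters.
DOUBLE_SESSION = re.compile(r"\(S\([a-zA-Z0-9]+\)\)\(S\([a-zA-Z0-9]+\)\)")
ANY_SESSION = re.compile(r"\(S\([a-zA-Z0-9]+\)\)")
# Assumed protected directories, matching the indicators listed above.
PROTECTED_PREFIXES = ("/bin/", "/app_code/")

# Constructed W3C-format log excerpt (not real IIS output); field order is
# taken from the #Fields header, as IIS writes it.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-08-09 10:00:01 10.0.0.5 GET /default.aspx - 80 203.0.113.7 200
2023-08-09 10:00:02 10.0.0.5 GET /(S(abc123))/home.aspx - 80 203.0.113.7 200
2023-08-09 10:00:03 10.0.0.5 GET /bin/(S(aaa))(S(bbb))/web.config - 80 203.0.113.9 200
2023-08-09 10:00:04 10.0.0.5 GET /bin/web.config - 80 203.0.113.9 403
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))


def scan(text):
    """Return (client ip, uri-stem, status, reasons) for each suspicious record."""
    findings = []
    for rec in parse_w3c(text):
        stem, status = rec["cs-uri-stem"], rec["sc-status"]
        reasons = []
        if DOUBLE_SESSION.search(stem):
            reasons.append("double-session")
        # Strip every token before the prefix check, as the resolver would.
        normalized = ANY_SESSION.sub("", stem).lower()
        if normalized.startswith(PROTECTED_PREFIXES) and status == "200":
            reasons.append("protected-dir-200")
        if reasons:
            findings.append((rec["c-ip"], stem, status, reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Only the third line trips both indicators; the single-token request and the ordinary `403` for `/bin/web.config` produce no finding.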
## References
- https://soroush.me/blog/cookieless-duodrop-iis-auth-bypass-app-pool-privesc-in-asp-net-framework-cve-2023-36899
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36899
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36560