Vulnerabilities > CVE-2013-1337 - Improper Authentication vulnerability in Microsoft .Net Framework 4.5

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
microsoft
CWE-287
nessus
NVD
Published: 2013-05-15
Updated: 2018-10-12

Summary

Microsoft .NET Framework 4.5 does not properly create policy requirements for custom Windows Communication Foundation (WCF) endpoint authentication in certain situations involving passwords over HTTPS, which allows remote attackers to bypass authentication by sending queries to an endpoint, aka "Authentication Bypass Vulnerability."

Vulnerable Configurations

Part Description Count
Application
Microsoft
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Authentication Abuse
    An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Utilizing REST's Trust in the System Resource to Register Man in the Middle
    This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to place man in the middle once SSL is terminated. Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with an XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme.
  • Man in the Middle Attack
    This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components.

Msbulletin

bulletin_idMS13-040
bulletin_url
date2013-05-14T00:00:00
impactSpoofing
knowledgebase_id2836440
knowledgebase_url
severityImportant
titleVulnerabilities in .NET Framework Could Allow Spoofing

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS13-040.NASL
descriptionThe remote Windows host is running a version of the Microsoft .NET Framework that is affected by multiple vulnerabilities : - A spoofing vulnerability exists that could allow an attacker to modify the contents of an XML file without invalidating the signature associated with the file. (CVE-2013-1336) - An authentication bypass vulnerability exists because of the way the Microsoft .NET framework improperly creates policy requirements for authentication when setting up WCF endpoint authentication. A remote attacker who exploited this vulnerability may be able to steal information or take actions in the context of an authenticated user. (CVE-2013-1337)
last seen2020-06-01
modified2020-06-02
plugin id66415
published2013-05-15
reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/66415
titleMS13-040: Vulnerabilities in .NET Framework Could Allow Spoofing (2836440)
code
#
# (C) Tenable Network Security, Inc.
#




include("compat.inc");

if (description)
{
  script_id(66415);
  script_version("1.12");
  script_cvs_date("Date: 2019/11/27");

  script_cve_id("CVE-2013-1336", "CVE-2013-1337");
  script_bugtraq_id(59789, 59790);
  script_xref(name:"MSFT", value:"MS13-040");
  script_xref(name:"MSKB", value:"2804576");
  script_xref(name:"MSKB", value:"2804577");
  script_xref(name:"MSKB", value:"2804579");
  script_xref(name:"MSKB", value:"2804580");
  script_xref(name:"MSKB", value:"2804582");
  script_xref(name:"MSKB", value:"2804583");
  script_xref(name:"MSKB", value:"2804584");

  script_name(english:"MS13-040: Vulnerabilities in .NET Framework Could Allow Spoofing (2836440)");
  script_summary(english:"Checks version of System.Security.dll");

  script_set_attribute(attribute:"synopsis", value:
"The version of the .NET Framework installed on the remote host is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is running a version of the Microsoft .NET
Framework that is affected by multiple vulnerabilities :

  - A spoofing vulnerability exists that could allow an
    attacker to modify the contents of an XML file without
    invalidating the signature associated with the file.
    (CVE-2013-1336)

  - An authentication bypass vulnerability exists because of
    the way the Microsoft .NET framework improperly creates
    policy requirements for authentication when setting up
    WCF endpoint authentication.  A remote attacker who
    exploited this vulnerability may be able to steal
    information or take actions in the context of an
    authenticated user. (CVE-2013-1337)");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-040");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for .NET Framework 2.0 SP2,
3.5.1, 4.0, and 4.5.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-1337");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/05/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/05/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/05/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:.net_framework");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

# Windows Embedded is not supported by Nessus
# There are cases where this plugin is flagging embedded
# hosts improperly since this update does not apply
# to those machines
productname = get_kb_item("SMB/ProductName");
if ("Windows Embedded" >< productname)
  exit(0, "Nessus does not support bulletin / patch checks for Windows Embedded.");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS13-040';
kbs = make_list(
  '2804576',
  '2804577',
  '2804579',
  '2804580',
  '2804582',
  '2804583',
  '2804584'
);

if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'1', win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

vuln = 0;

########## KB2804576 ###########
#  .NET Framework 4.0          #
#  Windows XP SP3,             #
#  Windows XP SP2 x64,         #
#  Windows 2003 SP2,           #
#  Windows Vista SP2,          #
#  Windows 7 SP1,              #
#  Windows Server 2008 SP2,    #
#  Windows Server 2008 R2 SP1  #
################################
missing = 0;
# Windows XP SP3
missing += hotfix_is_vulnerable(os:"5.1", sp:3, file:"System.Security.dll", version:"4.0.30319.1004", min_version:"4.0.30319.0", dir:"\Microsoft.NET\Framework\v4.0.30319");
missing += hotfix_is_vulnerable(os:"5.1", sp:3, file:"System.Security.dll", version:"4.0.30319.2006", min_version:"4.0.30319.1200", dir:"\Microsoft.NET\Framework\v4.0.30319");
# Windows XP SP2 x64 / Server 2003 SP2
missing += hotfix_is_vulnerable(os:"5.2", sp:2, file:"System.Security.dll", version:"4.0.30319.1004", min_version:"4.0.30319.0", dir:"\Microsoft.NET\Framework\v4.0.30319");
missing += hotfix_is_vulnerable(os:"5.2", sp:2, file:"System.Security.dll", version:"4.0.30319.2006", min_version:"4.0.30319.1200", dir:"\Microsoft.NET\Framework\v4.0.30319");
# Windows Vista SP2 / Server 2008 SP2
missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"System.Security.dll", version:"4.0.30319.1004", min_version:"4.0.30319.0", dir:"\Microsoft.NET\Framework\v4.0.30319");
missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"System.Security.dll", version:"4.0.30319.2006", min_version:"4.0.30319.1200", dir:"\Microsoft.NET\Framework\v4.0.30319");
# Windows 7 SP1 / 2008 R2 SP1
missing += hotfix_is_vulnerable(os:"6.1", sp:1, file:"System.Security.dll", version:"4.0.30319.1004", min_version:"4.0.30319.0", dir:"\Microsoft.NET\Framework\v4.0.30319");
missing += hotfix_is_vulnerable(os:"6.1", sp:1, file:"System.Security.dll", version:"4.0.30319.2006", min_version:"4.0.30319.1200", dir:"\Microsoft.NET\Framework\v4.0.30319");

if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"2804576");
vuln += missing;

######### KB2804577 ############
#  .NET Framework 2.0 SP2     #
#  Windows XP SP 3,           #
#  Server 2003 SP2            #
###############################
missing = 0;
missing += hotfix_is_vulnerable(os:"5.1", sp:3, file:"System.Security.dll", version:"2.0.50727.7019", min_version:"2.0.50727.5000", dir:"\Microsoft.NET\Framework\v2.0.50727");
missing += hotfix_is_vulnerable(os:"5.1", sp:3, file:"System.Security.dll", version:"2.0.50727.3646", min_version:"2.0.50727.3000", dir:"\Microsoft.NET\Framework\v2.0.50727");
missing += hotfix_is_vulnerable(os:"5.2", sp:2, file:"System.Security.dll", version:"2.0.50727.7019", min_version:"2.0.50727.5000", dir:"\Microsoft.NET\Framework\v2.0.50727");
missing += hotfix_is_vulnerable(os:"5.2", sp:2, file:"System.Security.dll", version:"2.0.50727.3646", min_version:"2.0.50727.3000", dir:"\Microsoft.NET\Framework\v2.0.50727");

if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"2804577");
vuln += missing;

########## KB2804579 ############
#  .NET Framework 3.5.1        #
#  Windows 7 SP1,              #
#  Server 2008 R2 SP1          #
################################
missing = 0;
missing += hotfix_is_vulnerable(os:"6.1", sp:1, file:"System.Security.dll", version:"2.0.50727.7018", min_version:"2.0.50727.5600", dir:"\Microsoft.NET\Framework\v2.0.50727");
missing += hotfix_is_vulnerable(os:"6.1", sp:1, file:"System.Security.dll", version:"2.0.50727.5469", min_version:"2.0.50727.4000", dir:"\Microsoft.NET\Framework\v2.0.50727");

if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"2804579");
vuln += missing;

########## KB2804580 ############
#  .NET Framework 2.0 SP2      #
#  Windows Vista SP2,          #
#  Server 2008 SP2             #
################################
missing = 0;
missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"System.Security.dll", version:"2.0.50727.7018", min_version:"2.0.50727.5000", dir:"\Microsoft.NET\Framework\v2.0.50727");
missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"System.Security.dll", version:"2.0.50727.4237", min_version:"2.0.50727.4000", dir:"\Microsoft.NET\Framework\v2.0.50727");

if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"2804580");
vuln += missing;

########### KB2804582 ###########
#  .NET Framework 4.5          #
#  Windows Vista SP2,          #
#  Server 2008 SP2,            #
#  Windows 7 SP1,              #
#  Windows 2008 R2 SP1         #
################################
missing = 0;
# Windows Vista SP2 / Server 2008 SP2
missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"System.Security.dll", version:"4.0.30319.18038", min_version:"4.0.30319.17900", dir:"\Microsoft.NET\Framework\v4.0.30319");
missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"System.Security.dll", version:"4.0.30319.19057", min_version:"4.0.30319.19000", dir:"\Microsoft.NET\Framework\v4.0.30319");
# Windows 7 SP1 / 2008 R2 SP1
missing += hotfix_is_vulnerable(os:"6.1", sp:1, file:"System.Security.dll", version:"4.0.30319.18038", min_version:"4.0.30319.17900", dir:"\Microsoft.NET\Framework\v4.0.30319");
missing += hotfix_is_vulnerable(os:"6.1", sp:1, file:"System.Security.dll", version:"4.0.30319.19057", min_version:"4.0.30319.19000", dir:"\Microsoft.NET\Framework\v4.0.30319");

if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"2804582");
vuln += missing;

########### KB2804583 ###########
#  .NET Framework 4.5          #
#  Windows 8,                  #
#  Server 2012                 #
################################
missing = 0;
missing += hotfix_is_vulnerable(os:"6.2", sp:0, file:"System.Security.dll", version:"4.0.30319.18039", min_version:"4.0.30319.17900", dir:"\Microsoft.NET\Framework\v4.0.30319");
missing += hotfix_is_vulnerable(os:"6.2", sp:0, file:"System.Security.dll", version:"4.0.30319.19058", min_version:"4.0.30319.19000", dir:"\Microsoft.NET\Framework\v4.0.30319");

if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"2804583");
vuln += missing;

########## KB2804584 ############
#  .NET Framework 3.5          #
#  Windows 8,                  #
#  Server 2012                 #
################################
missing = 0;
missing += hotfix_is_vulnerable(os:"6.2", sp:0, file:"System.Security.dll", version:"2.0.50727.6404", min_version:"2.0.50727.6000", dir:"\Microsoft.NET\Framework\v2.0.50727");
missing += hotfix_is_vulnerable(os:"6.2", sp:0, file:"System.Security.dll", version:"2.0.50727.7018", min_version:"2.0.50727.7000", dir:"\Microsoft.NET\Framework\v2.0.50727");

if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"2804584");
vuln += missing;

if(vuln > 0)
{
  set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, "affected");
}

Oval

accepted2014-08-18T04:01:46.864-04:00
classvulnerability
contributors
  • nameSecPod Team
    organizationSecPod Technologies
  • nameMaria Mikhno
    organizationALTX-SOFT
definition_extensions
  • commentMicrosoft .NET Framework 4.5 is installed
    ovaloval:org.mitre.oval:def:15925
  • commentMicrosoft Windows Vista (32-bit) is installed
    ovaloval:org.mitre.oval:def:1282
  • commentMicrosoft Windows Vista x64 Edition is installed
    ovaloval:org.mitre.oval:def:2041
  • commentMicrosoft Windows Server 2008 (32-bit) is installed
    ovaloval:org.mitre.oval:def:4870
  • commentMicrosoft Windows Server 2008 (64-bit) is installed
    ovaloval:org.mitre.oval:def:5356
  • commentMicrosoft Windows 7 (32-bit) is installed
    ovaloval:org.mitre.oval:def:6165
  • commentMicrosoft Windows 7 x64 Edition is installed
    ovaloval:org.mitre.oval:def:5950
  • commentMicrosoft Windows Server 2008 R2 x64 Edition is installed
    ovaloval:org.mitre.oval:def:6438
  • commentMicrosoft Windows 8 is installed
    ovaloval:org.mitre.oval:def:15732
  • commentMicrosoft Windows Server 2012 (64-bit) is installed
    ovaloval:org.mitre.oval:def:15585
descriptionMicrosoft .NET Framework 4.5 does not properly create policy requirements for custom Windows Communication Foundation (WCF) endpoint authentication in certain situations involving passwords over HTTPS, which allows remote attackers to bypass authentication by sending queries to an endpoint, aka "Authentication Bypass Vulnerability."
familywindows
idoval:org.mitre.oval:def:16741
statusaccepted
submitted2013-05-17T11:39:12
titleMircosoft .NET Framework authentication bypass vulnerability - (CVE-2013-1337) MS13-040
version41

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 59790 CVE(CAN) ID: CVE-2013-1337 .NET就是微软的用来实现XML,Web Services,SOA(面向服务的体系结构service-oriented architecture)和敏捷性的技术。.NET Framework是微软开发的软件框架,主要运行在Microsoft Windows上。 当设置自定义 WCF 终结点身份验证时,Microsoft .NET Framework 不正确地创建身份验证策略,存在一个安全功能绕过漏洞。成功利用此漏洞的攻击者能够像经过身份验证的用户那样访问终结点功能,这样使攻击者能够窃取信息或在经过身份验证的用户的上下文中执行任何操作。 0 Microsoft .NET Framework 4.x Microsoft .NET Framework 3.x Microsoft .NET Framework 2.x 临时解决方法: * 不使用netHttpsBinding,而是将netHttpBinding与TransportWithMessageCredential配合使用 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS13-040)以及相应补丁: MS13-040:Vulnerabilities in .NET Framework Could Allow Spoofing (2836440) 链接:http://technet.microsoft.com/security/bulletin/MS13-040
idSSV:60794
last seen2017-11-19
modified2013-05-17
published2013-05-17
reporterRoot
titleMicrosoft .NET Framework 身份验证绕过漏洞(CVE-2013-1337)(MS13-040)

References