Privilege escalation in ASP.NET Core MVC

1) Privilege Escalation

EUVDB-ID: #VU653

Risk: Medium

CVSSv3.1: 4.4 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:C/I:C/A:L/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to obtain elevated privileges.

The vulnerability exists due to design error in View Component implementation within public versions of ASP.NET Core MVC 1.0.0. A malicious user can gain access to potentially sensitive information on the system and obtain elevated privileges on the system.

Successful exploitation of this vulnerability will allow an attacker to obtain elevated privileges on vulnerable system.

The following packages are vulnerable:

• Microsoft.AspNetCore.Mvc
• Microsoft.AspNetCore.Mvc.Abstractions
• Microsoft.AspNetCore.Mvc.ApiExplorer
• Microsoft.AspNetCore.Mvc.Core
• Microsoft.AspNetCore.Mvc.Cors
• Microsoft.AspNetCore.Mvc.DataAnnotations
• Microsoft.AspNetCore.Mvc.Formatters.Json
• Microsoft.AspNetCore.Mvc.Formatters.Xml
• Microsoft.AspNetCore.Mvc.Localization
• Microsoft.AspNetCore.Mvc.Razor
• Microsoft.AspNetCore.Mvc.Razor.Host
• Microsoft.AspNetCore.Mvc.TagHelpers
• Microsoft.AspNetCore.Mvc.ViewFeatures
• Microsoft.AspNetCore.Mvc.WebApiCompatShim

Mitigation

Update ASP.NET Core MVC to 1.0.1.

Microsoft .NET Core 1.0.1 – VS 2015 Tooling Preview 2" updates the ASP.NET Core templates to use the fixed packages.

To download this preview, see the "Tools" section of the .NET Downloads page.

Vulnerable software versions

ASP.NET Core MVC: 1.0.0

External links

http://technet.microsoft.com/en-us/library/security/3181759.aspx

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.