ASP.NET dll download vulnerability

Attack:

  1. Guess what the dll of the core application is called.  By default it will be called the same name as the ASP.NET project created by the programmer.   Other than taking a guess based on the name of the web site, often it’s possible to determine the name by browsing HTML source or by triggering errors.
  2. Download the main dll by requesting the following URL:  http://domain.com/bin/application.dll
  3. Once you’ve got the .dll downloaded you can decompile it using ILSpy or your own favorite reversing tool.   If you’re lucky, you may find hardcoded passwords.  If not, you can now look for SQL and Linq injection opportunities that the source code is likely to reveal.

Defence:

  • Most IIS installations restrict access to /bin/ folder by default, but I’ve noticed that for some reason, some don’t.   One way to block this attack is by adding a hidden segment “bin”.

Notes:

  • I found at least one Linux system running Apache with Mono that was vulnerable.  Linux is not immune, if anything I’d say it’s more likely to allow this attack.

Leave a Reply

Your email address will not be published. Required fields are marked *