How was the hash collision issue in ASP.NET fixed (MS11-100)? [closed]

About

Asked 29/12, 2011 at 20:25 Answered 29/12, 2011 at 21:55

Solved asp.net .net denial-of-service hash-collision ms11-100

As reported by Slashdot, MS issued an update to ASP.NET to fix the hash collision attack today. (Listed as "Collisions in HashTable May Cause DoS Vulnerability - CVE-2011-3414" on the linked Technet page.)

The problem is that the POST data are converted into a hash table that uses a known hashing algorithm. And if an attacker uses this by crafting a request that contains lots of collisions, he can easily cause a Denial of Service.

Does anyone know how exactly does that update fix the issue?

Fiore answered 29/12, 2011 at 20:25 Comment(6)

I would expect that they just used a better hash algorithm, but I'm not sure and haven't seen any details anywhere. – Davenport 29/12, 2011 at 20:27

Could also be they introduced some random parameter into the algorithm. – Quatrefoil 29/12, 2011 at 20:32

this might help you ....<weblogs.asp.net/scottgu/archive/2011/12/28/…> – Contend 29/12, 2011 at 21:59

@salman That page does not describe how the issue was fixed, only that a patch is available. – Stonedeaf 29/12, 2011 at 22:3

I don't understand why this is closed as a question that is not constructive. The question could be perfectly answered using facts and references. Maybe all relevant facts are not yet publically known, but that isn't a reason to close the question, or is it? – Scroop 31/12, 2011 at 12:39

Here is a proposed solution: #8697218 – Cornelia 2/1, 2012 at 6:47

The update is not a complete fix, but rather a workaround. It limits the number of POST parameters accepted.

Arrowworm answered 29/12, 2011 at 21:55 Comment(6)

How did you find that out? Do you have some source? – Fiore 29/12, 2011 at 22:9

Guys that presented this vulnerability gave this information. – Catechumen 30/12, 2011 at 23:53

@Peri and where did they do that? – Fiore 31/12, 2011 at 1:32

Here are the slides events.ccc.de/congress/2011/Fahrplan/events/4680.en.html and here is the video mirror.fem-net.de/CCC/28C3/mp4-h264-HQ/… – Catechumen 31/12, 2011 at 10:24

The will be a update, but for now we can use the solution proposed here #8697218 – Cornelia 2/1, 2012 at 6:48

Better to use this solution if you need to workaround the limitation: <add key="aspnet:MaxHttpCollectionKeys" value="2000" /> to your appSettings in web.config. – Tanning 12/1, 2012 at 7:25

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags