CVE-2023-36899 - ASP.NET Elevation of Privilege Vulnerability Explained with Examples and Exploit Details
Published: June 2024
What is CVE-2023-36899?
CVE-2023-36899 is a critical security vulnerability found in Microsoft’s ASP.NET. In simple words, this bug allows a normal user to perform actions reserved for admins—an “Elevation of Privilege” (EoP) vulnerability. If an attacker can exploit this, they could run code or access data as if they were an admin.
This flaw affects specific versions of ASP.NET in Microsoft’s .NET Framework, mostly as deployed on Windows servers running popular web apps.
Affected environment: Microsoft Windows Server hosting web applications.
In particular, if your web apps were built on versions released before the patches in Microsoft's June 2023 security update, you need to act.
The Simple Explanation
ASP.NET uses authentication and authorization to make sure users only get access to what they’re allowed. CVE-2023-36899 is a flaw in how certain requests are handled. If a user crafts a malicious request, they can bypass some security checks inside ASP.NET, tricking it into thinking they have higher privileges.
The Technical Part
Under the hood, the vulnerability exists because certain endpoint permissions were incorrectly implemented. By manipulating the HTTP verb, route, or token data, the attacker can reach functionality that should be off limits.
For ASP.NET Core, the issue often centers around misapplied [Authorize] or [AllowAnonymous] attributes in combination with middleware mistakes. In classic ASP.NET, path traversal with odd routing can bypass web.config authorization rules.
Proof-of-Concept Exploit Example
Below is a very simple proof-of-concept (POC) showing how the bug can be abused to get admin data as a regular user.
```csharp
// Example vulnerable endpoint in ASP.NET Core, as presented in the post.
// The attributes below are correct on their own; the post's claim is that
// path handling elsewhere lets a request reach code that skips this check.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class AdminController : ControllerBase
{
    [Authorize(Roles = "Admin")]
    [HttpGet("/admin/secret")]
    public IActionResult GetAdminSecret()
    {
        return Ok("Sensitive admin info");
    }
}
```
A bad request could bypass the [Authorize] check:
```http
GET /admin/secret%2e%2e/
```
In this example, encoding or tweaking the path might cause the route to be handled by code that forgets to check permissions, and the app returns information meant only for admins. The alternate forms of the request listed in the post are:
```http
/admin/secret/
/admin/secret%2e%2e/
//admin//secret
```
If the server responds to any alternate request and shows admin data, it’s exploitable.
Note: Actual working exploit details may vary based on app configuration, middleware, and routing.
Microsoft recommends these immediate steps
- Install the security patch from June 2023.
- Make sure your routing, especially custom routes, doesn't allow security checks to be bypassed.
- Regularly run dotnet security analysis tools.
Mitigation Example (ASP.NET Core)
```csharp
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();
// Always verify authentication at the start of your middleware pipeline,
// and keep UseAuthentication() before UseAuthorization().
app.UseAuthentication();
app.UseAuthorization();
app.Run();
```
Also, avoid allowing odd or double slashes in URLs by normalizing paths with URL rewriting middleware.
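Here is an added example of that normalization idea in a minimal ASP.NET Core app. It is not code from the original post or from Microsoft: the inline path-normalization middleware, the cookie authentication scheme, and the minimal-API version of the /admin/secret endpoint are all assumptions made for illustration. The middleware rejects requests whose path still contains dot segments after decoding (including double-encoded ones), collapses repeated slashes, and runs before authentication and authorization so that policies are evaluated on the same canonical path routing will dispatch on. Treat it as defence in depth: Kestrel, IIS and reverse proxies each normalize paths differently, so the check is deliberately strict rather than clever.

```csharp
// Added example, not from the original post or from Microsoft.
// Hypothetical names: the inline middleware and the /admin/secret minimal-API route.
using System;
using System.Linq;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
// Assumed scheme for the example; any configured scheme works the same way.
builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie();
builder.Services.AddAuthorization();

var app = builder.Build();

// 1. Canonicalise the path before any identity or policy decision is made.
app.Use(async (context, next) =>
{
    var raw = context.Request.Path.Value ?? "/";

    // Request.Path is already percent-decoded by the server. Decode once more
    // for the check only, so double-encoded dot segments (%252e%252e) are
    // caught without rewriting the path the app actually sees.
    var probe = Uri.UnescapeDataString(raw);
    static bool HasDotSegment(string p) =>
        p.Split('/').Any(seg => seg == "." || seg == "..");

    if (HasDotSegment(raw) || HasDotSegment(probe))
    {
        // Rejecting is safer than guessing what the client meant.
        context.Response.StatusCode = StatusCodes.Status400BadRequest;
        return;
    }

    // Collapse "//admin//secret" to "/admin/secret" and drop a trailing slash
    // (but keep "/" itself), so one route sees one path shape.
    var collapsed = Regex.Replace(raw, "/{2,}", "/");
    if (collapsed.Length > 1)
    {
        collapsed = collapsed.TrimEnd('/');
    }
    context.Request.Path = new PathString(collapsed);

    await next();
});

// 2. Only now establish identity and enforce policies, on the canonical path.
app.UseAuthentication();
app.UseAuthorization();

// 3. The endpoint keeps its explicit role requirement. With the path already
//    canonical, /admin/secret/ and //admin//secret land on this handler and
//    /admin/secret%2e%2e/ is rejected, instead of either reaching a less
//    guarded route.
app.MapGet("/admin/secret", () => Results.Ok("Sensitive admin info"))
   .RequireAuthorization(new AuthorizeAttribute { Roles = "Admin" });

app.Run();
```

The order matters: if the normalization step were placed after UseAuthorization(), the policy would already have been evaluated against the odd path, which is exactly the situation the post describes. Returning 400 for dot segments, rather than silently rewriting them, also gives you a clean signal in access logs that someone is probing path handling.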
Original References
- Microsoft Security Guide for CVE-2023-36899
- NIST NVD CVE Detail
- Microsoft .NET Security Documentation
In Summary
CVE-2023-36899 is a serious bug in ASP.NET that can let attackers gain admin access.
Patch your apps. Audit your authentication and routes. Keep your systems secure.
For any questions about fixing your web app, reach out to your dev team or ask for help in the Microsoft ASP.NET Security Forums.
Timeline
Published on: 08/08/2023 19:15:00 UTC
Last modified on: 08/11/2023 17:56:00 UTC