Microsoft's 'Full Trust ASP.NET in IIS 6.0 is Insecure by Design, by Default and in Deployment' Internal White Paper

Email sent to several Microsoft contacts after the meeting I had in Redmond (following the "Full Trust Asp.Net Security Vulnerabilities, and Microsoft's current position" email)

Dear Shawn Nandi and Shankun Niyogi (and Bill, Steve, Mike, Scott and Shawn Farkas)

Following our early July meeting at Redmond's building 42, here is the requested proposal for the creation of a white paper explaining why "Full Trust ASP.NET in IIS 6.0 is Insecure by Design, Insecure by Default and Insecure in Deployment". This document would initially be distributed to Microsoft employees, and later to the general public.

I strongly believe that I (Dinis Cruz) will deliver something worthwhile and valuable to all parties involved.

As you can see by my past Owasp work, all that I am trying to do is to help you (Microsoft) to do the right thing.

Taking into account that Integrity and Independence are the most valuable assets that the proposed team has (me included), these are our conditions:

 * No NDAs will be signed by any participants
 * All deliverables to Microsoft will be published by the authors 30 days after final delivery (with the exception of selected 0-days)
 * We will retain the copyright of all material created so that it can be (re)used in printed publications (or in other mediums)
 * All vulnerabilities discovered will be published after the agreed initial period (30 days)
   * The only exception to this rule will be 0-days that can be exploited remotely by an anonymous malicious attacker against an IIS/ASP.NET website
   * All exploits (even 0-days) that can be executed from a Full Trust or Partial Trust ASP.NET environment will be published after the agreed initial period (30 days)

For this project's implementation we would like to propose two models:

Model A) "ASP.NET/IIS Security Audit/Research executed by some of the best security consultants in the world, who are unlikely or unwilling to work directly for Microsoft"

 * Time Allocated: 100 to 200 man days
 * Objectives:
   * Perform an in-depth security audit of ASP.NET/IIS
   * Reverse engineer both managed and unmanaged components (no access to the source code is required) so that multiple attack vectors/methodologies can be tested. One area that will be particularly tested is the relationship between w3wp and the other IIS components (inetinfo, http.sys, etc.), to see if IIS is able to sustain an internal attack launched from a Full Trust or a Partial Trust Asp.Net environment.
   * The current Partially Trusted environments (High, Medium, Low and Minimal) will be audited with the objective of finding ways to jump out of the sandbox (into Full Trust).
   * Analyze the new 2.0 CAS security features
   * Fully investigate the potential security vulnerabilities (discovered by Dinis Cruz) which have not been fully explored due to time constraints
   * Create a document clearly explaining (to Microsoft internal employees) the security issues and implications of the current ASP.NET/IIS architecture
 * Scope:
   * Asp.Net 1.1 and 2.0
   * IIS 5.0, 6.0 and 7.0 (if a public beta is available)
   * Full Trust and Partial Trust Asp.Net
 * Deliverables:
   * White Paper
   * MSDN Article
   * Tools
   * PoC / Exploits
   * Proposed Solutions and Countermeasures
   * 1 presentation in Redmond (if required)
 * Delivery Date/Presentation:
   * 3 to 6 months (from project sign-off)
 * Participants:
   * Dinis Cruz (project leader)
   * Several Owasp-dotNet Members
   * 5 to 10 other security consultants (i.e. a 'Hard-Code' Security Research Team made of highly talented and knowledgeable members, most of whom will not work under normal 'closed' contracts, but will work under the proposed 'no NDA with full disclosure' research environment)

Model B) "Documentation of existing material"

 * Time Allocated: 20 days
 * Objectives:
   * Create a document that clearly explains (to Microsoft internal employees) the security issues and implications of the current ASP.NET/IIS architecture (since Microsoft's staff don't seem to read (and fully understand) the hundreds of technical documentation pages (and tools) sent by Dinis Cruz, maybe what is required is a document commissioned (and paid for) by Microsoft)
   * This document will contain public information about Full Trust ASP.NET vulnerabilities and some private research that has yet to be documented.
 * Scope:
   * Asp.Net 1.1
   * IIS 6.0
   * Full Trust Asp.Net
 * Deliverables:
   * White Paper
   * MSDN Article
   * 1 presentation in Redmond (if required)
 * Delivery Date/Presentation:
   * 2 to 4 months (from project sign-off)
 * Participants:
   * Dinis Cruz (project leader)
   * Several Owasp-dotNet Members

A [XXXX] company with an existing relationship with Microsoft will be responsible for all financial negotiations and contract arrangements.

If you are interested in this opportunity, you can contact me by email or via my mobile phone (+ 44 XXX XXXXXX).

Ideally, I would like to announce this project during next week's Owasp conference in Washington.

Best regards,

Dinis Cruz
.Net Security Consultant