{"uuid": "0972d4fe-2aed-4880-98f2-6cd575e8b19a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-36899", "type": "published-proof-of-concept", "source": "https://t.me/ptswarm/182", "content": "Cookieless DuoDrop: IIS Auth Bypass & App Pool Privesc in ASP[.]NET Framework (CVE-2023-36899)\n\n\ud83d\udc64 by Soroush Dalili\n\nIn modern web development, while cookies are the go-to method for transmitting session IDs, the .NET Framework also provides an alternative: encoding the session ID directly in the URL. This method is useful for clients that do not support cookies.\nThe researcher identified a strange anomaly when the cookieless pattern was repeated twice. This resulted in two vulnerabilities being reported to Microsoft, as their impact and exploitation were different:\n   \u2022 IIS restricted path bypass leading to potential authentication and path-filtration bypass\n   \u2022 Application Pool confusion leading to potential privilege escalations\n\n\ud83d\udcdd Contents:\n\u25cf Introduction\n\u25cf Finding the vulnerability\n\u25cf IIS Restricted Path Bypass\n\u25cf The root cause\n\u25cf Application Pool Confusion\n\nhttps://soroush.me/blog/2023/08/cookieless-duodrop-iis-auth-bypass-app-pool-privesc-in-asp-net-framework-cve-2023-36899/", "creation_timestamp": "2023-08-10T16:18:02.000000Z"}