ClientState Input and Buffer Overflow

4 posts, 0 answers
  1. Jeff
    2 posts
    Member since:
    Jan 2012

    Posted 21 Sep 2015

    We have an application that uses RadGrid and one of our clients recently performed a penetration test on our application and identified the hidden input _ClientState as a vulnerability because they were able to trigger a buffer overflow error.

    Here is the relevant code from the test where ClientState=AAA repeats ...

    ctl00_ctl00_MainContent_MainContent_MyRequestGrid1_MyRequestCustomRadGrid_ClientState=AAAAAAAAAAAAAAAAAAAAAAAA 

    Is there a way to prevent this from happening? Perhaps some way to set the max length for this hidden input or some other technique that we can utilize to mitigate this vulnerability?

    We are using Telerik RadControls for ASP.NET Ajax.

    For reference, there is another thread related to this topic (i.e., ClientState hidden field) where my colleague posted a similar question but received no response - http://www.telerik.com/forums/what-is-clientstate-input-hidden-for

  2. Viktor Tachev
    Admin
    1488 posts

    Posted 24 Sep 2015

    Hello Jeff,

    As explained in the article you are referring to, the controls are tested for possible issues. Currently we are not aware of such a security vulnerability.

    Could you provide additional information on the problem? Also, elaborate in more detail on how it could be reproduced. Please try to reproduce the issue in one of the online examples linked below and provide the steps for replicating the issue.



    Regards,
    Viktor Tachev
    Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  4. Jeff
    2 posts
    Member since:
    Jan 2012

    Posted 24 Sep 2015 in reply to Viktor Tachev

    Hi Viktor,

    Thanks for the reply. I attached a document for you to review, but here is an overview of how we exploited the hidden Telerik fields.

    We are using FireFox-HttpRequester to send a post request using the hidden HTML input. Most Telerik controls add a “_ClientState” hidden field along with other content.

    The input below doesn’t have a maxLength set, so it's possible to provide a very large input. If you use the Inspect Element tool on the browser, you will see many hidden Telerik fields.

    <input id="ctl00_SideBar_LeftNavigation_CategoryControls_ClientState" name="ctl00_SideBar_LeftNavigation_CategoryControls_ClientState" type="hidden" autocomplete="off" value="{"expandedNodes":[],"collapsedNodes":[],"logEntries":[],"selectedNodes":[],"checkedNodes":[],"scrollPosition":0}">

    I attached a screen shot demonstrating how we passed values to the hidden input to trigger a buffer overflow using the HTTP Requester Tool.

    Those hidden fields should have some kind of validation to validate against max length or strip out extra characters before a request is sent to the server.

    ctl00_SideBar_DemoSearch1_SearchBox_ClientState: AAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    Content-Type: application/json
     
     -- response --
    200 OK
    Cache-Control:  private
    Content-Type:  text/html; charset=utf-8
    Content-Encoding:  gzip
    Server:  Microsoft-IIS/7.5
    X-Powered-By:  UrlRewriter.NET 2.0.0, ASP.NET
    X-AspNet-Version:  4.0.30319
    Date:  Thu, 24 Sep 2015 13:46:13 GMT
    Content-Length:  47646

  5. Viktor Tachev
    Admin
    1488 posts

    Posted 29 Sep 2015

    Hi Jeff,

    The ClientState hidden field is provided by the framework. Moreover, it is usually used to set settings for the controls. It contains information that is already available on the client. Thus, it does not introduce a security vulnerability. If you would like additional information on keeping the state of the controls, you would find the following article interesting.

    As for the limit of the request size, you can specify it in the web.config file as described here. As seen in the screenshot you have provided, when the limit is reached the server rejects the request and an error is thrown.

    Regards,
    Viktor Tachev
    Telerik
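The two request-size limits Viktor points at live in web.config, one enforced by ASP.NET and one by IIS request filtering. The fragment below is an added example, not configuration from the thread or from Telerik: the framework defaults are shown commented out beside tightened values, and the 512 KB figure is an assumed value picked for illustration. A maxlength on the hidden _ClientState input, as suggested in the thread, would not help, because the POST body is built by whoever sends the request; only a server-side limit caps the oversized value.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- maxRequestLength is in kilobytes. The ASP.NET default is 4096 (4 MB),
         which is what the application gets when the attribute is omitted:
         <httpRuntime maxRequestLength="4096" />
         512 KB is an assumed value; set it to the largest legitimate POST
         (ViewState-heavy pages, file uploads) the application actually needs.
         Oversized requests fail with HttpException "Maximum request length exceeded". -->
    <httpRuntime maxRequestLength="512" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- maxAllowedContentLength is in bytes. The IIS 7+ default is 30000000
             (about 28.6 MB) when omitted:
             <requestLimits maxAllowedContentLength="30000000" />
             Keep it consistent with maxRequestLength: 512 KB = 524288 bytes.
             IIS rejects a larger body with HTTP 404.13 before ASP.NET runs. -->
        <requestLimits maxAllowedContentLength="524288" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Both values cap the whole request body, not one field, so the IIS 404.13 and the ASP.NET "Maximum request length exceeded" error in the thread's screenshot are the expected outcome rather than a fault. Measure the largest legitimate POST on the site before lowering either limit, since a value below that breaks those pages; and because the two checks run at different layers, lower both, otherwise the larger of the two is what an oversized request is actually measured against at the layer that still allows it.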