Tuesday, September 21, 2010

ASP.NET Vulnerability Workaround Not Enough

Microsoft keeps calling this a ‘workaround’ but it’s mitigation at best – sure, for the majority of applications it may be all that’s necessary, but it falls short of across-the-board prevention. It’s not clear why they’re not more open about the cases that aren’t covered by the suggested workaround, but it doesn’t take more than simple reasoning to reveal them. If you’re really concerned about the security of your application, keep reading.

Let’s go back to basics and look at where this issue stems from – all an attacker needs to do is differentiate between these three cases.

When the application is passed an encrypted value, it responds in one of three ways:

  • When a valid ciphertext is received (one that is properly padded and contains valid data) the application responds normally (200 OK)
  • When an invalid ciphertext is received (one that, when decrypted, does not end with valid padding) the application throws a cryptographic exception (500 Internal Server Error)
  • When a valid ciphertext is received (one that is properly padded) but decrypts to an invalid value, the application displays a custom error message (200 OK)

And depending on how your application uses encryption, these cases can still be told apart even with a constant error page – here’s one blogger’s explanation (misses the point, IMO):

How about Microsoft’s workaround?

Well, while the workaround contains really valuable information, relevant to every system (as for not disclosing the real error), and it will prevent the automated tool released by the researchers from hacking your system, it will, by far, NOT protect you from a potential attack!

How so? The workaround assumes that the potential attacker will look for an HTTP error response status (500), or for an error page containing a specific exception message. However, it is enough for an attacker to recognize an abnormal, or just different, system behaviour on certain requests.

Let’s get back to our ASP.NET system that stores encrypted sensitive information in a cookie. On each request, the system will probably decrypt this information and use it. In case the ciphertext in a cookie is invalid, an exception will be thrown, and the system may act according to one of the following scenarios:

· Return a 500 error response - very user unfriendly!

· Return a default ASP.NET YSOD exception page - extremely bad in production environment!

· Return a page stating only the exception’s message - also very bad!

· Return a constant page, stating there was an error, without providing details – a good practice, this is actually Microsoft’s workaround

· “Swallow” the exception, and behave like the cookie does not exist. The response may be a redirect to another page, or just a slightly changed HTML (instead of the user’s name, a “login” link) – This is the way ASP.NET Forms Authentication works.

Note that every one of the possible responses is different from the normal one. Even the last scenario I’ve described above, as clean as it is, still returns a distinctively different response. Therefore, an attacker can take advantage of it, and write a simple script that translates this abnormal behaviour into an “Invalid” oracle answer. It is that simple!

That’s mostly right, except that it’s not sufficient to detect just any error condition – you need to be able to discern between two specific error conditions (ciphertext not correctly padded vs. ciphertext correctly padded but decrypting to an invalid value).

If visitors to your site can tell these two apart, you’re still vulnerable. Here’s a scenario: you don’t rely on Forms Authentication, but instead have a custom authentication scheme that relies on encrypted cookies. If an invalid cookie is submitted, you treat the user as anonymous; but if an exception is thrown during decryption, Application_Error kicks in. This scenario, not entirely uncommon, still allows the attacker to replay the request and differentiate between the three possible replies.

How does your application respond in these scenarios and how confident are you of the answer?
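To make the three response classes concrete, here is an added Python example; it is not code from the original post or from ASP.NET. A small Feistel network stands in for AES (a constructed toy, not a secure cipher), the cookie payload format `uid=<digits>` is made up for the demo, and the handler names (`leaky_handler`, `uniform_handler`) are hypothetical. `leaky_handler` behaves like the custom-cookie scenario above: a padding failure reaches the error handler and returns a 500, while a well-padded cookie with a meaningless value gets a custom 200 error page. `uniform_handler` collapses both failure classes into the same anonymous page, which is the squelching approach discussed in the comments. `distinct_responses` is the self-check a developer can run against their own handler: it submits the genuine cookie plus one cookie corrupted so that its padding is invalid and one corrupted so that padding is intact but the content is not, and counts how many different replies come back.

```python
import hashlib
import secrets

BLOCK = 16


class PaddingError(Exception):
    """Raised when the final block does not end with valid PKCS#7 padding."""


# --- Toy 16-byte block cipher: a constructed stand-in for AES, not secure ---
def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(4):  # 4-round Feistel network
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):  # undo the rounds in reverse order
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


# --- CBC mode with PKCS#7 padding, the construction the oracle depends on ---
def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes = b"") -> bytes:
    prev = iv or secrets.token_bytes(BLOCK)
    out = [prev]  # ciphertext = IV || C1 || C2 ...
    padded = pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    if len(ciphertext) < 2 * BLOCK or len(ciphertext) % BLOCK:
        raise PaddingError("ciphertext is not whole blocks")
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return pkcs7_unpad(plain)


# --- Application layer: a custom auth cookie carrying "uid=<digits>" --------
def issue_cookie(key: bytes, uid: int) -> bytes:
    return cbc_encrypt(key, f"uid={uid}".encode())


def parse_uid(plaintext: bytes) -> int:
    if not plaintext.startswith(b"uid=") or not plaintext[4:].isdigit():
        raise ValueError("well-padded cookie, but not a user id")
    return int(plaintext[4:])


def leaky_handler(key: bytes, cookie: bytes) -> tuple:
    """Padding failure -> generic 500 (Application_Error); bad value -> custom 200 page."""
    try:
        plaintext = cbc_decrypt(key, cookie)
    except PaddingError:
        return 500, "An error occurred"
    try:
        return 200, f"Welcome, user {parse_uid(plaintext)}"
    except ValueError:
        return 200, "An error occurred"


def uniform_handler(key: bytes, cookie: bytes) -> tuple:
    """Both failure classes are squelched into the identical anonymous page."""
    try:
        return 200, f"Welcome, user {parse_uid(cbc_decrypt(key, cookie))}"
    except (PaddingError, ValueError):
        return 200, "Welcome, guest"


# --- Self-check: do the two failure classes get the same reply? -------------
def flip_byte(cookie: bytes, index: int, mask: int) -> bytes:
    """XOR one ciphertext byte; in CBC this flips the same byte of the next block's plaintext."""
    buf = bytearray(cookie)
    buf[index] ^= mask
    return bytes(buf)


def distinct_responses(handler, key: bytes, cookie: bytes, pad_len: int) -> int:
    probes = [
        cookie,                                              # genuine cookie
        flip_byte(cookie, len(cookie) - BLOCK - 1, pad_len),  # last pad byte becomes 0x00
        flip_byte(cookie, 0, 0x01),                          # padding intact, first byte broken
    ]
    return len({handler(key, c) for c in probes})
```

With a six-byte payload the padding length is 10, so `distinct_responses(leaky_handler, key, issue_cookie(key, 42), 10)` returns 3 and the same call with `uniform_handler` returns 2 (genuine vs. guest). Uniform responses close the channel the post describes, but a measurable timing difference between the two failure paths can still leak the same bit; rejecting any cookie whose authentication tag does not verify before decryption is attempted removes the padding check from the attacker's reach entirely.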


Venemo said...

Hi Nariman,

As I see it, it is always possible to tell whether the cookie is valid or invalid. But after applying the workaround, the attacker needs to do *lots* of brute force to figure out the key.

(Because the attacker can't deduce from the responses whether the key itself is wrong or content.)

Actually, the correct solution would be to implement their own version of the FormsAuthenticationModule that encrypts the data inside the cookie with some different encryption method before sending it to the client. And the cookie itself should not contain the username, just a random GUID or something like that.

What do you think?

Nariman Haghighi said...

Hi Venemo;

If the application is susceptible in this way, the number of iterations doesn’t change after the workaround - each iteration still tells you whether there was a padding error or whether the cookie was rejected based on its value. Again, it depends on how the application was authored to respond to invalid cookies - some just chose to ignore it (and render an anonymous response). In these scenarios, if it's possible to squelch the padding exception and treat it the same as an invalid (but correctly padded) cookie (basically render the anonymous HTML for that page) that should suffice. Each scenario needs some thought – I’d like to set aside some time to actually experiment with a few patterns before coming to any strong conclusions.


Venemo said...

"each iteration still tells you whether there was a padding error or whether the cookie was rejected based on its value"

If the application sends the same error message for both (plus sleeps the thread for a random duration), I don't see how the attacker could tell the difference.
