Monday, September 20, 2010

ASP.NET Padding Oracle Exploit Tool Demo

Update #2: Another good post echoing the “MITIGATE” theme (no signs of “PREVENTION” yet.) And some clarification from SO on how machineKey leaves other files (*.config, /bin/*) vulnerable:

“In ASP.NET 3.5 Service Pack 1 and ASP.NET 4.0 there is a feature that is used to serve files from the application. This feature is normally protected by the machine key. However, if the machine key is compromised then this feature is compromised. This goes directly to ASP.NET and not IIS so IIS's security settings do not apply. Once this feature is compromised then the attacker can download files from your application - including web.config file, which often contains passwords.”

This vector was first published in 2002 (8 years ago) and it’s not unique to .NET either – aspects of JSF, Rails, Django all seem to be affected (is the theme really as simple as encrypted data on the client?).

Update #1: Rinat Abdullin and Vlad Azarkhin offer some good details [4] [5] on this (the only blogs among my subscriptions to even mention the issue so far). Apparently, the difference in response times (among other subtle differences) still allows one to separate errors from accepted responses [6] – though this would require more of a site-specific attack. And the ability to request *.config files might be a secondary exploit for CMS products like DNN or Sitecore that expose the File System through authoring interfaces – though others are suggesting that it can be obtained through WebResource.axd (which uses some kind of key to authenticate incoming requests for arbitrary resources).

For a low-level (detailed) explanation of the issue, see Brian Holyfield’s post [6].


Speechless.

Here’s a demo of POET [1] on DNN [2] – still unclear how this can be used to actually request *.config files though (potentially more serious, IMO):

The suggested fix [3], part of standard deployment best-practices, is to mask underlying HTTP error codes:

<customErrors mode="On" defaultRedirect="~/error.html" />

That’s the guidance from Microsoft, anyway; the group that released this video claims that “the setting of CustomErrors is _irrelevant_”.
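To make the “mask the error” vs. “remove the oracle” distinction concrete, here is an added example (not code from the post, from Microsoft, or from the POET/PadBuster authors) written as a defender’s self-check. It models two versions of a server endpoint that decrypts a client-supplied blob: a vulnerable one that decrypts first, checks integrity afterwards, and answers padding failures and content failures differently, and a hardened one that verifies an HMAC over the ciphertext before unpadding and returns the same `~/error.html` redirect for every failure (the page’s customErrors setting applied to the handler). The `responses_distinguishable` check sends two tampered copies of a valid blob and reports whether the endpoint tells them apart. The block cipher is a toy XOR permutation standing in for AES so the example runs offline; the key, the plaintext, and the handler/response shapes are constructed for illustration.

```python
import hmac
import hashlib
import secrets

BLOCK = 16
TAG_LEN = 32  # HMAC-SHA256


def _block_key(key: bytes) -> bytes:
    """Toy block cipher 'key schedule': a 16-byte XOR mask derived from the key.
    Stands in for AES so the example runs offline; it is NOT a real cipher."""
    return hmac.new(key, b"toy-block-cipher", hashlib.sha256).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    # Raises ValueError on malformed padding. That exception *is* the oracle
    # whenever the server lets it change the observable response.
    if not data or len(data) % BLOCK:
        raise ValueError("bad padding")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    k, out, prev = _block_key(key), b"", iv
    for i in range(0, len(plaintext), BLOCK):
        block = _xor(_xor(plaintext[i:i + BLOCK], prev), k)  # C_i = E(P_i xor C_{i-1})
        out, prev = out + block, block
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    k, out, prev = _block_key(key), b"", iv
    for i in range(0, len(ct), BLOCK):
        block = ct[i:i + BLOCK]
        out, prev = out + _xor(_xor(block, k), prev), block  # P_i = D(C_i) xor C_{i-1}
    return out


# ---- Vulnerable endpoint: decrypt, unpad, then authenticate; distinct errors ----

def vulnerable_seal(key: bytes, plaintext: bytes) -> bytes:
    iv = secrets.token_bytes(BLOCK)
    ct = cbc_encrypt(key, iv, pkcs7_pad(plaintext))
    tag = hmac.new(key, plaintext, hashlib.sha256).digest()  # MAC over plaintext, checked last
    return iv + ct + tag


def vulnerable_handler(key: bytes, blob: bytes):
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-TAG_LEN], blob[-TAG_LEN:]
    try:
        pt = pkcs7_unpad(cbc_decrypt(key, iv, ct))
    except ValueError:
        return (500, "Padding is invalid and cannot be removed.")  # leaks padding validity
    if not hmac.compare_digest(hmac.new(key, pt, hashlib.sha256).digest(), tag):
        return (404, "Not found")  # a different failure gets a different answer
    return (200, pt.decode())


# ---- Hardened endpoint: authenticate ciphertext first; one response for every failure ----

ERROR_RESPONSE = (302, "~/error.html")  # uniform, like customErrors defaultRedirect


def hardened_seal(key: bytes, plaintext: bytes) -> bytes:
    iv = secrets.token_bytes(BLOCK)
    ct = cbc_encrypt(key, iv, pkcs7_pad(plaintext))
    tag = hmac.new(key, iv + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return iv + ct + tag


def hardened_handler(key: bytes, blob: bytes):
    if len(blob) < 2 * BLOCK + TAG_LEN:
        return ERROR_RESPONSE
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, iv + ct, hashlib.sha256).digest(), tag):
        return ERROR_RESPONSE  # tampered ciphertext never reaches the unpadder
    try:
        return (200, pkcs7_unpad(cbc_decrypt(key, iv, ct)).decode())
    except ValueError:
        return ERROR_RESPONSE  # unreachable for tampered input; kept uniform anyway


def responses_distinguishable(handler, key: bytes, blob: bytes) -> bool:
    """Defender's self-check: submit one copy whose final padding byte is corrupted
    and one whose content is corrupted but padding intact. True means the endpoint
    answers them differently, i.e. it behaves as a padding oracle."""
    bad_pad = bytearray(blob)
    bad_pad[-TAG_LEN - BLOCK - 1] ^= 0xFF      # last byte of the block before the final one:
    bad_content = bytearray(blob)              #   in CBC this flips the final plaintext byte
    bad_content[0] ^= 0xFF                     # first IV byte: flips plaintext byte 0 only
    return handler(key, bytes(bad_pad)) != handler(key, bytes(bad_content))


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    msg = b"userId=42&role=member"  # constructed sample payload
    for name, seal, handler in (("vulnerable", vulnerable_seal, vulnerable_handler),
                                ("hardened", hardened_seal, hardened_handler)):
        blob = seal(key, msg)
        print(name, handler(key, blob), "oracle:", responses_distinguishable(handler, key, blob))
```

Two things the run shows that the prose alone does not: masking the *response* (the 302 for everything) is necessary but only covers the channel the check looks at, which is why the page’s commenters point at timing as a second channel; verifying the MAC over the ciphertext before any decryption closes every channel at once, because tampered input never reaches the unpadder at all.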

Lots of confusion over this one, let’s hope it gets cleared up ASAP – stay tuned.

[1] – POET: the tool at the heart of the controversy:
http://netifera.com/research/

[2] – DNN Demo:
http://threatpost.com/en_us/blogs/demo-aspnet-padding-oracle-attack-091710

[3] – Guidance from Microsoft:
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

[4] – Details from Rinat:
http://abdullin.com/journal/2010/9/19/details-about-aspnet-security-vulnerability.html

[5] – “Padding Oracle” ASP.NET Vulnerability Explanation
http://blogs.microsoft.co.il/blogs/linqed/archive/2010/09/19/padding-oracle-asp-net-vulnerability-explanation.aspx

[6] – Automated Padding Oracle Attacks with PadBuster
http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/
