Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Microsoft To Release Emergency Fix For ASP.NET Bug

Soulskill posted about 4 years ago | from the don't-make-us-do-stuff dept.

Microsoft 73

Trailrunner7 writes "Microsoft on Tuesday will release an emergency out-of-band patch for the ASP.NET padding oracle attack that was disclosed earlier this month. The patch will only be available on the company's Download Center for the time being, however. The company is taking the step of releasing an emergency fix for the bug because of the seriousness of the vulnerability — which potentially affects millions of Web applications — and the fact that there are attacks ongoing against it already. The patch will fix the flaw in all versions of the .NET framework. Although Microsoft issued guidance about workarounds to defend against attacks on the ASP.NET bug shortly after it was publicly disclosed, the researchers, Juliano Rizzo and Thai Duong, said that the workarounds did not fully protect users against their attack."

Sorry! There are no comments related to the filter you selected.

foist! (-1, Troll)

Anonymous Coward | about 4 years ago | (#33718878)

foist poist bioitches!

Re:foist! (-1, Troll)

Anonymous Coward | about 4 years ago | (#33718924)

You misspelled "Frosty Piss".

Thoid poist (0, Funny)

Anonymous Coward | about 4 years ago | (#33719022)

First I got foist, and now thoid. Where is everybody, out patching their servers?

Re:Thoid poist (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#33719082)

I'm wondering the same thing. 5th piss.

Re:Thoid poist (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#33719092)

Man I just pissed myself yellow

That is correct. (1)

apparently (756613) | about 4 years ago | (#33719310)

Everybody is busy patching their servers with the patch that isn't going to be released until tomorrow.

First I got foist, and now thoid. Where is everybody, out patching their servers?

Re:That is correct. (0)

Anonymous Coward | about 4 years ago | (#33719378)

It's already tomorrow here in 'Strayla. Give me the URL to your web and I'll break in and patch it for you.

haha (-1, Troll)

Anonymous Coward | about 4 years ago | (#33719028)

where's the haha tag?

That Bogus Feeling (0)

Tablizer (95088) | about 4 years ago | (#33719078)

That link to the Microsoft Security Response Center looks bogus as hell. It doesn't have MS's usual (bland) colors and logo; and "Microsoft" is nowhere in the root of the URL. If I encountered that during the course of real work, I would probably just tilt my head and skip it.

Re:That Bogus Feeling (2, Funny)

Anonymous Coward | about 4 years ago | (#33719102)

You obviously don't go there very often. TechNet has been a part of Microsoft for many years. It's where all the "IT Pros" go.

Re:That Bogus Feeling (-1, Flamebait)

Anonymous Coward | about 4 years ago | (#33719178)

"IT Pros"

ie: ITT Tech flunkies.

Re:That Bogus Feeling (1)

game kid (805301) | about 4 years ago | (#33719200)

"IT Pros"

ie: ITT Tech flunkies.

But "Flunkies Before Junkies" doesn't have the same appeal. :(

Re:That Bogus Feeling (-1, Troll)

Anonymous Coward | about 4 years ago | (#33719554)

I haven't paid any attention to MS sysadmin stuff for a while, but the URL was historically at technet.microsoft.com.

One would think "IT PR0Z" could deal with a domainname with some dots in it.

Re:That Bogus Feeling (1)

sharkey (16670) | about 4 years ago | (#33728384)

Speaking as one MS IT Pro, I am eagerly waiting the latest planning and strategy guide. They are supposed to be covering Freecell Game #12269, which has proven rather difficult in my past attempts to agilely incentivize my proficiencies to maximize my spend and boost my TCO.

Re:That Bogus Feeling (1, Insightful)

Anonymous Coward | about 4 years ago | (#33719206)

The only thing that is bogus is all the FOSS propaganda that you are spreading.

Interesting side note: The captcha /. wants me to type out says "idiotic"

Re:That Bogus Feeling (0)

Anonymous Coward | about 4 years ago | (#33721250)

I so wish I could Mod You Up. *thumbs up*

Re:That Bogus Feeling (1)

Tablizer (95088) | about 4 years ago | (#33729448)

I only mentioned bland colors and logos. That's a tiny bash. If I *really* wanted to bash Microsoft, there'd be no mistaking.

Re:That Bogus Feeling (1)

VGPowerlord (621254) | about 4 years ago | (#33721382)

This is both a security advisory [microsoft.com] about the bug and a security bulletin [microsoft.com] about the upcoming patch on Microsoft's site. Does that make you happier?

The person you replied to? He's obviously... (0)

Anonymous Coward | about 4 years ago | (#33726610)

A malware maker (per his reply (which you replied to) and telling others here to "skip it"). Thank goodness someone (you) put up something contrary to his utter bullshit, with actual links to Microsoft's other pages to verify this as a legit security patch to .NET and the OS itself. You never know what others MIGHT believe, so thank goodness someone set that idiot straight. Good job on your part.

Re:That Bogus Feeling (0)

Anonymous Coward | about 4 years ago | (#33731536)

Happier than with the first reaction of MSFT's cheerleaders who shamelessly claimed everywhere that this was NOT a security issue.

Now there's an 'out-of-band' patch ("coming soon") reading their clueless (but agressive against the researchers and the media which replyed the information) comments just look like the usual way of MICROSOFT to do business.

Shame on you MICROSOFT. Such a "vulnerability" should have never existed.

How serious is this really? (2, Insightful)

TheLink (130905) | about 4 years ago | (#33719116)

Microsoft is investigating a new public report of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config.

Why would decrypting a cookie allow you to read data from files on the target server?

What if you just use cookies for storing session ids?

Using cookies to store lots of secrets seems like a stupid idea to me. Server-side secrets belong server-side.

Furthermore what if the user wants to use more than one browser window? If you are too reliant on cookies to store state it means the webapp would get confused in that scenario.

Re:How serious is this really? (4, Informative)

D Ninja (825055) | about 4 years ago | (#33719208)

First off...it's not a "decrypted cookie" - it's not that at all. The entire bug allows an attacker to download server-side information (such as web.config) which can potentially contain (and often does) information that should not be public.

Scott Guthrie wrote up a very detailed post on the vulnerability [asp.net] . It's fairly easy to exploit (there are videos available showing the ease in which it can be exploited), so it should be of concern to administrators and individuals writing websites/web applications running on ASP.NET.

Re:How serious is this really? (1)

DiegoBravo (324012) | about 4 years ago | (#33719316)

I really don't understand why some random client can access such information, even after breaking any encryption mechanism.

From http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx [technet.com]

"For example, if the ASP.Net application stores sensitive information, such as passwords or database connection strings, in the ViewState object this data could be compromised. The ViewState object is encrypted and sent to the client in a hidden form variable, so it is a possible target of this attack.

If the ASP.Net application is using ASP.Net 3.5 SP1 or above, the attacker could use this encryption vulnerability to request the contents of an arbitrary file within the ASP.Net application. The public disclosure demonstrated using this technique to retrieve the contents of web.config. Any file in the ASP.Net application which the worker process has access to will be returned to the attacker. "

Re:How serious is this really? (1)

corsec67 (627446) | about 4 years ago | (#33719580)

If the ASP.Net application is using ASP.Net 3.5 SP1 or above, the attacker could use this encryption vulnerability to request the contents of an arbitrary file within the ASP.Net application.

Breaking the encryption is one thing, that is just !!!! GAH !!!

Does that mean that a client that is authorized with a key to decrypt the encryption has access to "an arbitrary file within the ASP.Net application"?

This would then seem like 2 very different issues: the oracle helping break the encryption, and the "request a file" issue.

Re:How serious is this really? (0, Troll)

ls671 (1122017) | about 4 years ago | (#33719350)

But, but...

Being an equal opportunity fan and enjoying playing the devil advocate, I went to search for an instance where a remote attacker could read web.xml to no avail.

web.xml is used by multiple application server implementations offering the most prevalent alternative to ASP.NET.

So did anybody ever heard of a security hole that allowed a remote attacker to read web.xml ?

Re:How serious is this really? (0)

Anonymous Coward | about 4 years ago | (#33719572)

^^^^ Some java guy is willing to put his penis on the butcher block betting that Java doesn't have any obscure cryptographic flaws.

Not that he needs it anyway, he's probably Indian. ;)

Re:How serious is this really? (1)

ls671 (1122017) | about 4 years ago | (#33719650)

Not really ;-)

I remember freaking out when servlets and jsps came out and I realized that web.xml was by default right under the root directory of the site, right under WEB-INF. I thought back then that some implementation would screw up and make it readable.

The natural approach I was used to back then was to put httpd.conf in a directory that only root could read while apache would run under a different uid.

Still, never mind my fears from 10 years ago but I have never heard about a remote attacker managing to read web.xml although I would bet some implementation must have had that security hole.

So, short story, I was really looking for a case where a remote attacker managed to read web.xml although my quick search didn't reveal anything ;-)

Re:How serious is this really? (1)

SplashMyBandit (1543257) | about 4 years ago | (#33719720)

I'm sure you're aware Java EE technologies are pretty secure in general. Sun were much better than Microsoft at security - even if Sun were much worse at business.

Re:How serious is this really? (1)

@madeus (24818) | about 4 years ago | (#33720976)

Hmm....Solaris was pretty remote exploit tastic :-) I'd say even worse (shudder) than Windows NT, until you shut off all the hideous exploitable RPC services which were on by default!

Re:How serious is this really? (1)

SplashMyBandit (1543257) | about 4 years ago | (#33725454)

Agreed. I once was called into to clean up a 1 million dollar Nuclear Magnetic Resonance system (on IRIX) where the software developers had use RPC that ran as root but had no password. Needless to say it was taken over remotely.

Re:How serious is this really? (1)

ls671 (1122017) | about 4 years ago | (#33731064)

I should have replied to parent but I try to avoid conflicts ;-)

So anyways; you were basically right in your GGP post. Never mind the RPC topic.

I have learned around 1990 (from people who had learned it before that date ) that RPC access should be filtered at the firewall + host level.

I am still using RPC because it is just to handy for some tasks and other people are doing it too.

Oh, and by the way, as I speak today; same goes for SMB shares and services (ports 137, 139, 445) even in a Microsoft only implementation environment. I made some money out of it (fixing things, of course).

So, I believe that it is fair to say that the two most prevalent alternatives are at par with regards to this topic (RPC vs SMB).

Re:How serious is this really? (0)

Anonymous Coward | about 4 years ago | (#33721296)

I'm sure you're aware Java EE technologies are pretty secure in general. Sun were much better than Microsoft at security - even if Sun were much worse at business.

And how many flaws have been found in the java runtime? Lots.

Re:How serious is this really? (1)

TheLink (130905) | about 4 years ago | (#33719826)

Does that really mean if anyone knows the secret they can get any file the webserver can access?

If that's true about ASP.NET in general, then ASP.NET's _design_ is broken.

In contrast, with sane designs, I could even tell you the db password that the webapps use to access data/state from the db, but if you're outside, you can't touch anything (unless you're one of those elite hackers who have dozens of "zero days" stored up for a rainy day).

You could even have the ssh login credentials, but you'd have to get inside in the first place to use them.

So this is a design bug, not an implementation bug?

Re:How serious is this really? (2, Informative)

spongman (182339) | about 4 years ago | (#33719690)

the padding oracle vulnerability allows you to do two things:
1) decrypt cyphertet that has been encrypted using the site's machineKey
2) encrypt arbitrary plaintext as if you knew the machineKey

it doesn't give you the machineKey, but you can encrypt/decrypt as if you had it.

There's another vulnerability that allows you to download arbitrary files (even 'protected' ones) if you are able to encode plaintext with the site's machineKey. ScriptResource.axd is used by asp.net to compress/bundle scripts, and it takes a parameter that is encoded using the machineKey. The assumption is that the machineKey is secret, so it bypasses the regular pipeline that includes the checks for protected files. However, even though the attacker doesn't know the machine key, he is able to use the oracle to correctly encode the parameter to ScriptResource.axd, download web.config and learn further secrets.

Further, if the site encodes authentication tickets into the cookies in a predictable manner, the attacker can use the oracle to forge other valid authentication tickets. This is the attack that's shown in the video.

Re:How serious is this really? (1)

benjymouse (756774) | about 4 years ago | (#33720804)

You are wrong. This vulnerability is actually an artifact of the underlying encryption algorithm, and as such other products are also vulnerable, e.g. JSF (for which attacks were demonstrated before the ASP.NET one) and Ruby-on-Rails. It allows you to retrieve the full key. And the key is symmetrix, meaning that you can both decrypt and encrypt.

The attacker can gradually learn the exact machine key by manipulating something he knows to be encrypted. By padding the encrypted text from the end, and watching to see whether the server decryption fails or he hits something which *can* actually decrypt (but which may causes the app to fail), he can learn something about the key. Presumably this is because he knows that the last part of the key is used to encrypt the last part of the text.

Anything encrypted will do. Even the timing of the failure may offer the attacker valuable information, e.g. failure to decrypt results in faster fails than the application trying to run with something which actually decrypted without error only to fail a little later.

This is not specific to ASP.NET. But ASP.NET happens to use the machine key to encrypt authentication tickets. If you learn the machine key then you can fake any identity.

As this is a standard algorithm, expect the ASP.NET fix to be a sanity check (hash/signature) on the entire ciphertext so that it can reject it up front before even attempting to decrypt. Ruby-on-Rails has a similar method where you must explicitly request verify and decrypt instead of just decrypt.

Re:How serious is this really? (2, Informative)

spongman (182339) | about 4 years ago | (#33723674)

You are wrong. This vulnerability is actually an artifact of the underlying encryption algorithm, and as such other products are also vulnerable, e.g. JSF (for which attacks were demonstrated before the ASP.NET one) and Ruby-on-Rails.

the vulnerability isn't in the encryption algorithm, it's in the implementation of the CBC [wikipedia.org] operation of the block cypher.

It allows you to retrieve the full key. And the key is symmetrix[sic], meaning that you can both decrypt and encrypt.

No, the oracle doesn't give you the key. The key and the encryption algorithm are irrelevant. The oracle allows you to retrieve the IV [wikipedia.org] for a given cypher block, but most importantly it allows you to encrypt/decrypt without the key.

The attacker can gradually learn the exact machine key by manipulating something he knows to be encrypted. By padding the encrypted text from the end, and watching to see whether the server decryption fails or he hits something which *can* actually decrypt (but which may causes the app to fail), he can learn something about the key. Presumably this is because he knows that the last part of the key is used to encrypt the last part of the text. Anything encrypted will do. Even the timing of the failure may offer the attacker valuable information, e.g. failure to decrypt results in faster fails than the application trying to run with something which actually decrypted without error only to fail a little later.

The above is mostly correct, but again, the attacker doesn't learn the key, just the IV required to generate correct padding.

This is not specific to ASP.NET. But ASP.NET happens to use the machine key to encrypt authentication tickets.

The built-in authentication methods do encrypt the ticket with the machine key. However...

If you learn the machine key then you can fake any identity.

This is not necessarily true. The identity placed in the ticket is generated by the application. If the developer chooses a predictable form of ticket, then, yes, you can generate tickets for other users. However, a developer can easily use a non-predictable ticket format to thwart this part of the attack.

As this is a standard algorithm, expect the ASP.NET fix to be a sanity check (hash/signature) on the entire ciphertext so that it can reject it up front before even attempting to decrypt. Ruby-on-Rails has a similar method where you must explicitly request verify and decrypt instead of just decrypt.

They could fix this just by hiding the padding exception, and maybe adding a little random delay. It'll be interesting to see what changes they made, in 45 minutes or so...

Scott Guthrie's post with details (3, Informative)

Anonymous Coward | about 4 years ago | (#33719224)

Better link for details and workarounds:

http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

The promis of Managed Code? (0, Troll)

ChapterS (666029) | about 4 years ago | (#33719236)

Excuse me?

"padding oracle"? (2, Funny)

93 Escort Wagon (326346) | about 4 years ago | (#33719248)

So does this involve an Oracle database somehow - in which case "Oracle" should have been capitalized - or are we talking about a real, honest-to-goodness oracle? Did the attack originate in Greece?

Re:"padding oracle"? (0)

Anonymous Coward | about 4 years ago | (#33719302)

Indeed, here are the steps for taking advantage of this flaw:

1. travel to Greece
2. look up one of the oracles mentioned in TFA who were discovered to know the secret behind this flaw
3. submit a web.config file from your chosen target's site
4. wait...Thread.Sleep(9000)...zzz...
5. oracle will provide you with decrypted web.config
6. use sensitive data to ruin company
7. rinse and repeat

Re:"padding oracle"? (1, Informative)

Anonymous Coward | about 4 years ago | (#33719376)

Oracle in the sense of an oracle telling you information.
The delay in the response among other things reveals the key.

Re:"padding oracle"? (1)

jamesh (87723) | about 4 years ago | (#33719386)

So does this involve an Oracle database somehow - in which case "Oracle" should have been capitalized - or are we talking about a real, honest-to-goodness oracle?

For a moment I thought we were talking about _the_ Oracle, although that also should have been capitalized. I think it's unwise to draw any conclusions from spelling or grammatical forms that you might see on the internet though. Even more unwise if the source is slashdot :)

For instance, if you saw the phrase "I had to help my uncle Jack off a horse" [urbandictionary.com] on slashdot, it would be probably still be a story about equine masturbation.

Re:"padding oracle"? (0)

Anonymous Coward | about 4 years ago | (#33719408)

Why would someone capitalize the "J" in that phrase if they were referring to masturbation?

Re:"padding oracle"? (2, Funny)

ardeez (1614603) | about 4 years ago | (#33720932)

Did the attack originate in Greece?

Yeah, it was written in Dephi

Re:"padding oracle"? (1)

L4t3r4lu5 (1216702) | about 4 years ago | (#33721576)

No, it was developed by Atreyu in Fantasia. Falkor helped.

Flashbacks (-1, Troll)

Platinum Dragon (34829) | about 4 years ago | (#33719334)

Wow. I feel like I'm reading a summary from 2000 to, say, 2003, during the good ol' days of emergency patches for zero-day IIS holes and Outlook Express-exploiting worms.

Thanks for the memories, MS. Apple may one day produce bigger security holes, but you did it with pathetic panache and stack-smashing style.

Those were the days...

Re:Flashbacks (0, Flamebait)

shutdown -p now (807394) | about 4 years ago | (#33719638)

The pwnage is not restricted to ASP.NET, it's just the angle on which Slashdot focuses (unsurprisingly, considering the target audience). Same attack can be used against JSF - indeed, that's what the original presentation did, in painstaking detail - you've read it, right? The authors also claim that Rails applications can be similarly vulnerable, depending on whether one of the stock modules is used.

Another reason why the stories mainly center around ASP.NET is that it's vulnerable out of the box (though so is JSF), and, more importantly, of all vulnerable frameworks, it's the single most common one, and also the one for which the admins are most likely to be clueless.

Good job shutdown -p now (0)

Anonymous Coward | about 4 years ago | (#33726776)

"The pwnage is not restricted to ASP.NET, it's just the angle on which Slashdot focuses (unsurprisingly, considering the target audience). Same attack can be used against JSF - indeed, that's what the original presentation did, in painstaking detail - you've read it, right? The authors also claim that Rails applications can be similarly vulnerable, depending on whether one of the stock modules is used.

Another reason why the stories mainly center around ASP.NET is that it's vulnerable out of the box (though so is JSF), and, more importantly, of all vulnerable frameworks, it's the single most common one, and also the one for which the admins are most likely to be clueless." - by shutdown -p now (807394) on Tuesday September 28, @01:05AM (#33719638)

Per my subject-line, good job man: Have to give you that much here.

I mean, this site, being so "pro-*NIX" only makes sense - they're a "sister site" to Linux world iirc (same publications online owned by same party iirc (but, do correct me if I am wrong here, it's been a while since I checked on this much, thanks)) so, it's always in their "best interest" to attack MS whenever possible.

I have no problem with it though, as long as the news is legit though, & not b.s., such as this post here was I replied to as well started by Tablizer (who strikes me as a malware maker who is currently taking advantage of this security vulnerability based on his reply, see for yourself on that account, & judge for yourself as to my conclusion):

http://it.slashdot.org/comments.pl?sid=1801306&threshold=-1&commentsort=0&mode=thread&pid=33721382 [slashdot.org]

They never cease to amaze. I am a user of Linux myself, I actually have grown to LIKE KDE's "latest/greatest" on Linux's "latest/greatest" from KUbuntu (10.04.1/64-bit) but, I do NOT like when "FUD" and utter disinforming/misinforming b.s. is spewed around here. DISCLAIMER: Yes, I am also a Windows 7 64-bit MS fan too!

(However, bottom-line & MOST HILARIOUS PART HERE? Look how you were "modded down" for merely telling it how it is around here... unbelievable!)

APK

Ah, that's the answer (1)

thePowerOfGrayskull (905905) | about 4 years ago | (#33719344)

Release it as an optional download in the download center. I'm sure that the vast majority of Windows admins (especially shared web hosts, but ) will get that installed right away! While I understand why they have to do it this way (forcing an update on your enterprise clients is generally Very Bad for some very valid reasons), I would think that they (and those who could be impacted) would be better served if they said "This will be available for 3 days on the download center for you to download and test; then it will become mandatory in order for your enterprise to receive continued support.

Re:Ah, that's the answer (1)

Anpheus (908711) | about 4 years ago | (#33719516)

It will be released as the highest level of critical update on Windows Update for home and small business users and for WSUS for small to large enterprise users that control patch distribution in-house. The former will be able to choose to ignore the update (but if they ever called support, the question "Are you up to date?" could come up) and the latter can even choose to require the update by a deadline in their business. If some department neglects to schedule and manually install at an appropriate time, the server will follow orders from on high and install that update, department head be damned.

Actually I'm not sure if the update will require a restart, but it probably will.

Re:Ah, that's the answer (1)

thePowerOfGrayskull (905905) | about 4 years ago | (#33724016)

Damn. I hate it when I post without knowing what I'm talking about.

A quick explanation (4, Informative)

rabtech (223758) | about 4 years ago | (#33719360)

First, the ViewState is encrypted so figuring out the key allows you to inject your own data into the ViewState. The worse an app's code, the worse the exploit on this because some apps even store their "IsAdmin" flag in the ViewState and other such nonsense, so this lets you impersonate any user you like. DotNetNuke is one example of a crappy system. Worse, it allows you to upload ZIP files of themes and whatnot, so you can use this to impersonate the superuser, upload some hacks, then try to execute them. Depending on what account ASP.Net runs under and whether you are fully patched, this can lead to escalation to admin and owning the box. If you have followed all the other in-depth security practices (and for coders don't store any sensitive info in the ViewState) then this isn't nearly as big of a deal.

The big hole is that starting with 3.5 SP1 (and also in 4.0) the WebResource.axd handler takes an encrypted filename as its parameter, so you can encrypt say "web.config" and get it to happily pipe web.config to you... or any other file. It completely bypasses the normal restricted file handler. In previous releases this was not the case, the stuff it would let you download was much more limited. Granted, there are facilities to encrypt connection strings/etc in web.config, but a lot of people are lazy and just deploy with plaintext passwords and whatnot. Again, following defense in-depth practices greatly restricts the scope of any potential attack.

IMHO the WebResource.axd issue is inexcusable. There is no legitimate reason for allowing the new behavior.

Re:A quick explanation (0)

ls671 (1122017) | about 4 years ago | (#33719396)

WTF ?

Is this serious ? I thought rule 1 of using cookies was to only put meaningless data into one. I am still having a hard time to believe this is occurring out of the box in an enterprise platform like ASP.NET.

Re:A quick explanation (5, Informative)

Anonymous Coward | about 4 years ago | (#33719416)

Seriously? This is the second reply to this story that seems to think that it's about cookies.

Please listen carefully: this has NOTHING to do with cookies!

As the GP post and Scott Guthrie's post linked elsewhere (so helpfully) explain, this affects two encrypted elements in use by most (if not all) ASP.NET apps: the ViewState (not a cookie, rather a hidden, encrypted field for storing state across postbacks) and encrypted web.config files which tend to store sensitive connection info (among other things) that needs to be protected from attackers. The flaw allows attackers to decrypt these storage mechanisms and so get at (potentially) sensitive data, depending on how the app was coded.

Re:A quick explanation (2, Interesting)

ls671 (1122017) | about 4 years ago | (#33719470)

> not a cookie, rather a hidden, encrypted field for storing state across postbacks

Thanks a lot for the clarification, it seriously helps me understand the problem better and I really mean it.

Now I will re-phrase my post:

WTF ?

Is this serious ? I thought rule 1 of using hidden form fields was to only put meaningless (OK: or already submitted data by the user) data into one. I am still having a hard time to believe this is occurring out of the box in an enterprise platform like ASP.NET.

A hidden form field in more or less the request scoped version of a cookie, never ever store your guts into one, no matter how well it is encrypted ! ;-)

Re:A quick explanation (1, Interesting)

Anonymous Coward | about 4 years ago | (#33719672)

Hey, you won't find me disagreeing on your point about not storing sensitive things in cookies or ViewState and, as the OP pointed out, with proper security practices in place, this is less of an issue than having your encrypted web.config file exposed.

As for your disbelief, I honestly can't imagine having the foresight to protect against an attack that involves:

This allows an attacker to send cipher text to the web server and learn if it was decrypted properly by examining which error code was returned by the web server. By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the cipher text.

and the TechNet site even mentions that an attacker can use the timing of the response to deduce the type of error (devious!) even if you use the proposed customErrors workaround.

People make mistakes and MS is being quick about releasing the fix. Can't realistically ask for much more than that. Also, a comment above seems to indicate that this isn't restricted to ASP.NET, but can affect other frameworks that use similar mechanisms.

Re:A quick explanation (1)

ls671 (1122017) | about 4 years ago | (#33719688)

> but can affect other frameworks that use similar mechanisms.

Yep, JSF included apparently ;-)

Some people tend to forget rule 1...

I mean it must be just too easy to store a meaningless token in a cookie or hidden form field and to map it to something meaningful on the server. Why adopt the easy way when we can do more complicated stuff some would say ?

Re:A quick explanation (1)

david_thornley (598059) | about 4 years ago | (#33722470)

Since modern ciphers appear to be completely unbreakable when used properly, people have been turning to "side-channel" attacks, such as observing the timing or where the CPU heats up or such things to break into the processing of the cipher and getting clues about the key. These are becoming increasingly common and important.

There are reasonable people out there who trust AES just fine when all encryption and decryption is done off-line, but don't if a possible attacker can get timing information or some other sort of observation.

Re:A quick explanation (1)

ls671 (1122017) | about 4 years ago | (#33729882)

> completely unbreakable

By design, they are meant to be broken so why take a risk that brings you nothing when an easy alternative is available ?

There is many stories about encryption being broken and attackers taking advantage of it.

Only rely on encryption when you have no other choices. See poster below about best practices.

Re:A quick explanation (1)

mr exploiter (1452969) | about 4 years ago | (#33720772)

Making up rules after the fact when an exploit is found doesn't make you wise, it makes you look like a smart ass. Please point up to where somebody that matters said that posting encrypted data was not good enough BEFORE this was know. Encrypted data seems pretty meaningless to me.

Re:A quick explanation (0)

Anonymous Coward | about 4 years ago | (#33720834)

Well, the guy who reviewed my code for our administrative backend system objected to this design in part of our system (encrypted data as auth token sent to another server via a web client) over a year ago on the basis that it violated best practice.

And in our system there is no padding oracle, and it's available only to a a few dozen IP addresses of machines physically located in our offices.

We switched to sending an arbitrary UUID to the client and associating the authorization with the UUID and a timestamp in a database shared between the two servers. That meant a hypothetical attacker needs an active MitM attack on an HTTPS connection rather than just a way to encrypt his own authorization messages. If they can break into our SSL traffic we're game over anyway.

But then we're also one of those companies who gets audits done and then fixes what they found, whereas ASP.NET is some cowboy operation by people who still think Visual BASIC is a pretty neat idea.

Re:A quick explanation (1)

ls671 (1122017) | about 4 years ago | (#33720996)

I learned rule 1 15 years ago. It seems like you are the smart ass ;-)

hidden form element is no different than a cookie (0)

Anonymous Coward | about 4 years ago | (#33719480)

one is in the header, the other is in content, but its all equally visible to the user, there is no difference in how each should be protected, none, EXACT SAME PRINCIPLES APPLY

Re:hidden form element is no different than a cook (1)

Anpheus (908711) | about 4 years ago | (#33719528)

Agreed, and as he said, if you apply all the right practices, your connection strings will be encrypted, your app won't do something stupid, your IIS worker will be a limited rights user, etc, etc.

Re:A quick explanation (0)

Anonymous Coward | about 4 years ago | (#33719508)

So what exactly is the difference between storing an encrypted data (eg authentication tokens) in a cookie, and storing it in ViewState?

Re:A quick explanation (1, Interesting)

Anonymous Coward | about 4 years ago | (#33719532)

Practically nothing with regards to what kind of data shouldn't be stored in either, but it pays to be precise when talking about a problem that needs fixing to ensure you're not "fixing" the wrong code.

Re:A quick explanation (1)

Yaur (1069446) | about 4 years ago | (#33719668)

It isn't WebResource.axd... its ScriptResource.axd that has the file download vulnerability.
The purposes of this (mis)feature is to allow the ScriptManager to prevent clients from using stale versions of a script from cache. The problem is that ScriptResource.axd doesn't sanity check what kind of files it is serving up. Furthermore, since this behavior is out in the field it is impossible for MS to know if anyone is using it, so "fixing" it might break some unknown customers' sites in a way that is non trivial to fix. This will obviously piss people off.

I wrote a module [codeplex.com] that uses a user configurable white list of file types that are permitted for download through the ScriptManager which is more rational behavior IMO. Of course, depending on what MS pushes tomorrow this may or may not still be relevant.

Re:A quick explanation (1, Informative)

Anonymous Coward | about 4 years ago | (#33721148)

First, the ViewState is encrypted so figuring out the key allows you to inject your own data into the ViewState.

The hidden ViewState field is not encrypted. It's base-64 encoded, which is a big difference. You can view any .NET page's ViewState field contents by simply running it through a base 64 decoder. THAT'S why you're not supposed to store sensitive shit in it...it was never encrypted in the first place, and any jackass willing to read the documentation to .NET can explore it freely.

"This combined, saved state is then serialized into a base-64 encoded string. In stage 7, when the page's Web Form is rendered, the view state is persisted in the page as a hidden form field." - http://msdn.microsoft.com/en-us/library/ms972976.aspx

Re:A quick explanation (1)

Shados (741919) | about 4 years ago | (#33723268)

Its not encrypted (by default: it -CAN- be encrypted using features out of the box), but there is a hash to prevent tempering of the viewstate.

However you have to be careful, by default this is still vulnerable to a replay attack, so its still better not to push your luck with it.

oracle attack ??? (1)

MadMaverick9 (1470565) | about 4 years ago | (#33719644)

must be larry who's behind all this ...

Re:oracle attack ??? (0)

Anonymous Coward | about 4 years ago | (#33720696)

Nope, it's Agent Smith.

So... where`s the fix? (1)

fatbuckel (1714764) | about 4 years ago | (#33721690)

am I just overlooking it?

Re:So... where`s the fix? (0)

Anonymous Coward | about 4 years ago | (#33725078)

You can find it here:

http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?