ASP.NET and the Padding Oracle Attack

12:14 AM j. montgomery 3 Comments

UPDATE: Read my final analysis and wrap-up here: http://securitythroughabsurdity.com/2010/09/aspnet-and-padding-oracle-attack-wrap.html

The Padding Oracle attack affects all block ciphers that are configured to use CBC + PKCS7, and it has been demonstrated that both AES and 3DES are vulnerable to this attack in ASP.NET. Once the machine key is recovered, it appears that the Forms Auth Tickets (and any other encrypted element) can be decrypted and re-encrypted, allowing a full compromise of any ASP.NET Web Site that relies on Forms Authentication. Additionally, MS revealed that on Framework 3.5+, even arbitrary files could be retrieved from the web server due to this vulnerability, though I'm not clear as to why this would be possible:

"If the ASP.Net application is using ASP.Net 3.5 SP1 or above, the attacker could use this encryption vulnerability to request the contents of an arbitrary file. The public disclosure demonstrated using this technique to retrieve the contents of web.config. Any file which the worker process has access to will be returned to the attacker."

Watch the YouTube video "POET vs ASP.NET: DotNetNuke" to see DotNetNuke, using 3DES with Custom Errors OFF, getting Pwnt.

It appears from the video that if Custom Errors are ON, then the Oracle isn't present and the attack may not succeed.

This is a serious vulnerability for ASP.NET web sites that have CustomErrors set to 'Off' - out of the box ASP.NET is secure, as its default setting is 'RemoteOnly'.

More information, as well as a script to detect web sites with CustomErrors set to 'Off', is here: http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx
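
An offline audit of the same setting, as an added example that is not part of the original post and is not Microsoft's detection script: it parses a web.config and flags every customErrors element whose mode is 'Off', including per-path `<location>` overrides. The sample config and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config for the demo (not from any real site).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.aspx" />
  </system.web>
  <location path="admin">
    <system.web>
      <customErrors mode="Off" />
    </system.web>
  </location>
</configuration>"""

DEFAULT_MODE = "RemoteOnly"  # ASP.NET default when mode/customErrors is absent


def local(tag):
    """Strip an XML namespace such as the optional .NetConfiguration/v2.0 one."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    """Direct children of elem with the given local tag name."""
    return [c for c in elem if local(c.tag) == name]


def audit_custom_errors(config_xml):
    """Return (scope, mode, flagged) for the root and every <location> override."""
    root = ET.fromstring(config_xml)
    scopes = [("<root>", root)]
    scopes += [(loc.get("path", "."), loc) for loc in children(root, "location")]
    findings = []
    for scope, node in scopes:
        for sysweb in children(node, "system.web"):
            for ce in children(sysweb, "customErrors"):
                mode = ce.get("mode", DEFAULT_MODE)
                # Case-insensitive match is a conservative choice for the audit.
                findings.append((scope, mode, mode.lower() == "off"))
    if not any(scope == "<root>" for scope, _, _ in findings):
        findings.insert(0, ("<root>", DEFAULT_MODE, False))
    return findings


if __name__ == "__main__":
    for scope, mode, flagged in audit_custom_errors(SAMPLE_WEB_CONFIG):
        print(f"{'FLAG' if flagged else 'info'} scope={scope} customErrors mode={mode}")
```

A `<location>` block with no customErrors element of its own inherits the parent setting, so it produces no separate finding.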

3 comments:

  1. "out of the box ASP.NET is secure, as its default setting is 'RemoteOnly'"

    This is incorrect. 'RemoteOnly' is STILL vulnerable.

  2. Explain - do you mean they could run the exploit on the server? If an attacker has access to the server they could just extract the machine key directly...

    According to MS, the exploit requires knowing "which error code was returned by the server" - how would a remote attacker be able to use this to their advantage?

  3. Okay - I think I fully understand the issues now - will require another blog post to wrap this one up. :)
