Researchers Demo ASP.NET Crypto Attack

Trailrunner7 writes "The crypto attack against ASP.Net Web apps has gotten a lot of attention this week, and with good reason. Microsoft on Friday night issued a security advisory about the bug, warning customers that it poses a clear danger to their sites. Also on Friday, the researchers who found the bug and implemented the attack against it released a slick video demo of the attack, clearly showing the seriousness of the problem and how simple it is to exploit with their POET tool."

Re:Not as serious as it sounds

[Eirenarch]

Not really. This option works the other way around. Custom errors in ASP.NET are the ones provided by the developer. He turned custom errors off. Also in ASP.NET by default this option is set to RemoteOnly meaning that the errors are on for anyone but the localhost. This way you can develop on your own machine but when you deploy you can't be exploited by this or similar exploit even if you don't change the default configuration. Now if you go out and change it this is another thing...

I believe it is a standard security practice to NOT show your error infomation to the user in production environment. If anyone is doing it he should be fired anyway. No need to wait for an exploit to hit.

NOOOO!

[spongman]

The attack requires the ASP.NET error page that shows exception information to be enabled.

NO! NO! NO!

This is wrong, and dangerous. There is no such requirement, the HTTP status code is sufficient. Actually, the timing is sufficient, but slightly harder to exploit.

No sane person will leave it like this in production let alone that it is turned off by default.

This is correct, and, unfortunately, why the 1st statement is so dangerous.

Assuming that your site is safe just because you've followed best practices is WRONG! You MUST apply the fix in ScottGu's post immediately!

Re:Not as serious as it sounds

[spongman]

the real question is why are prices in the west so high?

Re:Not as serious as it sounds

[nacturation]

Wow, is this a post from 10 years ago? If not, you should really keep up with technology; IIS has matured quite a bit.

Yeah, it's still crap compared to BSD, Linux, or even OS X.

A web server is still crap compared to an operating system?

Re:Impressive video

[TrancePhreak]

You should check out this article that was on the front page a couple hours ago. http://linux.slashdot.org/story/10/09/18/2325240/Hole-In-Linux-Kernel-Provides-Root-Rights [slashdot.org]

Re:Not just ASP.NET

[Anonymous Coward]

The timing is the key.

If it takes 100ms to return a normal and 110ms to return a padding error.. they have figured it out.

It doesn't matter about status codes, or stack traces.

Re:Not just ASP.NET

[shutdown -p now]

Newer ASP.NET versions also have a vulnerability where if you can decrypt their "secret" then the untrusted server process will give you anything it has access to on the server filesystem.

Reference?