Researchers Demo ASP.NET Crypto Attack 98
Trailrunner7 writes "The crypto attack against ASP.Net Web apps has gotten a lot of attention this week, and with good reason. Microsoft on Friday night issued a security advisory about the bug, warning customers that it poses a clear danger to their sites. Also on Friday, the researchers who found the bug and implemented the attack against it released a slick video demo of the attack, clearly showing the seriousness of the problem and how simple it is to exploit with their POET tool."
Re:This is why we need to use Ruby on Rails. (Score:5, Funny)
Python is the only solution we can use in the real world. Ruby on Rails is getting close to Django, but it will never be able to catch up with Django because Ruby on Rails doesn't use Python.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Visual basic is for weenies. QBASIC has everything a real programmer needs.
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:1, Informative)
Impressive video (Score:1, Troll)
There was so much wrong about that, I cannot begin to say it all. But I will say this. That "superuser" is available as a user in a web app is unforgivable. If it wasn't this exploit to take advantage of that fact, it would be another. *NIXes have learned the folly of that long ago and so now, with the exception of certain administrative tools, web services don't run as root, but as apache or some other non-root user. While this doesn't make the feat of root-level compromise impossible, it does make it
You don't know what you are talking about, at all. (Score:5, Informative)
For one, IIS does not run as Administrator, unless you for some reason change it to do that.
For two, this attack has nothing to do with that, at all. This attack basically involves a way to crack COOKIES on a client machine that are supposedly encrypted.
For three, anyone who stores sensitive data in an "encrypted user cookie" is retarded. I don't care if it is encrypted or not, rule #1 is never trust the client with anything. Quote from the article:
"The attack allows someone to decrypt sniffed cookies, which could contain valuable data such as bank balances, Social Security numbers or crypto keys. The attacker may also be able to create authentication tickets for a vulnerable Web app and abuse other processes that use the application's crypto API."
Why on earth anyone would put a bank balance or any other sensitive information in a cookie is totally beyond me. Also why on earth one's session cookie would be based on anything other than a totally random UUID is beyond me.
Basically this exploit takes advantage of people who poorly code ASP sites. The exact same exploit could affect a poorly coded PHP site, or poorly coded JSP site, or poorly coded CGI site.
Re: (Score:2)
Why on earth anyone would put a bank balance or any other sensitive information in a cookie is totally beyond me. Also why on earth one's session cookie would be based on anything other than a totally random UUID is beyond me.
It's beyond me too, but then I also had grave concerns about making email and documents executable code.
Re: (Score:1)
Re:You don't know what you are talking about, at a (Score:4, Informative)
Per Scott Guthrie's blog [asp.net], even if it's on, using anything other than a single default redirect still leaves the app vulnerable.
Re: (Score:1)
Re: (Score:2)
all you need is a 1-bit difference between the response for the padding error case and the non-error case.
once you have that bit you have the machine key. once you have the machine key you have all the sites on that machine that share that machine key.
Re: (Score:1)
Yes, since 99% of all sites are poorly coded then 99% of ASP sites are probably poorly coded.
Re: (Score:2)
The exact same exploit could affect a poorly coded PHP site, or poorly coded JSP site, or poorly coded CGI site.
I might be misreading the article but it appears that the exploit is specific to ASP.NET and the way they implemented AES. Unless, of course, you have some other information on how to implement this attack against the other aforementioned languages.
Re: (Score:2)
no, the AES implementation is fine. the vulnerability is the ability to detect the padding exception in the block cypher.
you don't need to see the padding exception, you just need to know that it occurred. you can do that via a variety of means, not limited to http status codes, timing, etc...
Re: (Score:2)
I for one don't care to give up all "Remember me" checkboxes on the internet.
Re: (Score:2)
it's not just about cookies, it's about extracting the machineKey. for 99.9% of ASP.NET sites that's a complete disaster.
if you admin ASP.NET and you think this doesn't affect you, then you're probably wrong.
Re: (Score:2)
it's not just about cookies, it's about extracting the machineKey. for 99.9% of ASP.NET sites that's a complete disaster.
if you admin ASP.NET and you think this doesn't affect you, then you're probably wrong.
That really isn't true. It should be, if your a moron and you have incorrectly and insecurely setup your asp.net site then this may affect you. If you are said moron you should not be the admin of a site that has confidential data in the first place though. Any correctly configured site will not be vulnerable to this attack.
Re: (Score:2)
If you weren't encrypting data into cookies and using that to store stuff then you would not be vulnerable to this exploit, at all.
Session cookies should always be totally random. If your web app wants to "remember me" then store that random cookie in the database with the user ID affiliated. There is never any reason to store anything about the user on the client side, at all, encrypted or not.
Re: (Score:2)
That was my thought as well. Do what most Java servlet containers do, use a 256 bit securely hashed random number for the session tracking cookie. If you need to track a user for longer than an in-memory session stick that in your database as a key to the necessary info. I've always thought it rather irresponsible for storing encrypted data in cookies. You're just asking for someone to spend time trying to get your keys or session data and if they do they can spoof any data they want.
I'm not a crypto expert
Re: (Score:3, Insightful)
Not as serious as it sounds (Score:2, Interesting)
Re: (Score:2)
You need to keep in mind that most ASP.NET apps are developed in India. A fuck up like that is routine for them.
Yeah, but so is SQL injection, at which point this particular attack is pretty insignificant.
Re: (Score:1, Funny)
India is the world's leading exporter of SQL injection vulnerabilities. It literally makes up approximately 8% of their GDP.
Re: (Score:2, Informative)
If you check out the video it shows that "custom error" messages are turned off. By turning off custom errors you are instructing ASP.NET to send the detailed error message to any connected client. The default value for this setting is "RemoteOnly" which causes the detailed error message to be sent to clients connecting over the loopback adapter and generic error messages to be sent to anyone else.
What the video shows is that the target site was configured poorly. If that is the default setting of DotNet
Re: (Score:2)
the http status code in the generic error message is sufficient for this exploit to work.
Re: (Score:2)
the http status code in the generic error message is sufficient for this exploit to work.
Sure, but I've never seen a professionally built ASP.NET site that would return that, though I'm sure there are some.
There isn't a technology that exists that can survive user stupidity.
Re: (Score:3, Insightful)
I believe it is a s
Re: (Score:1, Redundant)
the http status code is enough error information in order for this exploit to work. RemoteOnly is irrelevant.
Re: (Score:2)
The attack requires the ASP.NET error page that shows exception information to be enabled. No sane person will leave it like this in production let alone that it is turned off by default.
No sane person runs IIS to begin with, so that hurdle has been cleared.
Wow, is this a post from 10 years ago? If not, you should really keep up with technology; IIS has matured quite a bit.
Re: (Score:2)
...come with Active Directory.
It would be against microsoft's philosophy to build better, more secure systems.
This is of course why Windows 7 has no security advantages over XP, and XP has no advantages over 98.</sarcasm>
Re: (Score:1)
Here is a hit, Microsoft.Windows cares about the common person, who doesn't care about anything you listed.
Then on the opposite side you have Open Source teams so driven to program something so unbelievable useless, and call it progress. Tell me why you need to focus on something so useless, when you don't support so many things. Such as Flash 64 bit, until about a week ago.
http://xkcd.com/619/
Re: (Score:3, Insightful)
Wow, is this a post from 10 years ago? If not, you should really keep up with technology; IIS has matured quite a bit.
Yeah, it's still crap compared to BSD, Linux, or even OS X.
A web server is still crap compared to an operating system?
Re: (Score:1)
Re: (Score:2)
Really? Then why are your prices so low?
Re: (Score:2)
volume. Volume! VOLUME!!!
Re: (Score:3, Insightful)
the real question is why are prices in the west so high?
Re: (Score:2)
Hmmm.
Experts say that the bug, which will be discussed in detail at the Ekoparty conference in Argentina this week, affects millions of Web applications.
For some reasons I trust the experts. Is there a reason why this kind of attacks are only done on IIS/ASP.NET? Some time ago there was another exploit According to Google over *114.000 different pages have been infected. [sucuri.net]
Is there a reason why I never read anything about Apache or the other webservers and languages/frameworks?
Re: (Score:1)
That particular issue you are pointing out was an SQL Injection attack and IIS/asp.net can't do anything about that.
Re: (Score:2)
Well, I'm reading /. Don't know if /. is filtering in this way.
It's a SQL injection attack, but why it's not done on the fast majority of web servern out there that are running Apache/Php?
Re: (Score:1)
You should know that these vulnerabilities will also work when running wordpress under IIS.
The server software has nothing to do with it, it's a framework issue.
Re: (Score:1, Troll)
There are 197 results, but half of them are posted on a wordpress blog about something else. This search yields 347 results [google.com] which are all IIS vulnerabilities, my favorite one is 500 Thousand MS Web Servers Hacked [slashdot.org]. A search for the same with Apache is useless, because Slashdot have a menu with an "Apache" item. The Slashdot's own search against "Apache vulnerability" only yields one reacent item Serious Apache Exploit Discovered [slashdot.org], which only affects Windows servers. And the next is from 2008 Mystery Malware [slashdot.org]
Re: (Score:1)
Anyway, put any of these hacked websites running under Apache/Mono and voilá, an Apache vulnerability under your definition.
Thanks for playing.
Re: (Score:1, Troll)
Technically it's not an IIS bug, true. But why is only the IIS affected and not the more used Apache? Actually, why is it always the IIS and almost never the Apache? You should think that a hacker would target the most used webserver to hack as many websites as he/she can.
Re: (Score:1)
It is done on a vast majority of php sites, you just haven't been around long enough to hear about it I guess. phpBB back in the day had this issue like crazy and once someone found it could be injected, any major public forum using phpBB was injected. You just hear about IIS/ASP more on /. because OMG it's M$ products being hacked again. But really SQL injection has nothing to do with the technology being used and everything to do with lazy coding methods being used in applications.
Re: (Score:2)
NOOOO! (Score:5, Insightful)
NO! NO! NO!
This is wrong, and dangerous. There is no such requirement, the HTTP status code is sufficient. Actually, the timing is sufficient, but slightly harder to exploit.
This is correct, and, unfortunately, why the 1st statement is so dangerous.
Assuming that your site is safe just because you've followed best practices is WRONG! You MUST apply the fix in ScottGu's post immediately!
Re: (Score:3, Funny)
Sorry, but real pros replace ALL of the HTTP status codes at random to prevent the client / browser from detecting a pattern. Similarly, pros override "true" and "false" constants to be functions that return random booleans, just to keep the code guessing. Sure, standards are great, but pros make sites that are secure, not standard.
Re: (Score:1, Flamebait)
POET? (Score:2)
demoed at the ekoparty (Score:1)
Not just ASP.NET (Score:5, Informative)
I understand this is Slashdot and all, and it would be very politically incorrect to ask the editors to read the original paper about the attack [usenix.org], much less understand it... but, for God's sake, the paper starts with a demo of this attack on JSF (which has precisely the same issues as ASP.NET)! There's also a presentation [netifera.com] devoted entirely to attacking JSF apps with this.
And starting from there, I'll just quote:
Besides JavaServer Faces, we have also audited someother popular web frameworks to see if they are vulnerable to padding oracle attacks. Here are some of our findings.
Since version 2.3, Ruby On Rails has introduced ActiveSupport::MessageEncryptor which is a set of functions to provide a simple way to encrypt information for storage in an untrusted location (like cookies). If you look at ActiveSupport::MessageEncryptor's source code,
you would probably see that applications that use the provided encrypt/decrypt functions would be vulnerable to padding oracle attacks.
The reason why ASP.NET is most affected by this in practice is because there are many more clueless developers who enable full exception information being passed to the client in production (and that, in turn, is largely because ASP.NET is a common tool of choice for outsourcing bids).
Re:Not just ASP.NET (Score:4, Interesting)
this is irrelevant and misleading, the exploit does not require the stack trace pages to be enabled in order to be effective.
Re: (Score:2, Informative)
The point still stands that, 1) the default in ASP.NET is no information about the error other than something wrong happened, so it's not exploitable; and 2) the common cause of problems in this particular case is people enabling full reporting for development/debugging, and then keeping it that way for production.
Re:Not just ASP.NET (Score:5, Informative)
ARGH! NO!
Why do you guys keep reiterating this crap.
The vulnerability DOES NOT REQUIRE the stack traces in order for it to work. Telling people that this is the case is extremely dangerous and irresponsible because it leads people to believe that they are safe WHEN THEY ARE NOT!
The exploit only needs to know that something went wrong. It doesn't need to know what went wrong. All it needs to know is that the response for a correct padding byte is different than the response for an incorrect one. The difference between a '500' and '404' in the HTTP response header is sufficient, and the 'production' error pages certainly have this difference.
Re: (Score:2)
The exploit only needs to know that something went wrong. It doesn't need to know what went wrong. All it needs to know is that the response for a correct padding byte is different than the response for an incorrect one. The difference between a '500' and '404' in the HTTP response header is sufficient, and the 'production' error pages certainly have this difference.
What I think several people are trying to tell you and you don't seem to be getting is that typically an ASP.NET app won't be providing even th
Re: (Score:1, Insightful)
The timing is the key.
If it takes 100ms to return a normal and 110ms to return a padding error.. they have figured it out.
It doesn't matter about status codes, or stack traces.
Re: (Score:2)
A custom error page with a 200 response code will usually still look like an error page, in that it will look different to the page given when a valid query is made. This exploit only needs to know that an error occurred, it doesn't need to know any more details about it, so a custom error page with a 200 response code will be perfectly sufficient in most cases.
Re: (Score:2)
Just to be crystal clear, the issue doesn't require ANY change in error pages. Bad encryption = error page (app doesn't know what/who/where etc.) Good encryption = proceed within the app with your injected and encrypted value.
Yikes.
Re: (Score:3, Insightful)
Newer ASP.NET versions also have a vulnerability where if you can decrypt their "secret" then the untrusted server process will give you anything it has access to on the server filesystem.
Reference?
Sigh.... (Score:5, Informative)
Remarks about clueless .NET developers aside, there are a lot of clueless comments here.
1. This has nothing to do with exception data or stack traces being returned. It has to do with HTTP status codes. When ASP.NET is decrypting a cookie value, one of three things may happen:
A. The value is decrypted and meaningful. The application returns HTTP 200.
B. The value is decrypted but not meaningful. The application returns HTTP 200 with a human-readable error message.
C. The value is not decrypted because the padding of the ciphertext was not correct. The underlying platform throws an exception that the application does not catch. The server returns HTTP 500.
With a few thousand requests, being able to distinguish among these three cases allows you to eventually decrypt the message. That the attacker can distinguish between cases B and C is an "oracle" provided inadvertently by the platform and the way the application consumes it. The ideal solution is to make these two cases indistinguishable to the attacker. That is all we are talking about.
The advice of "never trusting the client with encrypted data" or lambasting "retarded developers" is not helpful, and, I might add, defeats the entire @#$@#$@$# purpose of encryption!
2. OK. This should sounds scary to you because you can imagine several platforms are vulnerable to this kind of attack. But of all of the platforms vulnerable to this kind of attack, in ASP.NET it is worse because once the machine key is deduced, a special request to the server using that key can be used to download any file within the application directory, such as the web.config file, which could contain sensitive information like database connection strings and passwords.
Re: (Score:2)
mod parent up
Re: (Score:2)
Thank you for an informative post!
But of all of the platforms vulnerable to this kind of attack, in ASP.NET it is worse because once the machine key is deduced, a special request to the server using that key can be used to download any file within the application directory, such as the web.config file, which could contain sensitive information like database connection strings and passwords.
However, this is not correct. There is no key which will let you bypass the IIS/ASP.NET mappings. A number of files and file types are always configured so that they will be served by the special "prohibited" handler. An IIS/ASP.NET server will *never* (barring any bugs) serve the clean text version of web.config, *.aspx or similar files. Not with any key.
This is an attack on the authentication ticket - which is the cookie on the client which holds information about your lo
Re: (Score:2)
Re:Sigh.... (Score:4, Informative)
WebResource.axd provides the oracle. given the oracle, ScriptResource.axd provides the local files.
Re: (Score:1)
Wait wait this can't be right. (Score:1)
Re: (Score:1)
Workaround (Score:2)