Researchers Demo ASP.NET Crypto Attack

Trailrunner7 writes "The crypto attack against ASP.Net Web apps has gotten a lot of attention this week, and with good reason. Microsoft on Friday night issued a security advisory about the bug, warning customers that it poses a clear danger to their sites. Also on Friday, the researchers who found the bug and implemented the attack against it released a slick video demo of the attack, clearly showing the seriousness of the problem and how simple it is to exploit with their POET tool."

Re:This is why we need to use Ruby on Rails.

[mangu]

Ruby is the only solution we can use in the real world. Django is getting close, but it will never be able to catch up with Ruby on Rails because Django doesn't use Ruby.

Python is the only solution we can use in the real world. Ruby on Rails is getting close to Django, but it will never be able to catch up with Django because Ruby on Rails doesn't use Python.

Re:

[flyingfsck]

Fortran is the only solution we can use in the real world. C is getting close, but...

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Joce640k]

Visual basic is for weenies. QBASIC has everything a real programmer needs.

Re:

[whitedsepdivine]

The only reason Visual Basic has a bad rep, is that it was an horrible language when it was immature. Since Visual Basic uses the Common Language Runtime (CLR), it can do the majority of what C# can. C# is an extremely powerful language, with great frameworks and libraries. Visual Studio and the CLR, seems to have a completely different management process than windows, and has very few issues. (Microsoft.Windows != Microsoft.VisualStudio) And so what they had an stupid simple default web application th

Re:

[kiddygrinder]

also ruby on rails is vulnerable to this same attack.

Re:

[aurelianito]

I've talked with the 0-day authors and they said that RoR had (or have, I don't remember) the same kind of vulnerability reported in ASP.NET. The problem is that using encrypted but not signed content allows an attacker to decrypt it (check out the authors' paper for details, it is really cool).

Re:

[Caesar Tjalbo]

From a set of slides [netifera.com] (pdf, page 15) they used at the Black Hat Europe 2010:

• Since RubyOnRails 2.3, to provide a simple way to encrypt
  information.
• Vulnerability: encrypt and decrypt functions.
• Use encrypt_and_sign and decrypt_and_verify instead.

Impressive video

[erroneus]

There was so much wrong about that, I cannot begin to say it all. But I will say this. That "superuser" is available as a user in a web app is unforgivable. If it wasn't this exploit to take advantage of that fact, it would be another. *NIXes have learned the folly of that long ago and so now, with the exception of certain administrative tools, web services don't run as root, but as apache or some other non-root user. While this doesn't make the feat of root-level compromise impossible, it does make it

You don't know what you are talking about, at all.

[brunes69]

For one, IIS does not run as Administrator, unless you for some reason change it to do that.

For two, this attack has nothing to do with that, at all. This attack basically involves a way to crack COOKIES on a client machine that are supposedly encrypted.

For three, anyone who stores sensitive data in an "encrypted user cookie" is retarded. I don't care if it is encrypted or not, rule #1 is never trust the client with anything. Quote from the article:

"The attack allows someone to decrypt sniffed cookies, which could contain valuable data such as bank balances, Social Security numbers or crypto keys. The attacker may also be able to create authentication tickets for a vulnerable Web app and abuse other processes that use the application's crypto API."

Why on earth anyone would put a bank balance or any other sensitive information in a cookie is totally beyond me. Also why on earth one's session cookie would be based on anything other than a totally random UUID is beyond me.

Basically this exploit takes advantage of people who poorly code ASP sites. The exact same exploit could affect a poorly coded PHP site, or poorly coded JSP site, or poorly coded CGI site.

Re:

[sjames]

Why on earth anyone would put a bank balance or any other sensitive information in a cookie is totally beyond me. Also why on earth one's session cookie would be based on anything other than a totally random UUID is beyond me.

It's beyond me too, but then I also had grave concerns about making email and documents executable code.

Re:

[Eirenarch]

For four he turned the default (and secure) custom error mode setting to off.

Re:You don't know what you are talking about, at a

[wizbit]

Per Scott Guthrie's blog [asp.net], even if it's on, using anything other than a single default redirect still leaves the app vulnerable.

Re:

[Eirenarch]

I may be wrong on this but I believe the multiple errors are just theoretically exploitable and practically it is impossible for an exploit to track the information needed to decrypt the cookie that way. Same goes for the timing of the error page.

Re:

[spongman]

all you need is a 1-bit difference between the response for the padding error case and the non-error case.

once you have that bit you have the machine key. once you have the machine key you have all the sites on that machine that share that machine key.

Re:

[kmoorman]

Yes, since 99% of all sites are poorly coded then 99% of ASP sites are probably poorly coded.

Re:

[adamchou]

\

The exact same exploit could affect a poorly coded PHP site, or poorly coded JSP site, or poorly coded CGI site.

I might be misreading the article but it appears that the exploit is specific to ASP.NET and the way they implemented AES. Unless, of course, you have some other information on how to implement this attack against the other aforementioned languages.

Re:

[spongman]

no, the AES implementation is fine. the vulnerability is the ability to detect the padding exception in the block cypher.

you don't need to see the padding exception, you just need to know that it occurred. you can do that via a variety of means, not limited to http status codes, timing, etc...

Re:

[Peach Rings]

I for one don't care to give up all "Remember me" checkboxes on the internet.

Re:

[spongman]

it's not just about cookies, it's about extracting the machineKey. for 99.9% of ASP.NET sites that's a complete disaster.

if you admin ASP.NET and you think this doesn't affect you, then you're probably wrong.

Re:

[bloodhawk]

it's not just about cookies, it's about extracting the machineKey. for 99.9% of ASP.NET sites that's a complete disaster.

if you admin ASP.NET and you think this doesn't affect you, then you're probably wrong.

That really isn't true. It should be, if your a moron and you have incorrectly and insecurely setup your asp.net site then this may affect you. If you are said moron you should not be the admin of a site that has confidential data in the first place though. Any correctly configured site will not be vulnerable to this attack.

Re:

[brunes69]

If you weren't encrypting data into cookies and using that to store stuff then you would not be vulnerable to this exploit, at all.

Session cookies should always be totally random. If your web app wants to "remember me" then store that random cookie in the database with the user ID affiliated. There is never any reason to store anything about the user on the client side, at all, encrypted or not.

Re:

[goofy183]

That was my thought as well. Do what most Java servlet containers do, use a 256 bit securely hashed random number for the session tracking cookie. If you need to track a user for longer than an in-memory session stick that in your database as a key to the necessary info. I've always thought it rather irresponsible for storing encrypted data in cookies. You're just asking for someone to spend time trying to get your keys or session data and if they do they can spoof any data they want.

I'm not a crypto expert

Re:

[TrancePhreak]

You should check out this article that was on the front page a couple hours ago. http://linux.slashdot.org/story/10/09/18/2325240/Hole-In-Linux-Kernel-Provides-Root-Rights [slashdot.org]

Not as serious as it sounds

[Eirenarch]

The attack requires the ASP.NET error page that shows exception information to be enabled. No sane person will leave it like this in production let alone that it is turned off by default.

Re:

[shutdown -p now]

You need to keep in mind that most ASP.NET apps are developed in India. A fuck up like that is routine for them.

Yeah, but so is SQL injection, at which point this particular attack is pretty insignificant.

Re:

[Anonymous Coward]

India is the world's leading exporter of SQL injection vulnerabilities. It literally makes up approximately 8% of their GDP.

Re:

[Anonymous Coward]

If you check out the video it shows that "custom error" messages are turned off. By turning off custom errors you are instructing ASP.NET to send the detailed error message to any connected client. The default value for this setting is "RemoteOnly" which causes the detailed error message to be sent to clients connecting over the loopback adapter and generic error messages to be sent to anyone else.

What the video shows is that the target site was configured poorly. If that is the default setting of DotNet

Re:

[spongman]

the http status code in the generic error message is sufficient for this exploit to work.

Re:

[Mongoose Disciple]

the http status code in the generic error message is sufficient for this exploit to work.

Sure, but I've never seen a professionally built ASP.NET site that would return that, though I'm sure there are some.

There isn't a technology that exists that can survive user stupidity.

Re:

[Eirenarch]

Not really. This option works the other way around. Custom errors in ASP.NET are the ones provided by the developer. He turned custom errors off. Also in ASP.NET by default this option is set to RemoteOnly meaning that the errors are on for anyone but the localhost. This way you can develop on your own machine but when you deploy you can't be exploited by this or similar exploit even if you don't change the default configuration. Now if you go out and change it this is another thing...

I believe it is a s

Re:

[spongman]

the http status code is enough error information in order for this exploit to work. RemoteOnly is irrelevant.

Re:

[Giometrix]

The attack requires the ASP.NET error page that shows exception information to be enabled. No sane person will leave it like this in production let alone that it is turned off by default.

No sane person runs IIS to begin with, so that hurdle has been cleared.

Wow, is this a post from 10 years ago? If not, you should really keep up with technology; IIS has matured quite a bit.

Re:

[Timothy Brownawell]

The only real value of microsoft products is to admins, because they

...come with Active Directory.

It would be against microsoft's philosophy to build better, more secure systems.

This is of course why Windows 7 has no security advantages over XP, and XP has no advantages over 98.</sarcasm>

Re:

[whitedsepdivine]

And maybe one day linux will support 512bit CPUs, since it already supports 256 bit(I think).

Here is a hit, Microsoft.Windows cares about the common person, who doesn't care about anything you listed.

Then on the opposite side you have Open Source teams so driven to program something so unbelievable useless, and call it progress. Tell me why you need to focus on something so useless, when you don't support so many things. Such as Flash 64 bit, until about a week ago.

http://xkcd.com/619/

Re:

[nacturation]

Wow, is this a post from 10 years ago? If not, you should really keep up with technology; IIS has matured quite a bit.

Yeah, it's still crap compared to BSD, Linux, or even OS X.

A web server is still crap compared to an operating system?

Re:

[prudhvi]

I see horrible ASP.NET/PHP Code from my American counterparts aswell. Stop blaming India/Indians from everything. And remember you get what you pay for Plain and simple.

Re:

[The Yuckinator]

Really? Then why are your prices so low?

Re:

[JustOK]

volume. Volume! VOLUME!!!

Re:

[spongman]

the real question is why are prices in the west so high?

Re:

[devent]

Hmmm.

Experts say that the bug, which will be discussed in detail at the Ekoparty conference in Argentina this week, affects millions of Web applications.

For some reasons I trust the experts. Is there a reason why this kind of attacks are only done on IIS/ASP.NET? Some time ago there was another exploit According to Google over *114.000 different pages have been infected. [sucuri.net]

Is there a reason why I never read anything about Apache or the other webservers and languages/frameworks?

Re:

[t0y]

Yes, there's a reason: you're filtering the information you get.
That particular issue you are pointing out was an SQL Injection attack and IIS/asp.net can't do anything about that.

Re:

[devent]

Well, I'm reading /. Don't know if /. is filtering in this way.

It's a SQL injection attack, but why it's not done on the fast majority of web servern out there that are running Apache/Php?

Re:

[t0y]

It is. Often. Here's an example search within slashdot for wordpress vulnerabilities [google.com].

You should know that these vulnerabilities will also work when running wordpress under IIS.
The server software has nothing to do with it, it's a framework issue.

Re:

[devent]

There are 197 results, but half of them are posted on a wordpress blog about something else. This search yields 347 results [google.com] which are all IIS vulnerabilities, my favorite one is 500 Thousand MS Web Servers Hacked [slashdot.org]. A search for the same with Apache is useless, because Slashdot have a menu with an "Apache" item. The Slashdot's own search against "Apache vulnerability" only yields one reacent item Serious Apache Exploit Discovered [slashdot.org], which only affects Windows servers. And the next is from 2008 Mystery Malware [slashdot.org]

Re:

[t0y]

This discussion would be over quickly once you understand that this isn't a IIS bug.
Anyway, put any of these hacked websites running under Apache/Mono and voilá, an Apache vulnerability under your definition.

Thanks for playing. ;)

Re:

[devent]

Technically it's not an IIS bug, true. But why is only the IIS affected and not the more used Apache? Actually, why is it always the IIS and almost never the Apache? You should think that a hacker would target the most used webserver to hack as many websites as he/she can.

Re:

[NuclearRampage]

It is done on a vast majority of php sites, you just haven't been around long enough to hear about it I guess. phpBB back in the day had this issue like crazy and once someone found it could be injected, any major public forum using phpBB was injected. You just hear about IIS/ASP more on /. because OMG it's M$ products being hacked again. But really SQL injection has nothing to do with the technology being used and everything to do with lazy coding methods being used in applications.

Re:

[Jaime2]

Neither this bug nor the one you linked to would affect a properly written web application on ASP.Net. This one requires the developer to store the user name in a cookie (and then trust it), and the linked one was SQL injection, which is easily preventable.

NOOOO!

[spongman]

The attack requires the ASP.NET error page that shows exception information to be enabled.

NO! NO! NO!

This is wrong, and dangerous. There is no such requirement, the HTTP status code is sufficient. Actually, the timing is sufficient, but slightly harder to exploit.

No sane person will leave it like this in production let alone that it is turned off by default.

This is correct, and, unfortunately, why the 1st statement is so dangerous.

Assuming that your site is safe just because you've followed best practices is WRONG! You MUST apply the fix in ScottGu's post immediately!

Re:

[angst_ridden_hipster]

Sorry, but real pros replace ALL of the HTTP status codes at random to prevent the client / browser from detecting a pattern. Similarly, pros override "true" and "false" constants to be functions that return random booleans, just to keep the code guessing. Sure, standards are great, but pros make sites that are secure, not standard.

Re:

[KarmaMB84]

Standards are often riddled with security holes.

POET?

[itlurksbeneath]

POET tool? More like Pwnit.

demoed at the ekoparty

[sergiusens]

This was demoed at the ekoparty and was pretty cool, they gave away three copies of their POET tool, the crowd was like crazy for those pen drives thrown out.

Not just ASP.NET

[shutdown -p now]

I understand this is Slashdot and all, and it would be very politically incorrect to ask the editors to read the original paper about the attack [usenix.org], much less understand it... but, for God's sake, the paper starts with a demo of this attack on JSF (which has precisely the same issues as ASP.NET)! There's also a presentation [netifera.com] devoted entirely to attacking JSF apps with this.

And starting from there, I'll just quote:

Besides JavaServer Faces, we have also audited someother popular web frameworks to see if they are vulnerable to padding oracle attacks. Here are some of our findings.

Since version 2.3, Ruby On Rails has introduced ActiveSupport::MessageEncryptor which is a set of functions to provide a simple way to encrypt information for storage in an untrusted location (like cookies). If you look at ActiveSupport::MessageEncryptor's source code,
you would probably see that applications that use the provided encrypt/decrypt functions would be vulnerable to padding oracle attacks.

The reason why ASP.NET is most affected by this in practice is because there are many more clueless developers who enable full exception information being passed to the client in production (and that, in turn, is largely because ASP.NET is a common tool of choice for outsourcing bids).

Re:Not just ASP.NET

[spongman]

clueless developers who enable full exception information

this is irrelevant and misleading, the exploit does not require the stack trace pages to be enabled in order to be effective.

Re:

[shutdown -p now]

The point still stands that, 1) the default in ASP.NET is no information about the error other than something wrong happened, so it's not exploitable; and 2) the common cause of problems in this particular case is people enabling full reporting for development/debugging, and then keeping it that way for production.

Re:Not just ASP.NET

[spongman]

ARGH! NO!

Why do you guys keep reiterating this crap.

The vulnerability DOES NOT REQUIRE the stack traces in order for it to work. Telling people that this is the case is extremely dangerous and irresponsible because it leads people to believe that they are safe WHEN THEY ARE NOT!

The exploit only needs to know that something went wrong. It doesn't need to know what went wrong. All it needs to know is that the response for a correct padding byte is different than the response for an incorrect one. The difference between a '500' and '404' in the HTTP response header is sufficient, and the 'production' error pages certainly have this difference.

Re:

[Mongoose Disciple]

The exploit only needs to know that something went wrong. It doesn't need to know what went wrong. All it needs to know is that the response for a correct padding byte is different than the response for an incorrect one. The difference between a '500' and '404' in the HTTP response header is sufficient, and the 'production' error pages certainly have this difference.

What I think several people are trying to tell you and you don't seem to be getting is that typically an ASP.NET app won't be providing even th

Re:

[Anonymous Coward]

The timing is the key.

If it takes 100ms to return a normal and 110ms to return a padding error.. they have figured it out.

It doesn't matter about status codes, or stack traces.

Re:

[Bert64]

A custom error page with a 200 response code will usually still look like an error page, in that it will look different to the page given when a valid query is made. This exploit only needs to know that an error occurred, it doesn't need to know any more details about it, so a custom error page with a 200 response code will be perfectly sufficient in most cases.

Re:

[pegr]

Just to be crystal clear, the issue doesn't require ANY change in error pages. Bad encryption = error page (app doesn't know what/who/where etc.) Good encryption = proceed within the app with your injected and encrypted value.

Yikes.

Re:

[shutdown -p now]

Newer ASP.NET versions also have a vulnerability where if you can decrypt their "secret" then the untrusted server process will give you anything it has access to on the server filesystem.

Reference?

Sigh....

[Anonymous Coward]

Remarks about clueless .NET developers aside, there are a lot of clueless comments here.

1. This has nothing to do with exception data or stack traces being returned. It has to do with HTTP status codes. When ASP.NET is decrypting a cookie value, one of three things may happen:

A. The value is decrypted and meaningful. The application returns HTTP 200.
B. The value is decrypted but not meaningful. The application returns HTTP 200 with a human-readable error message.
C. The value is not decrypted because the padding of the ciphertext was not correct. The underlying platform throws an exception that the application does not catch. The server returns HTTP 500.

With a few thousand requests, being able to distinguish among these three cases allows you to eventually decrypt the message. That the attacker can distinguish between cases B and C is an "oracle" provided inadvertently by the platform and the way the application consumes it. The ideal solution is to make these two cases indistinguishable to the attacker. That is all we are talking about.

The advice of "never trusting the client with encrypted data" or lambasting "retarded developers" is not helpful, and, I might add, defeats the entire @#$@#$@$# purpose of encryption!

2. OK. This should sounds scary to you because you can imagine several platforms are vulnerable to this kind of attack. But of all of the platforms vulnerable to this kind of attack, in ASP.NET it is worse because once the machine key is deduced, a special request to the server using that key can be used to download any file within the application directory, such as the web.config file, which could contain sensitive information like database connection strings and passwords.

Re:

[spongman]

mod parent up

Re:

[benjymouse]

Thank you for an informative post!

But of all of the platforms vulnerable to this kind of attack, in ASP.NET it is worse because once the machine key is deduced, a special request to the server using that key can be used to download any file within the application directory, such as the web.config file, which could contain sensitive information like database connection strings and passwords.

However, this is not correct. There is no key which will let you bypass the IIS/ASP.NET mappings. A number of files and file types are always configured so that they will be served by the special "prohibited" handler. An IIS/ASP.NET server will *never* (barring any bugs) serve the clean text version of web.config, *.aspx or similar files. Not with any key.

This is an attack on the authentication ticket - which is the cookie on the client which holds information about your lo

Re:

[davros-too]

I wish you were right, but according to Microsoft's own blog: 'The public disclosure demonstrated using this technique to retrieve the contents of web.config. '

Re:Sigh....

[spongman]

WebResource.axd provides the oracle. given the oracle, ScriptResource.axd provides the local files.

Re:

[Newcastle22]

A recent Technet (http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx) article claims that using the customErrors tag to set all error types to return the same error page will fix this security hole. But according to the research paper (linked in another comment), the POET tool can simply check the HTTP return code. I don't know enough about ASP.Net and IIS, but is the MS Technet blog article totally off here?

Wait wait this can't be right.

[shoehornjob]

Microsoft acknowleged a zero day threat AND advised its' customers of the threat IN THE SAME WEEK???? Nope can't happen> Stop smokin that crack... obviously you're delusional.

Re:

[whitedsepdivine]

At least there is someone to be held responsible, unlike linux. This entire thread is just Microsoft vs Linux. This isn’t really an important exploit. Any security expert can tell you not to not to put exception information to your end user. This is why you provide generic errors. Like, when word crashes, it says “An unexpected error happened.” The real problem is the default configuration displays exception information, which is very simple to change. Any educated developer should

Workaround

[BcNexus]

Couldn't maybe a work around be: "Don't respond to 37 thousand requests in 260 seconds from an attacker?" At least not from the same IP?