Saturday, September 18, 2010

Microsoft ASP.NET Security Vulnerability: The 'Padding Oracle' Attack

Early this week, a couple of security researchers, Juliano Rizzo and Thai Duong, have implemented an attack that exploits the way ASP.NET applications handle encrypted session cookies (see more details here). They have discussed this in detail during the Ekoparty conference in Argentina. Their research paper is Practical Padding Oracle Attacks.

In the context of cryptography, an oracle is a system that provides hints as you ask it questions. And this attack explores a vulnerability in ASP.NET which acts as a padding oracle. This vulnerability is explained in details in Understanding the ASP.NET Vulnerability.

This vulnerability allows attackers to have access to decrypt the information stored in the ViewState object. If sensitive information is stored there, such as passwords or database connection strings, then this data is compromised. If an ASP.NET application is using ASP.NET 3.5 SP1 or above, the attacker could use this encryption vulnerability to request the contents of an arbitrary file which the worker process has access to, for example, the web.config file.

Microsoft has released a security advisory about the problem: Microsoft Security Advisory (2416728). If you or your clients have ASP.NET Web sites, then you must apply the necessary changes as described here: Scott Guthrie: ASP.NET Security Vulnerability

Update: Also take a look at Scott Guthrie's FAQ about AS.NET Security Vulnerability.

No comments: