Microsoft Security Bulletin: https://technet.microsoft.com/library/security/ms10-070
Padding Oracle Profile: http://blog.zhaojie.me/2010/10/padding-oracle-attack-in-detail.html
WebResource.axd Tutorial: http://www.cnblogs.com/jackielin/archive/2005/11/29/286570.html
Website file: Http://files.cnblogs.com/files/poc-/MS10-070.rar
MD5 Value: 6ea1bb594b688ab2d152c048b5c14c95
The vulnerability of Microsoft is due to the fact that ASP. NET is used to provide information in an error response that could be used by an attacker to read and tamper with encrypted data.
All about padding Oracle's content comes from the link above
First to read the title of the vulnerability, "Padding" refers to the addition/decryption of the fill, the encryption when the plaintext can be any length, but the Block encryption algorithm requires a certain number of the same length of data block composition. In order to meet this requirement, the plaintext needs to be populated.
There are multiple fill rules, but one of the most common fills is the rule defined in the PKCS#5 standard. The pcks#5 is populated by the fact that the last chunk of plaintext contains n bytes of padding data (n depends on the length of the last piece of the plaintext ). The 8-byte data block alignment is as follows:
"Oracle" refers to the hint that most of the Add/decryption programs throw a fill exception if the end of the last block of data that is decrypted does not conform to such a fill. This exception is especially critical for attackers, which is the basis for padding Oracle attacks.
Here's a scenario where an application uses the query string parameter to pass a user-encrypted user name, a company ID and a role ID in plaintext, "brian;12;1;" The parameter uses CBC mode encryption to introduce IV, ciphertext = ENC (key, XOR (iv, clear Text)), each time using a different initialization vector (iv) and added in the ciphertext front segment .
When the application accepts the encrypted value, it returns three cases: 1, is populated correctly and contains a valid value (200-OK) 2, is found to be populated incorrectly after decryption (500-internal Server Error) 3, is populated correctly but the value is illegal (200-OK)
The URL in the scene is Http://sampleapp/home.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6
The UID parameter uses the ASCII hexadecimal notation, which allows an attacker to infer the size of the data block based on the length of the encrypted value. Since the length (here is 24) can be divisible by 8 but not divisible by 16, it is possible to know that the size of the data block is 8 bytes.
A normal encryption process is as follows, where a circled plus sign indicates an XOR (XOR) operation:
The intermediate value is obtained by the XOR of the IV and plaintext, and the intermediate value is encrypted with the key for 3-heavy DES, and the result of the encryption is the IV of the next block.
The decryption process is a reverse process,
The process for Padding Oracle attacks is as follows:
We will operate a separate block of encryption each time, so we can separate out the first cipher (the block after the IV), preceded by a fully null IV value, and sent to the application. And increment the last byte of the IV
Request:http://sampleapp/home.jsp? uid=00000000000000f851d6cc68fc9537-Internal Server Error
Request:http://sampleapp/home.jsp? uid=00000000000000f851d6cc68fc9537-Internal Server Error
A 500 error is returned because the decrypted padding value does not conform to the rule. Duplicate requests, with only one value for the possible 256 values, produce the correct padding byte 0x01. When the last byte of the IV is incremented to 0x3c, it is decrypted to conform to the fill rule for 0x1.
The response is based on the status code 200, so that we can infer the last byte of the median value (intermediary value) without knowing the encryption key , because we know that it and 0x3c have a different or later result of 0x01, so:
During decryption, each byte of the median value is XOR with the corresponding byte of the previous block in the ciphertext (for the first Data block, IV). So we use the last byte (0x0F) in the original IV in the previous example, and we can get the plaintext in the same way as the middle value. Not surprisingly, we'll get 0x32, which represents the number "2" (the last byte of the first chunk in clear text).
Now that we've cracked the 8th byte in the sample data block, it's time to focus on the 7th byte. When we crack the 8th byte, we use the brute Force enumeration IV, which makes the last byte after decryption become 0x01 (legal padding). When we crack the 7th byte, we're going to do the same thing, but the 7th byte and the 8th byte are required to be 0x02 (again, this means the legal padding). We already know that the last byte of the median is 0x3d, so we can set the 8th byte in the IV to 0x3f (which produces 0x02) and the seventh byte of the violent enumeration IV (starting with 0x00, up to 0xFF). Using this technique, we can decode each byte in the middle value from the back, and finally get the decrypted value.
Padding Oracle is based on the response hint of the fill exception, which causes us to infer the median value without knowing the key.
1. pl script Running Environment (activeperl_5.16.2)
2, the environment affected by the vulnerability, I chose an Enterprise Edition SP2 virtual machine +. NET Framework 3.5
After you install. NET Framework3.5, you can see the installed version by looking at the%windir%\microsoft.net\framework\ directory. View SP information by searching the registry key net Framework Setup.
Download the PL script provided by exploit-db to understand the vulnerability based on the examples in the script. First understand that the first parameter required in the script is a URL pointing to the ScriptResource.axd file.
In ASP. resource files such as JS and CSS can be packaged in a DLL, and the resource files can be accessed by WebResource.axd plus parameters in the package. The ScriptResource.axd function is similar, for returning JS files has more features than WebResource.axd. found that as long as the page embedded in the ASP. UpdatePanel, the page will appear WebResource.axd and ScriptResource.axd, fully compliant with the vulnerability environment. You can write or deploy the Web files I upload.
The website files are as follows:
On the IIS Ready asp.net3.5 environment, the results found that online said Framework2.0, can run, 3.0 and 3.5 are on the basis of 2.0 extension. Enable the ASP. NET Web Service extension for IIS. The Web site's files are then copied to the IIS Web site directory for access.
To understand the second parameter encryptedsample, note that this parameter is from Padbuster. Follow the prompts to download another script, padbuster.pl. You need 3 parameter Url,encryptedsample,blocksize in the Padbuster script. Next, look at the generated HTML source for the deployed page. I'm going to use ScriptResource.axd this link.
The complete command line is as follows, and the block size is typically 16. Found not successful
Search the Padsub script based on the error, and navigate to the decoding function EncodeDecode. You should specify format 3,. NET Urltoken. The format will replace the D parameter '-' = ' + ' + ' _ ' + '/' and fill ' = ' and then base64 decode. This is because the URL encoder will be in the standard Base64 "/" and "+" characters into the form of "%XX", known to have such a substitution exists.
So the final command line as follows, you can increase the-log switch, view the detailed HTTP request log, first will be the IV last byte loop increment request, to determine the hint of padding error. will be determined based on the response information such as Status,length. We just have to choose an ID with two asterisks.
Once the tip of the padding anomaly is determined, it will start blasting. The decrypted value is: nsions,22.214.171.124,,31bf3856ad364e35| Microsoftajax.js|zh-chs. If you cannot respond to a request, you can adjust the connection configuration for the site and then restore the configuration later. The connection timeout is set from 120 seconds to 5 seconds and does not maintain an HTTP connection.
According to the online prompt will be "| | | ~/web.config "Encrypt the command line as follows and get the encrypted result as: Hlcnhlibsorxfmya6ro1ggaaaaaaaaaaaaaaaaaaaaa1.
ciphertext = ENC (key, XOR (IV, plaintext))
The encrypted process is the ciphertext of any given last block, using the ciphertext of the last block, by padding Oracle to know the intermediate value again xor or clear text, to calculate the IV (the process above is to calculate the plaintext), this IV is the ciphertext of the previous cipher block. So just burst out the initial IV to access the "| | | | ~/web.config. "
Then run the exploit-db downloaded script, Web.config_bruter.pl to run, the script burst out the correct IV, eventually get access to the Webconfig URL.
Visit http://192.168.0.15/ScriptResource.axd?d=sGQ6SzO0gY5_kXYCskHWZRy3DYZSG7DkcRTGAOq6NRoAAAAAAAAAAAAAAAAAAAAA0 You can see the contents of the Web. config.
cve-2010-3332 analysis of Microsoft asp.net-padding Oracle (ms10-070)