[Owasp-o2-platform] [Owasp-dotnet] ASP.NET POET Vulnerability

dinis cruz dinis.cruz at owasp.org
Tue Sep 21 21:46:19 EDT 2010


James, I think you are on to something, and my gut feeling (I have not looked
at all at how this works) is that this is a much bigger issue than it looks.

I would say that the first thing we need to do is to be able to recreate the
problem in a script.

So here is the scenario: *"Assume you can execute a C# script locally or on
an ASP.NET website, using that script (which can invoke any public or
private method of the .NET Framework), how can we find the machine key used
to create the FormsAuthentication Cookie and ViewState."*

Once we have this script we can verify if the current proposed protections
work at all.

And if there is a crypto expert on this list, can you try to find out the
root cause of this problem? (We should be trying to find the pattern that
creates this vuln so that we can check it on other crypto
implementations/usage (or sample crypto documentation).)

Also, who wants to work with me on a stand-alone O2 module to help identify
vulnerable web.config configurations?

Dinis Cruz

On 21 September 2010 18:51, James Knowles <james at unwindsoftware.com> wrote:

>
> Can I ask a real set of dumb questions...
>
> Why does the CustomErrors fix work as described here?
>
>
> http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
>
> Having read http://netifera.com/research/poet/PaddingOracleBHEU10.pdf
>
> I would read it that even with Custom Errors on, a POET attack would be
> successful.
>
> Slide 29 of the presentation says this:
>
> Most JSF frameworks allow developers to turn off error messages.
>
> Then we can use the following simple trick:
>
> Padding oracle in JSF frameworks when error-page is turned off
>
> Say we want to decrypt block C_i of an encrypted view state
> C_0 | C_1 | ... | C_{n-1}; then we send C_0 | C_1 | ... | C_{n-1} | C_random | C_i to the target.
>
> Since Java ignores those extra blocks while decrypting and
> deserializing view states, it’s VALID padding if the target returns the
> same page as when the view state is unaltered.
>
> And it’s probably INVALID padding if we see something else, e.g. a
> HTTP 500 error message.
>
>
> So I could make my attack generic against, say, WebResource.axd, or I could
> focus my attack by targeting a page, starting with knowing that page gave me
> back a valid response.
>
> Would you not need something in the Global.asax tracking exceptions and
> then drop the IP address for a period when you had too many exceptions for
>
> System.Security.Cryptography.CryptographicException
>
> This would considerably slow the attack down. Although it would not stop
> distributed attacks, it would certainly slow the process down.
>
> I am probably being dumb, but I don't see why the CustomErrors workaround
> works. Can anyone help me understand this issue better?
>
> James
>
>
>
> -----Original Message-----
> From: owasp-dotnet-bounces at lists.owasp.org [mailto:
> owasp-dotnet-bounces at lists.owasp.org] On Behalf Of Mike Lonergan
> Sent: 21 September 2010 18:09
> To: alessio.marziali at cyphersec.com
> Cc: OWASP .NET
> Subject: Re: [Owasp-dotnet] ASP.NET POET Vulnerability
>
> Personally I'd recommend posting it to your blog. Opinions and analysis
> mixed together are a great guide with personal touches and real first person
> authority. Then if you're amenable, we could reference your blog article and
> extract the key technical analysis and place it in the wiki. That way we get
> a great reference (wiki) that is backed up by deep articles (blog).
>
> Mike
>
> On Sep 21, 2010, at 3:29 AM, alessio.marziali at cyphersec.com wrote:
>
> > All,
> >
> > In addition to the links I sent out yesterday, this is another
> interesting read on the Padding Oracle Crypto Attack (POET).
> >
> >
> http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310
> >
> > I started creating a very long post for my blog last night, then I
> thought I could just post it directly on the OWASP.NET wiki.
> >
> > Let me know. I could get this done in a couple of days.
> >
> > Cheers,
> > Alessio
> > _______________________________________________
> > Owasp-dotnet mailing list
> > Owasp-dotnet at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-dotnet
>
>
>
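As a starting point for the web.config check Dinis asks for above (and for James's question about why the CustomErrors workaround matters), here is an added example that is not code from this thread, from the O2 platform, or from the linked advisory. It encodes the workaround as the advisory describes it: a <customErrors> element under <system.web>, mode="On", a single defaultRedirect page, and no per-status <error> elements, so that a padding failure produces the same response as any other server error. The sample configurations are constructed for the example; the error-page random delay the advisory also recommends lives in the page itself and cannot be checked from web.config.

```python
"""Flag ASP.NET web.config files whose customErrors settings still let a
client tell a CryptographicException apart from any other error.

Added example, not part of the thread or of the O2 platform.  It assumes
the published workaround: <customErrors mode="On" defaultRedirect="..."/>
under <system.web>, with no per-status <error> children.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip any XML namespace so tags match whether or not the file
    declares the old .NetConfiguration namespace on <configuration>."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """Return the first direct child of elem with the given local tag name."""
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def check_custom_errors(web_config_xml):
    """Return a list of findings; an empty list means the customErrors
    section matches the recommended workaround."""
    findings = []
    root = ET.fromstring(web_config_xml)
    system_web = _child(root, "system.web")
    ce = _child(system_web, "customErrors") if system_web is not None else None
    if ce is None:
        findings.append("no <customErrors> element under <system.web>; "
                        "detailed error responses are not suppressed")
        return findings
    # mode is the ASP.NET attribute; the workaround requires it to be "On"
    mode = ce.get("mode", "")
    if mode != "On":
        findings.append('customErrors mode="%s" is not "On"' % (mode or "(missing)"))
    # every error must land on the same page, so defaultRedirect is required
    if not ce.get("defaultRedirect"):
        findings.append("no defaultRedirect page; all errors should map to one page")
    # per-status <error> entries give distinct pages for distinct failures,
    # which is exactly the signal an oracle needs
    per_status = [c for c in ce if _local(c.tag) == "error"]
    if per_status:
        codes = ", ".join(c.get("statusCode", "?") for c in per_status)
        findings.append("per-status <error> elements (%s) make error responses "
                        "distinguishable; remove them" % codes)
    return findings


# Constructed sample configurations (not taken from any real site).
VULNERABLE_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

PER_STATUS_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.aspx">
      <error statusCode="404" redirect="~/notfound.aspx" />
      <error statusCode="500" redirect="~/oops.aspx" />
    </customErrors>
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite"
                  defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>"""


def main():
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG),
                      ("per-status", PER_STATUS_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        findings = check_custom_errors(cfg)
        print("%s: %s" % (name, "OK" if not findings else "; ".join(findings)))


if __name__ == "__main__":
    main()
```

Run it against a real web.config with `check_custom_errors(open(path).read())`; a clean result only means the configuration matches the workaround, not that the error page itself behaves identically for every failure.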