Microsoft releases a security advisory about a vulnerability affecting Web applications built on ASP.NET.
Microsoft issued a security
Sept. 17 with a workaround for a vulnerability
impacting Web applications built on ASP.NET.
The advisory was in response to findings by security
researchers Juliano Rizzo and Thai Duong, who developed the "Padding
Oracle Exploit Tool" to demonstrate the attack. At the heart of the issue
is a vulnerability in the way ASP.NET
implements encryption to protect data. The problem, Microsoft said, is caused
by ASP.NET providing Web clients details in
error messages when decrypting certain ciphertext.
"An oracle in the context of cryptography is a system which provides
hints as you ask it questions," explained
, Microsoft Security Response Center Engineering, in a post on
Microsoft's Security Research & Defense blog. "In this case, there is
a vulnerability in ASP.NET which acts as a
padding oracle. This allows an attacker to send chosen cipher text to the
server and learn if it was decrypted properly by examining which error code was
returned by the server.
"By making many requests the attacker can learn enough to successfully
decrypt the rest of the cipher text," he continued. "The attacker can
then alter the plain text and re-encrypt it as well."
If the ASP.NET application
stores sensitive information, such as passwords or database connection
strings, in the ViewState object the data could be compromised, Brown blogged.
"The ViewState object is encrypted and sent to the client in a hidden
form variable, so it is a possible target of this attack," he wrote.
"If the ASP.NET application is using
ASP.NET 3.5 SP1 or above, the attacker could
use this encryption vulnerability to request the contents of an arbitrary file
within the ASP.NET application."
"The public disclosure demonstrated using this technique to retrieve
the contents of web.config," he added, noting that any "file in
the ASP.NET application which the worker
process has access to will be returned to the attacker."
Microsoft said it is planning an update to address the issue, and as of
Sept. 17 was not aware of any attacks targeting the flaw. According to the
advisory, using Triple DES encryption
instead of AES encryption will have no
effect, since the "cryptographic vulnerability being presented involves
revealing cryptographic padding errors to a client for algorithms that use PKCS
#7 padding" and Triple DES shares
that padding mode with AES.
As a workaround, the company recommends enabling ASP.NET
custom errors and mapping all error codes to the same error page to make it
more difficult for an attacker to distinguish the different types of errors.
Advice on how to do that is contained within the advisory.