Microsoft confirms unpatched ASP.NET data leakage security flaw

Summary: An attacker can easily decrypt cookies, view states, form authentication tickets, membership password, user data, and anything else encrypted using the ASP.NET framework API.

Microsoft has released a security advisory to confirm an unpatched information disclosure hole in its ASP.NET Web application framework.

The vulnerability, which was discussed at last week's ekoparty security conference in Argentina, exists in the ASP.Net encryption implementation and can allow an attacker to decrypt and tamper with sensitive data.

For example, if the target ASP.NET application stores sensitive information (like passwords or database connection strings) in the ViewState object, this data could be compromised. "The ViewState object is encrypted and sent to the client in a hidden form variable, so it is a possible target of this attack," Microsoft explained.

If the ASP.Net application is using ASP.Net 3.5 SP1 or above, the attacker could use this encryption vulnerability to request the contents of an arbitrary file within the ASP.Net application. The public disclosure demonstrated using this technique to retrieve the contents of web.config. Any file in the ASP.Net application which the worker process has access to will be returned to the attacker.

Microsoft said it was not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.

However, it should be noted that a tool has been released to automatically find and exploit this vulnerability.

According to Juliano Rizzo, the researcher who disclosed this vulnerability, an attacker can easily decrypt cookies, view states, form authentication tickets, membership password, user data, and anything else encrypted using the ASP.NET framework's API.

Rizzo said the vulnerabilities exploited affect the framework used by 25 percent of Web sites on the Internet. "The impact of the attack depends on the applications installed on the server, from information disclosure to total system compromise," he added.

Microsoft has posted workarounds and suggested mitigations in its security advisory.

Talkback

15 comments
  • RE: Microsoft confirms unpatched ASP.NET data leakage security flaw

    Just another flaw in a human-written OS. Just fix the problem, Microsoft (if it is fixable) and I'll let you off the hook.
    Lerianis10
    • Just another reason to avoid ViewState

      Which also brings the interesting thought that how much we still need Asp.Net with SilverLight growing and growing.
      LBiege
  • This is a biggie, given the potential

    This will see widespread attacks against ASP.NET sites. I *hope* Microsoft rushes out a patch, because this is *by far* the most serious vuln. *ever* to hit ASP.NET.

    (Note, this is not just an ASP.NET issue - JSF is mentioned as well. But given that forms authentication tickets (FATs) in ASP.NET are encrypted this way and that FATs are *the* way to do internet authn - it hits ASP.NET really hard).
    honeymonster
    • RE: Microsoft confirms unpatched ASP.NET data leakage security flaw

      @honeymonster
      You're not gonna blame Linux or Firefox for this, are ya?

      :p

      lol....
      ahh so
      • RE: Microsoft confirms unpatched ASP.NET data leakage security flaw

        @ahh so
        "You're not gonna blame Linux or Firefox for this, are ya?"
        Why would I? Linux has its own problems, like servers currently being rooted through a bug which was fixed in 2007 and then *due to poor version control* was *re-introduced*. And this time it is being actively exploited. But that's another story...

        This ASP.NET problem is not a rooting - but it is almost as bad. For most sites there's no difference: If the attacker can choose to run as site "admin" it is a pretty bad "information leakage". Many sites based on some kind of CMS (SharePoint included) allow the admin to perform changes - or even upload files. In that case the distinction between root and "site admin" becomes unimportant.

        And as I said - this is not just an ASP.NET issue. The researcher initially demonstrated this attack against Apache ICEfaces. Ruby on Rails is vulnerable, too. No need to feel smug. This is a basic problem with the decryption algorithm: The attacker can gradually learn more and more from the key just by starting with a "known good" encrypted text. The only real defense against this is to *both* encrypt *and* sign the ciphertext.
        honeymonster
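
The defense named in the comment above, encrypting and then signing the ciphertext, as an added example (not part of the original thread and not Microsoft's code): the signature is checked before anything is decrypted, and every failure produces the same error. The function names and the HMAC-based stand-in cipher are assumptions chosen so the block runs on the standard library alone; a real deployment would use AES for the encryption step.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32  # TAG_LEN is the HMAC-SHA256 output size


class InvalidToken(Exception):
    """Single error for every failure, so callers cannot tell failures apart."""


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode), an assumption made so the
    # example needs no third-party library; it is its own inverse.
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        pad = hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, pad))
    return bytes(out)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then sign nonce + ciphertext with a separate key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = nonce + _keystream_xor(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, token: bytes) -> bytes:
    """Verify the signature first; decrypt only if it matches."""
    if len(token) < NONCE_LEN + TAG_LEN:
        raise InvalidToken("invalid token")
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise InvalidToken("invalid token")
    return _keystream_xor(enc_key, body[:NONCE_LEN], body[NONCE_LEN:])


def is_accepted(enc_key: bytes, mac_key: bytes, token: bytes) -> bool:
    """What a server would do with a submitted ticket: accept or reject, nothing more."""
    try:
        open_sealed(enc_key, mac_key, token)
        return True
    except InvalidToken:
        return False
```

Because a ticket altered in any byte fails the signature check, the decryption routine never processes modified ciphertext and its behaviour gives the sender nothing to learn from.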
      • RE: Microsoft confirms unpatched ASP.NET data leakage security flaw

        So you're admitting a failing on the part of your great benefactor, Micro$oft.

        Well this is a historic moment.

        lol...
        ahh so
  • All that was missing was the outrage...

    Or not. After all, it only affects every version of ASP.net.

    One wonders how long it'll take to patch...
    zkiwi
    • RE: Microsoft confirms unpatched ASP.NET data leakage security flaw

      @zkiwi,

      Actually it only affects 3.5 SP1 and above.
      bmonsterman
  • RE: Microsoft confirms unpatched ASP.NET data leakage security flaw

    Not again!

    Thank God, we ripped out (g)ASP.NET from each computer that did not absolutely NEED to have it.

    When it comes to Windows^H^HZE boxen, getting rid of unused stuff (call it bloat if you want), is IMHO, the best choice. The smaller the attack surface, the better off you are.
    fatman65535
    • RE: Microsoft confirms unpatched ASP.NET data leakage security flaw

      @fatman65535

      Ahem, ASP.NET is not installed by default. No need to "rip" it out. Unless you need some drama?

      IIS is not installed by default. No need to "rip" it out.

      If you want to go on message boards and tell the world what a hero you are to have "ripped" out ASP.NET you need to install it first.

      Some admin your company has there! Good call!
      honeymonster
      • RE: Microsoft confirms unpatched ASP.NET data leakage security flaw

        @honeymonster
        May I humbly suggest you learn to read....fatman said he "ripped" it out....which makes me think that it was previously installed for some reason.

        You HoneyTroller made the assumption he thought it was installed by default.

        nt
        ColdFusion_z
  • Wow-- MS is getting better!

    It only took the community, what, almost a DECADE to break ViewState encryption! LOL. Guess MS will just up the ante to a 1k cipher and we'll be seein' ya'll in another decade or so! Seriously-- I've been tooling with .NET since ~2001 or was it '02?
    kckn4fun
  • use the ASP.NET MVC Framework

    No viewstate...problem solved.
    bmonsterman
    • RE: Microsoft confirms unpatched ASP.NET data leakage security flaw

      @bmonsterman
      Nope. ViewState is not even encrypted by default (it is only hashed/signed by default). But even if it was, that would be the least of the problem.

      The big one here is that the *forms authentication tickets* are encrypted. Once you crack the machine key you can choose your identity freely. If the site has an admin role you can choose that.

      ASP.NET MVC taps into forms authentication, too. It is just as vulnerable.
      honeymonster
    • ViewState vulnerable? No. MVC? - still vulnerable!

      @bmonsterman
      Nope. ViewState is not even encrypted by default (it is only hashed/signed by default). But even if it was, that would be the least of the problem.

      The big one here is that the *forms authentication tickets* are encrypted. Once you crack the machine key you can choose your identity freely. If the site has an admin role you can choose that.

      ASP.NET MVC taps into forms authentication, too. It is just as vulnerable.
      honeymonster