Microsoft confirms unpatched ASP.NET data leakage security flaw

The vulnerability, which was discussed at last week's ekoparty security conference in Argentina, exists in the ASP.Net encryption implementation can allow an attacker to decrypt and tamper with sensitive data.

For example, if the target ASP.NET application stores sensitive information (like passwords or database connection strings) in the ViewState object, this data could be compromised. "The ViewState object is encrypted and sent to the client in a hidden form variable, so it is a possible target of this attack," Microsoft explained.

If the ASP.Net application is using ASP.Net 3.5 SP1 or above, the attacker could use this encryption vulnerability to request the contents of an arbitrary file within the ASP.Net application. The public disclosure demonstrated using this technique to retrieve the contents of web.config. Any file in the ASP.Net application which the worker process has access to will be returned to the attacker.

Microsoft said it was not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.

However, it should be noted that a tool has been released to automatically find and exploit this vulnerability.

According to Juliano Rizzo, the researcher who disclosed this vulnerability, an attacker can easily decrypt cookies, view states, form authentication tickets, membership password, user data, and anything else encrypted using the ASP.NET framework's API.

Rizzo said the vulnerabilities exploited affect the framework used by 25 percent of Web sites on the Internet. "The impact of the attack depends on the applications installed on the server, from information disclosure to total system compromise," he added.

Microsoft has posted workarounds and suggested mitigations in its security advisory.