First of all, the ASP.NET padding oracle patch is now available through Microsoft Update. Patch your servers before you keep on reading!
The saga goes on as lots of information on the ASP.NET padding oracle vulnerability is becoming available around the Internet. Many articles surface that range from days to weeks old. One example is this very detailed explanation of the padding oracle attack, dated September 14th. Linked in the article is the Padbuster tool, which was updated to attack ASP.NET sites in version 0.2 quite recently. Others have also released tools, like the one at Minded Security Blog, dated Tuesday 28th. Note the fortnight in between these two posts. Looking at the first one, no wonder Microsoft was in a hurry to get a patch out!
With the current state of affairs, it would be reckless to not patch Internet facing servers. New tools to exploit ASP.NET are popping up rapidly around the Internet. Web application scanners will be updated to check for the vulnerability. If you still haven't patched your servers, start reading this post from the top again — but this time read the first sentence!
Software security blog by André N. Klingsheim, who's learning to love .NET and Microsoft servers.
Disclaimer
Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).
Sep 30, 2010
Sep 28, 2010
ASP.NET security patch, what's changed
I've snooped around with Fiddler to see what changes have been introduced by the patch release today for the ASP.NET framework.
I've seen two notable differences in the behaviour of webresource.axd:
- The d parameter is now set to a value much longer than before; it seems it's 50 bytes longer.
- Tampering with this parameter will not trigger a 500 server error and an entry in the application event log. A regular 404 error is returned to the browser, and nothing is logged in the event log.
Anyhow, it's time to go home from work. Unfortunately, my local time is quite far from PDT. Happy patching!
ASP.NET padding oracle, check your logs!
Microsoft has now released a patch for the padding oracle attack, but most system owners will still need some time to test the new patch before going live with it. Until the patch is applied we need to keep an eye on our logs in order to detect potential attacks.
In his FAQ post, ScottGu explains that an attack attempt would generate a large number of entries in the application event log. In the subsequent update he presents a revised workaround that blocks requests with an aspxerrorpath parameter. To detect attacks involving this parameter, we also need to look at the IIS logs.
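The IIS log check described above, as an added example (not code from the original post): it reads IIS W3C log lines, flags clients that sent an aspxerrorpath query parameter, and counts failed webresource.axd requests per client (500 before the patch, 404 after it, as observed in the patch post on this page). The sample log lines, the threshold and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed IIS W3C log excerpt (client addresses from documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2010-09-28 10:00:01 GET /default.aspx - 198.51.100.7 200
2010-09-28 10:00:02 GET /WebResource.axd d=AAAA&t=1 203.0.113.9 500
2010-09-28 10:00:02 GET /WebResource.axd d=AAAB&t=1 203.0.113.9 500
2010-09-28 10:00:03 GET /WebResource.axd d=AAAC&t=1 203.0.113.9 500
2010-09-28 10:00:03 GET /error.aspx aspxerrorpath=/WebResource.axd 203.0.113.9 200
2010-09-28 10:00:04 GET /WebResource.axd d=AAAD&t=1 203.0.113.9 404
2010-09-28 10:00:05 GET /WebResource.axd d=xyz&t=1 198.51.100.7 200
"""

HANDLER = "/webresource.axd"
ERROR_STATUSES = {"500", "404"}  # 500 on unpatched servers, 404 after the patch


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def find_suspects(text, threshold=3):
    """Return (clients that sent aspxerrorpath, {client: failed handler requests})."""
    errorpath_clients = set()
    failures = Counter()
    for req in parse_w3c(text):
        client = req.get("c-ip", "unknown")
        if "aspxerrorpath=" in req.get("cs-uri-query", "").lower():
            errorpath_clients.add(client)
        stem = req.get("cs-uri-stem", "").lower()
        if stem.endswith(HANDLER) and req.get("sc-status") in ERROR_STATUSES:
            failures[client] += 1
    # threshold is an assumed value; tune it to the site's normal error rate
    noisy = {ip: n for ip, n in failures.items() if n >= threshold}
    return errorpath_clients, noisy


if __name__ == "__main__":
    print(find_suspects(SAMPLE_LOG))
```

Because the column names come from the `#Fields:` directive, the same check works on logs with a different field selection, as long as cs-uri-stem, cs-uri-query, c-ip and sc-status are being logged.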
ASP.NET security updates are available
*Update 2* ScottGu's blog was once again the best source of information on the new developments, and on which updates to install for a particular system!
*Update* But of course. Links are included in Microsoft's security bulletin.
For some reason the updates are somewhat hidden at the Microsoft download center. Anyhow, here they are:
- Microsoft .NET Framework 4
- Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2
- Microsoft .NET Framework 3.5.1 on Windows 7 SP1 Beta and Windows Server 2008 R2 SP1 Beta
- Microsoft .NET Framework 3.5 Service Pack 1, Windows Vista Service Pack 2, and Windows Server 2008 Service Pack 2
- Microsoft .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 1 and Windows Server 2008
- Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 2.0 Service Pack 2 on Windows Server 2003 and Windows XP
- Microsoft .NET Framework 3.5 Service Pack 1 on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008
- Microsoft .NET Framework 3.5, Windows Vista Service Pack 1 and Windows Server 2008
- Microsoft .NET Framework 3.5 on Windows Server 2003 and Windows XP
- Microsoft .NET Framework 3.5 on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008
- Microsoft .NET Framework 1.1 Service Pack 1 and Windows Server 2003 Service Pack 2 (32-bit)
ASP.NET vulnerability gets fixed!
There has been quite some discussion (and speculation!) about the ASP.NET padding oracle vulnerability on various blogs around the Internet the last couple of days. After Microsoft published an advisory on it, the ASP.NET community has been following ScottGu's blog closely.
The issue has seen increasing attention. Yesterday the vulnerability was mentioned on Schneier's blog, where he provided a link to a Threat Post from Kaspersky where the guys behind the exploit were interviewed. The vulnerability and exploit tools were also discussed. The threat post was dated September 13, four days before Microsoft released the first security advisory on the issue. Since then, the amount of information on the vulnerability has only increased throughout the Internet. Now, there's so much information available from different sources that there's not much security through secrecy left.
Labels: ASP.NET, security, vulnerability
Sep 24, 2010
ASP.NET padding oracle vulnerability, the video
A video of the POET-tool — used to exploit the ASP.NET padding oracle vulnerability — has been published to show the tool in action. The video shows the steps taken by the tool to compromise the web.config file of the application, which in this example contains the ASP.NET machine keys.
Labels: ASP.NET, security, vulnerability
On the new ASP.NET vulnerability
Last Saturday (European time), Microsoft released the first version of a security advisory stating that a vulnerability in ASP.NET could allow information disclosure. In the initial report it seemed that a vulnerability had surfaced in a cryptographic function in ASP.NET. The risk appeared to be leakage of information from encrypted viewstate, but there was also a mention of the possibility to disclose files on the IIS. It was unclear whether these were combined or separate issues, but the issue seemed to be viewstate specific.
Sep 5, 2010
Windows server 2003 vs 2008, SSL/TLS comparison
There are many differences between Windows Server 2003 and the 2008 version. We'll focus on the SSL/TLS support in 2003 vs 2008, where there are important differences in both default configuration and cryptographic support.
Labels: security, server 2003, server 2008, TLS
Sep 2, 2010
Hardening Windows Server 2003 SSL/TLS configuration
Though Windows Server 2003 has been around for a while, we'll still see these servers around the Internet for many years to come. Despite their usefulness, there are some important security considerations to make when running an Internet facing 2003 server.
Labels: security, server 2003, TLS
SSL/TLS configuration, figure it out!
There are several ways to figure out the SSL/TLS configuration of a webserver. If you're dealing with an Internet facing server, the quickest solution is to use a webpage like www.ssllabs.com or www.serversniff.net (Webserver -> SSL Info). SSLLabs will give a "management friendly" presentation of a server's SSL/TLS configuration, underlining that you need not be all l33t H4x0r to uncover a lax security config.
Copyright notice
© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.