Is it vulnerable to ASP Padding oracle

Question

When I open chat.mysite.com/WebResource.axd?d=jzjghMVYzFihd9Uhe_arpA2 It gives me: Padding is invalid and cannot be removed.
When I open chat.mysite.com/WebResource.axd?d=acunetix It gives me: Invalid viewstate.
When I open chat.mysite.com/WebResource.axd?d= It gives me: The resource cannot be found.

However, when I open any of those /WebResource.axd to my main site www.mysite.com, no error happens....

My question, Is my site vulnerable to padding oracle, and if yes, what data can be stolen? Another thing is that once I open the "view source" of www.mysite.com, there is no such thing as script=webresource.axd, or anything like that.... Im confused, if an attacker wants to take control of the site, what can he do? How would he perform his attack? Can the attacker can gain access to admin privilege?

Is your server up to date with all of it's patches? If so, padding oracle was eliminated. You might want to explore this further at security.stackexchange.com — NotMe, Apr 05 '13 at 15:53
This is the Version Information: Microsoft .NET Framework Version:2.0.50727.4927; ASP.NET Version:2.0.50727.4927 — Jagex Online, Apr 05 '13 at 15:57
That would be the 2.0 SP2 version which was released in october of 2009. The padding oracle fix was last updated nearly 2 years later...: http://technet.microsoft.com/en-us/security/bulletin/MS10-070 apply your patches. There have been a LOT of them. — NotMe, Apr 05 '13 at 16:07
Actually, for a web server, I would even go so far as to recommend you turn on windows auto update capabilities; with it set to check every night. — NotMe, Apr 05 '13 at 16:10
I see, thanks for telling me.... However, I want to know, how would an attacker exploit that site with this? Will it work, even though my main site, does not have the script=Webresource code.... Is it still vulnerable? — Jagex Online, Apr 05 '13 at 16:38
I just realized that I was confused on a few things. chat.mysite.com is different from your regular www.mysite.com? Are both hosted on your server? You might want to read this: http://blog.gdssecurity.com/labs/2010/10/4/padbuster-v03-and-the-net-padding-oracle-attack.html — NotMe, Apr 05 '13 at 19:11

score 4 · Answer 1 · answered Apr 05 '13 at 15:48

With the little information provided I would say it is likely that this vulnerable to padding oracle. A padding oracle can be used to decrypt the cipher text, one byte at a time starting at the very end of the message working backwards.

All cipher text should be protected with a MAC.

NotMe · Answer 2 · 2013-04-05T16:27:33.730

Answer based on comments to the question.

Yes, you are currently vulnerable to the padding oracle attack.

This means they can download things like your config file and decrypt your viewstate and cookies.

Regarding access to the "admin priviledge", maybe. Depends on what is found. For example, if you have a database connection string in the web.config file AND that database server is accessible on the internet then the attacker might just completely bypass the app and go straight to the db. There are certainly numerous factors here that might limit the damage down by exposure of the web.config info but unfortunately a LOT of developers don't know what they are doing. They tend to not think about this.

So, what can you do about this?

First up, keep your servers up to date with their patches. Windows has ways to automate this through auto update. Which I highly recommend for web servers. MS tends to patch things pretty quickly. Further, in over 10 years of letting windows servers patch themselves I have never run into an issue. I wish I could say the same for DB patches, but even those are starting to become things you simply must do.

Second, look at the application itself. Is there anything in the web.config that could lead to compromising the data. Things like references to database servers, passwords to other systems, etc. If so, then I'd suggest immediately after patching you change all of those passwords. For DB access I tend towards ensuring even the application doesn't have direct rights to query tables. But that's a completely separate discussion.

Third, develop a tendency to not trust anything. Not your own servers nor even your own code. This will lead to being a better programmer anyway. If an attacker is able to drop a executable file in your website they could get access to literally everything your web app has access to.

Fourth, expose ONLY what's necessary to the internet. This requires a lot of education and testing to make sure your routers/firewalls/etc are properly configured. Unfortunately developers tend to lower those defenses as soon as it's inconvenient. For example, installing debugging tools on a server or exposing a database to the internet in order to get access to it from home... This goes along with #3 above.

Fifth, research research research. Take the time to learn how things are compromised and what that means. It's a lot easier to code defensively when you know what you are protecting and what you are protecting it against. There is a tremendous amount of bad information out there and knowing how attacks work will make it easier for you to filter it out. A simple example are sites showing how to dynamically build a sql statement. The vast majority of those don't use parameters; and the ones that do completely ignore the idea that the web application itself could be bypassed.

There's more, a lot more, but that's enough to chew on for now.

Thanks Alot for all this info!!!! Im still curious, how do attackers exploit the vuln? Like how do they do it, can you please explain to me if possible...Which tools, etc....? — Jagex Online, Apr 05 '13 at 18:09
@JagexOnline: I'm sure you can search for tools that perform padding oracle attacks. Linking to such things is probably not a good idea for this site. — NotMe, Apr 05 '13 at 18:29
Can you do a fix for me? You have freelancer? I do not have access to the guy that did the code — Jagex Online, Apr 05 '13 at 21:41

Is it vulnerable to ASP Padding oracle

2 Answers2

Linked