
I know there are already a few questions on SO about the oracle padding exploit but none of them explain how it downloads the web.config. I run a couple of ASP .NET apps which I have already tested using Microsoft recommended mitigation factors but I'm still scared that people will be able to get the web.config.

Can someone please explain how they do this or even provide a link to a tool that I can use to test my site with. I find that the official explanation of this part of the attack is really lacking.

The attack that was shown in the public relies on a feature in ASP.NET that allows files (typically javascript and css) to be downloaded, and which is secured with a key that is sent as part of the request. Unfortunately if you are able to forge a key you can use this feature to download the web.config file of an application (but not files outside of the application).

Artjom B.
Alex
  • Well if they gave out that info it would be a little dangerous! – redsquare Sep 20 '10 at 06:30
  • Apparently it is out there on a video but I can't find it. Information is already out there for the rest of the exploit anyway. – Alex Sep 20 '10 at 06:31
  • There is no need to broadcast the info through a public q&a site. – redsquare Sep 20 '10 at 06:32
  • @redsquare Somewhat of an ostrich behavior, don't you think? – Anton Gogolev Sep 20 '10 at 06:40
  • @Anton Gogolev not at all, do you not think they (Scott Gu et al) would have released this info if they wanted it in the public domain. – redsquare Sep 20 '10 at 06:44
  • All I'm looking for is a way to test if my app is vulnerable. As an ASP.NET product user I think it is well within my rights to be able to know if my app is at risk and I think the community of SO users is the best place to ask and share this information with other site owners. A person who wants to use the exploit will find the info regardless of whether it is on SO or not. – Alex Sep 20 '10 at 06:44
  • @Alex, the test would be to try the exploit - they are not going to release how to do that. Just follow the 'temp' fix as is detailed in his post and wait for the hotfix which due to the serious nature should be pretty darn quick, I would hope! – redsquare Sep 20 '10 at 06:47
  • @redsquare: that's not good enough. And if you ran a large production asp.net site that perhaps was also a business you would agree. – Matt Kocaj Sep 21 '10 at 00:08
  • @cottsak - what is not good enough, and how in your wisdom do you assume I do not run any 'large' asp.net sites! – redsquare Sep 21 '10 at 00:23
  • "..just follow the temp fix.." not good enough! That fix says nothing about how to prevent the web.config download, which we are all so freaked out about. How can you think that is satisfactory? – Matt Kocaj Sep 21 '10 at 00:27
  • @cottsak - errr do not shoot the messenger, go complain to Scott Gu and the asp.net team. I assume given that you run a business critical large asp.net site you would not appreciate details of how to run the exploit posted here? – redsquare Sep 21 '10 at 00:31
  • Sure I would. So I can prove that I have fixed it. To me it's not enough that we implement a "fix" but rather prove conclusively that we have "fixed something". – Matt Kocaj Sep 21 '10 at 00:43
  • @redsquare: exploit is already in the wild, *and* mitigation workarounds have been posted - how would posting exploit details hurt? IMHO details could be useful in order to 1) further protect your sites, 2) avoid making some of the same mistakes in your own code. – snemarch Sep 21 '10 at 14:33
  • @snemarch as I said to the other chap moaning - get on the phone to Scott Gu et al... I do not work for MS!!! – redsquare Sep 21 '10 at 16:02
  • possible duplicate of [How serious is this new ASP.NET security vulnerability and how can I workaround it?](http://stackoverflow.com/questions/3720720/how-serious-is-this-new-asp-net-security-vulnerability-and-how-can-i-workaround) – Artjom B. Aug 16 '15 at 12:13

6 Answers


Guys - the answer is that once they have obtained the machineKey, they can use that key to fetch the files using another feature in ASP.NET

"In ASP.NET 3.5 Service Pack 1 and ASP.NET 4.0 there is a feature that is used to serve files from the application. This feature is normally protected by the machine key. However, if the machine key is compromised then this feature is compromised. This goes directly to ASP.NET and not IIS so IIS's security settings do not apply. Once this feature is compromised then the attacker can download files from your application - including web.config file, which often contains passwords.

Versions of ASP.NET prior to ASP.NET 3.5 SP1 do not have this feature, but are still vulnerable to the main machine key attack."

(see the post at the bottom of here: http://forums.asp.net/t/1603799.aspx from the asp.net team)

James Crowley
  • This 'feature' appears to be provided by the WebResource.axd and/or ScriptResource.axd files. I haven't seen confirmation that disabling/removing these will fix the web.config file disclosure issue, but it seems likely. It looks like the attack may be able to retrieve the machine key, which is the pre-requisite to attacking these files. – intoOrbit Sep 20 '10 at 20:59
  • I've tried using the WebResource.axd approach with the `ClientScript` methods and from what I can tell, not only do the files you wish to serve this way need to be built as Embedded Resources but you need to add a declaration in the AssemblyInfo too. If I'm not doing any of this, how does this exploit work? And how does it get something so critical as the web.config? – Matt Kocaj Sep 21 '10 at 00:12

Scott Guthrie has a post which explains it to some extent.

TheVillageIdiot
gautema
  • "An oracle in the context of cryptography is a system which provides hints as you ask it questions." Has nothing to do with Oracle (the software maker). Oracle PR cannot be too happy about the nomenclature here... – Thilo Sep 20 '10 at 06:50
  • This post does not help with the details about web.config which is what the asker wants to know – Matt Kocaj Sep 21 '10 at 00:10

This blogpost is pretty interesting: http://www.gdssecurity.com/l/b/

Also read this: How serious is this new ASP.NET security vulnerability and how can I workaround it?

Stefanvds

AFAIK it goes like this:

  • these are hit: webresource.axd and scriptresource.axd, both use an encrypted/signed value that asp.net tries to check if it's valid
  • because of differences in the response when the files are valid or not, they can make the padding attack.
  • once the attack is successful they can generate a request for a resource as if it were originally emitted from asp.net

Now, as far as I knew, both of those are supposed to serve embedded resources, but I guess that's not the case (Scott Gu did mention in his post's comments that those are the ones being used in the attack shown).

eglasius

The following post may be interesting for this thread:

http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html


FYI, a patch for this bug has been released on Windows Update.

http://weblogs.asp.net/scottgu/archive/2010/09/30/asp-net-security-fix-now-on-windows-update.aspx

Josh Yeager