“Padding Oracle” ASP.NET Vulnerability Explanation

September 19, 2010


Yesterday (Sept 18), Microsoft released a Security Advisory for a newly discovered vulnerability in ASP.NET applications. Following the advisory, Scott Guthrie published a blog post about this vulnerability, detailing a workaround for preventing the exploit.

However, according to the investigation I’ve done during the past couple of days, this workaround is unfortunately far from enough to plug this security hole. In this post I’ll try to briefly (without boring you too much) explain what this vulnerability is about, why the workaround doesn’t work, and what the best way is to keep your app from being hacked.

At the end of the post, I provide a list of links from which you can learn much more about the issue.

WTF is this “Padding Oracle” vulnerability?

To make a long story short: since encryption algorithms work on blocks of data (usually 8 or 16 bytes per block), the remaining bytes are “padded”. For example, the 5-letter word “TABLE” will be padded with three bytes to become an 8-byte block. I’ll skip the explanation of how exactly it is done – you can read here about that.

An “Oracle” is a mechanism inside a cipher, capable of providing a Valid or Invalid answer for a given ciphertext. Therefore, a “Padding Oracle” is a mechanism capable of answering whether the padding of the provided ciphertext is valid or not. There is no relation whatsoever to the Oracle database or the Oracle company.

Again, without going too much into detail, this simple Valid/Invalid answer allowed security researchers to create an algorithm that decrypts almost any ciphertext encrypted in CBC mode with PKCS#5 padding (bla…bla…bla…) without knowing the encryption passphrase. It is somewhat similar to a brute-force attack, but requires far fewer checks and takes minutes to complete. The attacking application changes one byte in a ciphertext at a time and sends it to the oracle, asking “is it valid?”, until the byte is decrypted.

How is this related to ASP.NET?

Ciphers (encryption algorithms) built into the Microsoft .NET Framework throw a System.Security.Cryptography.CryptographicException with the message “Padding is invalid and cannot be removed” in case of invalid padding. So this is our oracle for padding!

Now, think of an application that saves some encrypted sensitive data in a cookie. The attacker can read this cookie, which contains a ciphertext, and play with its bytes, sending simulated requests to the server with a modified cookie. The attacker can then analyze the responses and deduce which response means Valid and which one means Invalid. Hopefully, you’re now beginning to understand the potential of this exploit. Either way, I’ll elaborate on it later.

Does the vulnerability exist only in ASP.NET?

Not at all! As a matter of fact, the vulnerability was first discovered in the JSF (Java Server Faces) framework. It also exists in Java, which throws exceptions on invalid padding.

How does the vulnerability affect me?

Using the vulnerability, the attacker may decrypt all the sensitive data sent by an ASP.NET application to a client, i.e., cookies, ViewState, URL strings, hidden fields, etc. Then the attacker may find your encryption passphrase, change the encrypted data and send the modified content back to the server. For example, the attacker may impersonate a system administrator.

Scott, in his post, also mentions the ability to download web.config files from the web site. I actually have no idea how this is possible using this exploit. I personally think it’s a mistake in the article. There is another mechanism preventing the download of *.config files.

How about Microsoft’s workaround?

(This is the most critical section of the post!)

Well, while the workaround contains really valuable information, relevant for every system (namely, not disclosing the real error), and it will prevent the automated tool released by the researchers from hacking your system, it will NOT, by far, protect you from a potential attack!

How so? The workaround assumes that the potential attacker will look for an HTTP error response status (500), or for an error page containing a specific exception message. However, it is enough for the attacker to recognize abnormal, or just different, system behavior on certain requests.

Let’s get back to our ASP.NET system that stores encrypted sensitive information in a cookie. On each request, the system will probably decrypt this information and use it. If the ciphertext in the cookie is invalid, an exception will be thrown, and the system may act according to one of the following scenarios:

  • Return a 500 error response  – very user unfriendly!
  • Return a default ASP.NET YSOD exception page – extremely bad in production environment!
  • Return a page stating only the exception’s message – also very bad!
  • Return a constant page, stating there was an error, without providing details – a good practice, this is actually Microsoft’s workaround
  • “Swallow” the exception, and behave as if the cookie does not exist. The response may be a redirect to another page, or just slightly changed HTML (instead of the user’s name, a “login” link) – This is the way ASP.NET Forms Authentication works.

Note that every one of the possible responses is different from the normal one. Even the last scenario I’ve described above, as clean as it is, still returns a distinctly different response. Therefore, an attacker can take advantage of it and write a simple script that interprets this abnormal behavior as the oracle’s Invalid answer. It is that simple!
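The argument above, as an added example (not code from the post or from ASP.NET): a handler that swallows the padding error still answers tampered cookies in two distinguishable ways, while one that verifies a MAC over the ciphertext before decrypting answers every tampered cookie identically. Assumptions: the 8-byte Feistel cipher built from HMAC is a stand-in because the Python standard library has no block cipher, all function names and the cookie value are constructed, and the MAC-first variant is an addition that the post itself does not propose.

```python
import hashlib, hmac, os

BLOCK = 8                            # toy block size, as in the post's "TABLE" example
ANON = "<a href='/login'>login</a>"  # page served when the cookie is unusable

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, rnd, half):              # round function of the stand-in Feistel cipher
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def _enc_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r
def _dec_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, plaintext):
    n = BLOCK - len(plaintext) % BLOCK          # PKCS#5: n bytes, each of value n
    data, out = plaintext + bytes([n]) * n, [os.urandom(BLOCK)]
    for i in range(0, len(data), BLOCK):
        out.append(_enc_block(key, _xor(data[i:i + BLOCK], out[-1])))
    return b"".join(out)

def cbc_decrypt(key, blob):
    blks = [blob[i:i + BLOCK] for i in range(0, len(blob), BLOCK)]
    data = b"".join(_xor(_dec_block(key, c), p) for p, c in zip(blks, blks[1:]))
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("Padding is invalid and cannot be removed")
    return data[:-n]

def swallowing_page(key, cookie):    # the post's last scenario: swallow the error
    try:
        return "Hello, " + cbc_decrypt(key, cookie).decode("latin-1")
    except ValueError:
        return ANON

def seal(enc_key, mac_key, plaintext):          # encrypt, then MAC the ciphertext
    body = cbc_encrypt(enc_key, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def authenticated_page(enc_key, mac_key, cookie):
    """Hardened: verify the MAC before decrypting; every rejected cookie looks the same."""
    body, tag = cookie[:-32], cookie[-32:]
    good = hmac.new(mac_key, body, hashlib.sha256).digest()
    if len(body) < 2 * BLOCK or not hmac.compare_digest(tag, good):
        return ANON
    return "Hello, " + cbc_decrypt(enc_key, body).decode("latin-1")

def distinct_outcomes(page, cookie, start, stop):   # flip one bit per byte, classify replies
    flips = (cookie[:i] + bytes([cookie[i] ^ 1]) + cookie[i + 1:] for i in range(start, stop))
    return {"anonymous" if page(bad) == ANON else "personalised" for bad in flips}

def demo(enc_key=b"constructed-enc-key", mac_key=b"constructed-mac-key"):
    plain = b"alice@corp"                        # constructed cookie value
    raw, sealed = cbc_encrypt(enc_key, plain), seal(enc_key, mac_key, plain)
    weak = distinct_outcomes(lambda c: swallowing_page(enc_key, c), raw, 8, 16)
    hard = lambda c: authenticated_page(enc_key, mac_key, c)
    return weak, distinct_outcomes(hard, sealed, 0, len(sealed))
```

`demo()` returns the response classes seen for each handler; a set with more than one element means tampered cookies are answered in distinguishable ways, which is all a padding oracle needs.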

So what do we do now?

Unfortunately, this vulnerability is very complex to deal with, because the problem actually lies in the encryption algorithms that allow this simple hack. I’m pretty confident Microsoft will release some kind of patch long before others do; however, I’m not sure how good it will be or how long it will take.

Meanwhile, the best advice I can give you is: do not store any sensitive data on a client (cookies, ViewState, hidden fields, etc.), even encrypted. The most important thing is not to store the currently logged-in user name and rely on it in further requests (the thing that ASP.NET Forms Authentication does). Hackers can decrypt your cookie, find the encryption passphrase and encrypt back some other value, like “Administrator” (scary, ha?). What you can do instead is store some bogus value in the cookie, like a GUID of the user name, or even better, a GUID of a session variable that keeps the user name.

It is also possible to implement double encryption. The attackers can only decrypt the first level of encryption – the second is still unreachable. In this case, the second (inner) level of encryption should be implemented as cleanly as possible, without returning any errors.

Conclusion

The new vulnerability is a harsh one. It basically allows a hacker to decrypt your sensitive data without knowing the encryption passphrase. It is not easy to protect your application against the exploit; however, it is possible. For more information and a much deeper understanding of the issue, look at the list of links below.

Links

Practical Padding Oracle Attacks paper by Juliano Rizzo and Thai Duong

A great explanation about the Oracle Padding, including an implemented python script 

Padding Oracle Exploit Tool (POET) – original tool used for JSF attacks

A video, demonstrating attacking a DotNetNuke site


30 comments

  1. Frans Bouma, September 19, 2010 at 23:27

    Returning a constant error page is enough, because the error can also be caused by invalid data encrypted in the viewstate, causing another error on the server. As the constant error page doesn't reveal the error, the attacker can't be sure the cause is the padding, and can't determine additional info.

    You definitely didn't explain why a constant error page is actually not working.

  2. Kev, September 20, 2010 at 1:01

    The stealing of .config files is actually via a secondary exploit.

    If the site, say DNN, provides users the ability to upload files (and it's not fussy about what you can upload) it's then possible, having cracked the authentication ticket, to upload a payload that exploits another vulnerability.

    In this case they demonstrated uploading a zip file containing a token kidnapping exploit which basically roots the server (http://threatpost.com/en_us/blogs/ms-windows-token-kidnapping-problems-resurface-071610).

    Watch the youtube video right to the end and be amazed/horrified.

    Kev

  3. Vlad Azarkhin, September 20, 2010 at 7:54

    Hi Frans, thanks for your comment. Honored to have you on my blog.

    In the case of Viewstate, you might be right. In case the Viewstate is encrypted, the server might return another error, even if the padding is correct.

    However, ViewState is not the most vulnerable part of page. Think about that cookie, I've described above. It is rarely double-verified on a server. Most of the time, it is assumed to be ok, because it came from encrypted source, so no other error will be thrown by the system.
    From what I've experienced, no matter how you are changing the cipher text, using the POET algorithm, the only exception I got from the cipher was "Invalid Padding". In other cases, it just worked. So if you're relying on decrypted values, like the vast majority of sites do, the attack will work, no matter what error page you'll show.
    This is actually the way Juliano has demonstrated cracking DNN. What they looked for was some kind of strange behavior, not a specific page.
    Yes, I agree, setting the static error page reduces the site vulnerability, however, it does not patch it all. And this is the message I wanted to spread here.

    Hope I've succeeded explaining it better.

  4. Martin Maaß, September 20, 2010 at 12:03

    As far as I understood the problem, you can download the Web.config by applying the vulnerability to calls to WebResource.axd.

    It seems that WebResource.axd uses some kind of key to authenticate incoming requests for arbitrary resources. Guess what, you can get that key by employing the padding oracle attack.

  5. Aaron, September 21, 2010 at 15:11

    I'm pretty certain the encryption passphrase is never stored in the cookie, which seems to be what you're suggesting:
    "Hackers can decrypt your cookie, find the encryption passphrase"

    "Using the vulnerability, the attacker may decrypt all the sensitive data, sent by ASP.NET application to a client, i.e., cookies, ViewState, URL strings, hidden fields etc. Then, the attacker may find your encryption passphrase [...]"

    It sounds like you're saying that they are actually decrypting something like a cookie or viewstate and using that to find the encryption passphrase. I'm pretty certain it is the other way around, because the passphrase itself is never sent to the client as far as I understand. They are first using the attack to deduce the encryption passphrase indirectly, then second they can use that passphrase to decrypt sensitive information and forge authentications.

  6. Nariman, September 21, 2010 at 15:11

    Thanks for the post, I mostly agree with your conclusion (that applications need to be treated on a case-by-case basis), with just one clarification:

    http://www.onpreinit.com/2010/09/aspnet-vulnerability-workaround-flawed.html

  7. Vlad Azarkhin, September 21, 2010 at 15:27

    @Aaron, thanks for your comment.

    Actually, the attack doesn't need a passphrase to decrypt the ciphertext. The oracle is enough. Moreover, they don't need the passphrase to encrypt messages back.

    Actually the passphrase can be deducted from the decryption. It sounds strange, but I never said it is a simple exploit :)

  8. Venemo, September 21, 2010 at 20:59

    @Vlad, if I implemented a custom version of the FormsAuthenticationModule that
    - doesn't put the user name into the cookie, instead a guid that is the key of a session variable
    - encrypts this GUID before sending it to the client
    then in your opinion, would I eliminate the possibility of this attack?

  9. Aaron, September 21, 2010 at 21:08

    @Vlad, that's exactly what I'm saying, the key is deduced. I just wanted to clarify that the key is not included in any of the client payloads.

    Regarding the comments on Scott's workaround: the TYPE of error is important in the attack, not the presence of the error. During the attack all requests that are made will generate an error until the key is discovered on the final request. The type of error allows them to determine how to adjust their requests such that they can quickly narrow down the possibilities. Without knowing the type of error that occurred, it will be reduced to a simple brute force attack that will likely take many years.

    So the presence/absence of an error only tells them something on the final request when they succeed in forging a request and do not get an error, and to get to that point will take them years if you aren't telling them what type of error occurred.

  10. Vlad Azarkhin, September 21, 2010 at 23:08

    @Venemo,
    Keeping a disposable token (a GUID) instead of user name will certainly prevent the impersonation. Even if the attacker will be able to decrypt the cookie, it will mean nothing to him.
    In addition, you should treat invalid GUID as well as other exceptions and errors in the same way (by the MS workaround guidelines).
    Please read my other article on the exploit for exact details:
    http://blogs.microsoft.co.il/blogs/linqed/archive/2010/09/20/dealing-with-a-padding-oracle-asp-net-security-vulnerability.aspx

    Thanks,
    Vlad

  11. Vlad Azarkhin, September 21, 2010 at 23:16

    @Aaron,
    In theory you are right. It is important for the attacker to know what error is returned. In practice, following the POET algorithm, "Invalid Padding" is the only error you will get.
    Another thing is that there is another possibility, in which the decrypted ciphertext is verified and if it is invalid, it will be treated exactly like the cryptographic exception. In this scenario, the attacker will be confused and will not be able to distinguish between the cryptographic error, or validation error, and will not be able to decrypt the ciphertext.
    So, yes, Scott's article may prevent the exploit in some cases, maybe even in 80% of the cases. However, it is far from being enough.
    I've posted another article on the issue walking through a way to completely prevent the possibility of the penetration. Take a look:
    http://blogs.microsoft.co.il/blogs/linqed/archive/2010/09/20/dealing-with-a-padding-oracle-asp-net-security-vulnerability.aspx

    Thanks,
    Vlad
    The point of this
