Microsoft Issues Web Apps Security Warning

Microsoft issued a security advisory on 17 September with a workaround for a vulnerability impacting web applications built on ASP.NET.

The advisory was in response to findings by security researchers Juliano Rizzo and Thai Duong, who developed the “Padding Oracle Exploit Tool” to demonstrate the attack. At the heart of the issue is a vulnerability in the way ASP.NET implements encryption to protect data. The problem, Microsoft said, is caused by ASP.NET providing web clients details in error messages when decrypting certain ciphertext.

Padding oracle

“An oracle in the context of cryptography is a system which provides hints as you ask it questions,” explained Kevin Brown, Microsoft Security Response Centre Engineering, in a post on Microsoft’s Security Research & Defense blog. “In this case, there is a vulnerability in ASP.Net which acts as a padding oracle. This allows an attacker to send chosen cipher text to the server and learn if it was decrypted properly by examining which error code was returned by the server.”

“By making many requests the attacker can learn enough to successfully decrypt the rest of the cipher text,” he continued. “The attacker can then alter the plain text and re-encrypt it as well.”

If the ASP.NET application stores sensitive information, such as passwords or database connection strings, in the ViewState object the data could be compromised, Brown said.

“The ViewState object is encrypted and sent to the client in a hidden form variable, so it is a possible target of this attack,” he wrote. “If the ASP.Net application is using ASP.Net 3.5 SP1 or above, the attacker could use this encryption vulnerability to request the contents of an arbitrary file within the ASP.Net application.”

“The public disclosure demonstrated using this technique to retrieve the contents of web.config,” he added, noting that any “file in the ASP.Net application which the worker process has access to will be returned to the attacker.”

Microsoft said it is planning an update to address the issue, and as of 17 September was not aware of any attacks targeting the flaw. According to the advisory, using Triple DES encryption instead of AES encryption will have no effect, since the “cryptographic vulnerability being presented involves revealing cryptographic padding errors to a client for algorithms that use PKCS #7 padding” and Triple DES shares that padding mode with AES.

As a workaround, the company recommends enabling ASP.NET custom errors, and mapping all error codes to the same error page to make it more difficult for an attacker to distinguish the different types of errors. Advice on how to do that is contained within the advisory.