Vulnerability in .NET AES puts ASP.NET Web Sites at Risk (securitythroughabsurdity.com)

submitted by j.monty (1868) 1 year, 8 months ago

ASP.NET web applications that leverage Forms Authentication, ASP.NET Membership Providers, ASP.NET Role Providers, and/or ViewState encryption are vulnerable to data exposure and potentially tampering. This vulnerability can lead to the .NET MachineKey being discovered by attackers. This post briefly details the issue and provides a simple temporary mitigation technique.

2 comments | Views: 370

tags: another



Comments:

posted by dotnetchris (157) 1 year, 8 months ago +2

I read this article and realized that it would be very hard to do something colossally damaging with this attack unless you had a very long sequence of security flaws in your application.

What does concern me however is that there isn't a single mention of this vulnerability being disclosed to Microsoft. From what's implied in the article the vulnerability itself will be announced at that hacker conference into the wild without Microsoft being notified beforehand.


posted by j.monty (1868) 1 year, 8 months ago +2

My understanding is that Microsoft has been aware of the AES vulnerability for a while (since the original Oracle Padding vulnerability was discovered years ago), there was just no way to easily exploit it.

As far as damaging a site - you are correct, it depends on how the site is programmed - and that's where risk assessment comes in. The user name, and sometimes the roles, are stuffed into the Forms Authentication Ticket which lives in the cookie (in the UserData field). I suspect an attacker could elevate privileges or just change their UserName on a site that uses Forms Auth by decrypting the cookie, modifying the roles and then re-encrypting it with the Machine Key.

This was old recommended practice from MS - to put roles in the UserData field of the Forms Auth Ticket:
http://msdn.microsoft.com/en-us/library/aa289844(VS.71).aspx

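The pattern the comment above describes (roles carried in the ticket's UserData field) next to a defender-side alternative, as an added example that is not from the original post, the linked MSDN article, or Microsoft. It uses the real ASP.NET APIs `FormsAuthenticationTicket`, `FormsAuthentication.Encrypt`/`Decrypt` and `Roles.GetRolesForUser`; the `OnAuthenticateRequest` method is an assumed wiring point (it would be called from `Application_AuthenticateRequest` in Global.asax).

```csharp
// Added example (not the page's or Microsoft's code). Shows why roles stored in
// the Forms Authentication ticket's UserData field become a privilege-escalation
// path once the MachineKey is known, and how to stop trusting that field.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class TicketSample
{
    // Old MSDN-style pattern: the role list travels inside the encrypted ticket.
    public static HttpCookie IssueTicketWithRoles(string userName, string[] roles)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(30),
            false,                          // not persistent
            string.Join(",", roles));       // roles in UserData
        string encrypted = FormsAuthentication.Encrypt(ticket);
        return new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        };
    }

    // Weak: authorization data is read back from the cookie. Anyone who can
    // decrypt and re-encrypt the ticket (i.e. who holds the MachineKey) can
    // grant themselves any role simply by rewriting UserData.
    public static IPrincipal PrincipalFromUserData(HttpCookie cookie)
    {
        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
        if (ticket == null || ticket.Expired) return null;
        string[] roles = ticket.UserData.Split(
            new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        return new GenericPrincipal(new FormsIdentity(ticket), roles);
    }

    // Hardened: the ticket is treated only as a claim of identity; the
    // authoritative role list is fetched from the configured Role Provider on
    // every request, so a tampered UserData field grants nothing.
    public static IPrincipal PrincipalFromServerRoles(HttpCookie cookie)
    {
        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
        if (ticket == null || ticket.Expired) return null;
        string[] roles = Roles.GetRolesForUser(ticket.Name);
        return new GenericPrincipal(new FormsIdentity(ticket), roles);
    }

    // Assumed wiring point: call this from Application_AuthenticateRequest.
    public static void OnAuthenticateRequest(HttpContext context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        IPrincipal principal = PrincipalFromServerRoles(cookie);
        if (principal != null) context.User = principal;
    }
}
```

Looking roles up server-side closes the "modify the roles" path the comment describes, but not the "change their UserName" path: if the MachineKey is exposed, the ticket's Name field can be forged just as easily, so the key itself has to be rotated once the underlying issue is patched.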
