Flaw Affecting ASP.NET Apps Now Being Exploited

• By Kurt Mackie
• 09/22/10

Microsoft has issued a new security advisory about a vulnerability in the encryption system used with ASP.NET. Late Monday, Microsoft published additional information about the flaw.

The vulnerability, which involves methods used with the Public Key Cryptography Standard #7 encryption system, could lead to information disclosure, such as revealing password information. It could enable an attacker to get password information from forms used with ASP.NET Web applications. Using that information, the attacker could discover information from the target server itself.

Every supported Windows operating system is affected, including some unsupported ones, such as Windows XP Professional x64 Edition Service Pack 2, according to Microsoft's security advisory 2416728. A Microsoft security and defense blog post stated the vulnerability applies to Web applications using ASP.NET 3.5 Service Pack 1 or newer releases.

Microsoft clarified Monday in a new Q&A that the vulnerability can be found in all ASP.NET Applications, such as Web Forms and MVC. Also, Microsoft appeared to have different workarounds, depending on the ASP.NET version used, as this blog by Corporate Vice President of Microsoft's .NET Developer Platform Scott Guthrie explained. Other applications that work with ASP.NET, such as SharePoint 2010, also are affected. The SharePoint team provided a workaround here. Guthrie's blog post also pointed to a new Microsoft forum to get answers on the topic.

Microsoft is proposing a workaround and a way to assess whether the user's ASP.NET installation is vulnerable. As of Monday, Microsoft is aware of "limited attacks" using this vulnerability. The security team was working on a security update for the flaw, according to the advisory.

The flaw allows a hacker to gain information from a hidden form field called __VIEWSTATE, which is sent encrypted to the client user. This file could contain password information that can be used to gain information from the server, but systems are vulnerable even if no important data are contained in the view state file.

Microsoft's security advisory 2416728 described the vulnerability as a "padding oracle attack." It has nothing to do with Oracle products. Instead, the oracle in this case is located on the target server and encrypts the view state file. The exploit could be used to alter the view state file and send the altered version back to the server. Error messages returned from the server's oracle could then be used to read data from the target server. An attacker could gain enough information to access data in the WEB.CONFIG file used on the server for ASP.NET applications.

Microsoft's workaround for the flaw, as provided in its security advisory, is to make a configuration change that enables "ASP.NET custom errors." Instead of allowing the server's oracle to sing out error messages that could enable an attacker to gain information from the WEB.CONFIG file, this workaround returns a single file after encountering errors. The workaround doesn't fix the flaw, but it helps shutdown the information flow.

Microsoft provided a script in its security and defense blog post that allows IT pros to test whether their ASP.NET applications return this single error page or not. They can use the script to help determine which ASP.NET applications require the workaround.