padding oracle (crypto) vulnerability announced

I guess I told my team about this, but neglected to put anything here! A few days ago Microsoft issued an advisory about a “Vulnerability in ASP.NET Could Allow Information Disclosure”. There are really two aspects of this vuln that require attention: being able to read viewstate data and being able to pull files/info out of the server, such as the web.config contents.

A video of POET (Padding Oracle Exploit Tool) demonstrating the attack is available, along with more info at Netifera. If you’re looking for even more detailed analysis on the crypto attack, check out Gotham’s excellent blog post along with their own tool, PadBuster.

ScottGu has a great blog post with more details and workarounds, along with an FAQ post, and there is a special forum carved out for discussion on this issue.

Is this a Big Deal? Reasonably so, I think it is, especially as a gateway into further application attacks that lead into system access, as the earlier video demonstrates. An attacker could sniff client traffic, grab viewstate, and attack it to possibly retrieve that client information. But why bother with that? The important part is an attacker can generate his own viewstate and directly attack the application and even the server on his own.

The attack is noisy. The attacker will generate a large number of exceptions in the logs, but unless there are specific alerts for such jumps in numbers or an analyst is watching logs in realtime (yeah, right), the attack can be quick enough that detection won’t catch it before damage is done.