ScottGu’s Workaround for the ASP.NET Security Vulnerability


The ASP.NET Security Vulnerability

Poster for the movie "Hackers"

Chances are that you’ve seen the Microsoft Security Advisory, but in case you haven’t here’s the "tl;dr" version:

  • There’s a vulnerability in ASP.NET that was publically disclosed late on Friday at a security conference.
  • An attacker using this vulnerability can:
    • Request and download files within an ASP.NET application like the web.config file (which often contains sensitive data).
    • Decrypt data sent to the client in an encrypted state (like ViewState data within a page).

How Does the Vulnerability Work?

The vulnerability is based on a cryptographic oracle. When talking amongst the crypto crowd, an “oracle” refers to a system that gives away hints if you ask it the right questions.

Within ASP.NET, there’s a vulnerability that acts like a “padding oracle”. An attacker can send ciphertext to the web server and learn if it was decrypted properly by looking at the error code returned by the server. Make lots of requests like that while keeping track of the error codes returned, and you can learn enough to decrypt the ciphertext.

How Do You Work Around the Vulnerability (the high-level version)?

The vulnerability works because of the different error codes returned by the server. The workaround is to change the error handling withing ASP.NET so that it always sends the same error each time, regardless of the error, thereby cancelling the “oracular” behaviour.

More specifically, this involves enabling the <customErrors> feature of ASP.NET and mapping all errors to return the same error page.

How Do You Work Around the Vulnerability (the step-by-step version)?

Scott Guthrie’s blog has the step-by-step instructions for:

  • Working around the vulnerability
  • Making sure that the workaround has been enabled
  • Finding vulnerable ASP.NET applications on your server
  • Finding out more about the vulnerability

If you’ve got an ASP.NET-based application, make sure you’ve set up the workaround!

This article also appears in Global Nerdy.

Comments (2)

  1. Cory Fowler says:

    There is also a post by Security Research & Defense Blog which goes into details with scripts on how to detect if action is required: blogs.technet.com/…/understanding-the-asp-net-vulnerability.aspx

Skip to main content