Microsoft has published a new security advisory, which describes a workaround to prevent possible attacks exploiting a publicly disclosed ASP.NET vulnerability. The vulnerability and exploitation methods were demonstrated by security researchers Juliano Rizzo and Thai Duong at the ekoparty Security Conference in Argentina.
They describe the exploit as a "padding oracle" attack and claim that it totally destroys ASP.NET security.
In its advisory, Microsoft confirms that the vulnerability can be leveraged to capture protected ViewState data.
"[…] If the ASP.Net application stores sensitive information, such as passwords or database connection strings, in the ViewState object this data could be compromised," the company's Security Research & Defense (SRD) team explains.
This encryption vulnerability, which affects all .NET Framework versions, is the result of ASP.NET leaking sensitive information via error messages returned to web clients when decrypting certain strings.
The workaround proposed by Microsoft relies on returning a custom error page for all error types, by using the customErrors feature.
The Microsoft advisory provides several web.config files to enable this option on different .NET Framework versions, as well as custom error pages in both C# and Visual Basic .NET, to go along with them.
A special script enabling webmasters to determine if they have vulnerable ASP.NET applications deployed is included at the end of the SRD blog post.
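A minimal check of the workaround described above, as an added example (it is not the script from the SRD blog post and not Microsoft's code): it parses a web.config and reports anything that stops all error types from returning one custom page. The sample configurations are constructed, the pass criteria (mode not Off, a defaultRedirect set, no per-status page that differs from it) are this example's reading of the workaround, and it assumes the file declares no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config files (not taken from the advisory).
SAMPLES = {
    "errors_off": """<configuration><system.web>
        <customErrors mode="Off" />
    </system.web></configuration>""",
    "per_status_pages": """<configuration><system.web>
        <customErrors mode="On" defaultRedirect="~/error.html">
            <error statusCode="404" redirect="~/notfound.html" />
            <error statusCode="500" redirect="~/servererror.html" />
        </customErrors>
    </system.web></configuration>""",
    "single_page": """<configuration><system.web>
        <customErrors mode="On" defaultRedirect="~/error.html" />
    </system.web></configuration>""",
    "no_element": "<configuration><system.web /></configuration>",
}


def audit_custom_errors(config_xml):
    """Return findings for one web.config; an empty list means every
    error type is mapped to the same custom page."""
    root = ET.fromstring(config_xml)
    node = root.find(".//customErrors")
    if node is None:
        return ["no customErrors element"]
    findings = []
    # RemoteOnly is the ASP.NET default when the attribute is absent.
    if node.get("mode", "RemoteOnly").lower() == "off":
        findings.append("customErrors mode is Off")
    default = node.get("defaultRedirect")
    if not default:
        findings.append("no defaultRedirect page")
    # A per-status page that differs from the default lets a client
    # tell error types apart, which is what the workaround prevents.
    for err in node.findall("error"):
        target = err.get("redirect")
        if target and (not default or target.lower() != default.lower()):
            findings.append("status %s has its own page %s"
                            % (err.get("statusCode"), target))
    return findings


if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        result = audit_custom_errors(xml_text)
        print(name, "->", result if result else "OK")
```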
People should note that in this case the term "oracle" does not refer to the Oracle database or the company with the same name, but to a cryptographic concept.
"An oracle in the context of cryptography is a system which provides hints as you ask it questions. In this case, there is a vulnerability in ASP.Net which acts as a padding oracle.
"This allows an attacker to send chosen cipher text to the server and learn if it was decrypted properly by examining which error code was returned by the server," Microsoft researchers explain.