Monthly Archives: September 2010

ASP.Net Security Vulnerability

On Friday, September 17th, a serious security exploit was demonstrated at a security conference by Juliano Rizzo and Thai Duong. A tool called POET (Padding Oracle Exploit Tool) was used to demonstrate the exploit against both .NET and Java.

POET exploits a well-known class of vulnerability (the padding oracle) in the way many websites encrypt text stored in ViewState, forms authentication tickets, cookies, hidden HTML fields and request parameters.

It is a deficiency in how the encryption is used by both Java (JSF) and the .NET framework, not a weakness in the ciphers themselves: plaintext is padded up to the cipher's block size (e.g. 8 or 16 bytes) before encryption, and after decryption the framework reveals, through a different error response, whether the padding of the ciphertext it was handed is valid. By submitting modified ciphertexts and watching that single bit of information, an attacker can decrypt (and, in ASP.NET, forge) encrypted data without knowing the key. I will not go into details, as it is explained well here.

The exploit works against any block cipher used in CBC mode with this kind of padding, such as AES, DES and Triple DES.

In ASP.NET the exploit is quite severe, as it can be used to download the application's web.config file (which typically holds connection strings and keys).

"The attack that was shown in the public relies on a feature in ASP.NET that allows files (typically javascript and css) to be downloaded, and which is secured with a key that is sent as part of the request. Unfortunately if you are able to forge a key you can use this feature to download the web.config file of an application (but not files outside of the application). We will obviously release a patch for this…" (Scott Gu)

Many systems are affected, including ASP.NET 1.0-4.0 (WebForms and MVC), SharePoint, Microsoft CRM, JavaServer Faces, etc.

HTTPS with SSL/TLS does not protect your site: the attacker is an ordinary client talking to the server over the encrypted channel, and the oracle is the server's own error responses to the ciphertexts the attacker submits.

A video demonstrates how to use the POET tool against DotNetNuke.

Scott Gu has workaround details until Microsoft releases a patch: configure customErrors so that every error returns the same page, and add a random delay in that page, so an attacker cannot tell a padding error from any other error by response or timing.

Update September 29th, 2010: Microsoft has released a security update (MS10-070). More details about the patch are on Scott Gu’s blog.

Configuring Windows 7 network priority

Windows 7 apparently always prioritizes the wireless network connection (Wi-Fi), even when a faster wired network connection is available. This is the default behavior – go figure!

Luckily you can change it, but it isn’t easy to find. Do the following:

  1. Go to “Network and Sharing Center” (e.g. through the “Control Panel”)
  2. Click “Change Adapter Settings”
  3. In the “Network Connections” window, press the ALT key on your keyboard to bring up the menu bar.
  4. Click the “Advanced” menu and then “Advanced Settings”
  5. In the “Advanced Settings” window, on the “Adapters and Bindings” tab under “Connections”, change the network connection priority with the arrows on the right.

It will still connect to all available networks (wireless and wired) unless an adapter is disabled. Note that this binding order governs which adapter Windows services prefer; which adapter actually carries outbound traffic is decided by the interface metric in the routing table (route print shows it). If traffic still goes out over Wi-Fi, open the wired adapter's IPv4 properties, click “Advanced”, uncheck “Automatic metric” and give the wired interface a lower metric than the wireless one.