Friday the September 17th a serious security exploit was demonstrated at security conference by Juliano Rizzo and Thai Duong. A tool called POET (Padding Oracle Exploit Tool) was used to show the exploit in both .Net and Java.
POET exploits a well-known vulnerability in the way many websites encrypt text stored in ViewState, form authentication tickets, cookies, hidden HTML fields and request parameters.
It a deficiency in the encryption libraries in both Java and the .Net framework utilizing the fact that encrypted strings are padded in blocks of e.g. 8 bytes or 16 bytes or …. I will not go into details, as it is explained well in details here.
The exploit works on any block-cipher encryption mechanism, such as AES, DES and Triple DES.
The exploit is quite severe, as it can be used to download the web.config file.
There are lots of systems affected, such as ASP.Net 1.0-4.0 (WebForms and MVC), SharePoint, Microsoft CRM, JavaServer Faces etc.
HTTPS with SSL/TLS does not protect your site.
Below is a video showing how to use the POET tool with DotNetNuke.
Scott Gu has workaround details until Microsoft releases a patch.
Anders Lybecker is an chief architect at Avior A/S, a consultancy firm in Copenhagen, Denmark. He holds a degree in software engineering specializing in software development. His primary expertise are the Microsoft .Net framework and SQL Server which he has been working with since the start of this century! He enjoys discussing technical topics, teaching and speaking at conferences.