1 minute read

Note: This post refers to .NET Framework for Windows only, and not for the cross-platform .NET Core or simply .NET as it is re-branded in 2020. This means this post is outdated for newer version of .NET

Friday the September 17th a serious security exploit was demonstrated at security conference by Juliano Rizzo and Thai Duong. A tool called POET (Padding Oracle Exploit Tool) was used to show the exploit in both .Net and Java.

POET exploits a well-known vulnerability in the way many websites encrypt text stored in ViewState, form authentication tickets, cookies, hidden HTML fields and request parameters.

It a deficiency in the encryption libraries in both Java and the .Net framework utilizing the fact that encrypted strings are padded in blocks of e.g. 8 bytes or 16 bytes or …. I will not go into details, as it is explained well in details here.

The exploit works on any block-cipher encryption mechanism, such as AES, DES and Triple DES.

The exploit is quite severe, as it can be used to download the web.config file.

The attack that was shown in the public relies on a feature in ASP.NET that allows files (typically javascript and css) to be downloaded, and which is secured with a key that is sent as part of the request. Unfortunately if you are able to forge a key you can use this feature to download the web.config file of an application (but not files outside of the application). We will obviously release a patch for this… Scott Gu

There are lots of systems affected, such as ASP.Net 1.0-4.0 (WebForms and MVC), SharePoint, Microsoft CRM, JavaServer Faces etc.

HTTPS with SSL/TLS does not protect your site.

Below is a video showing how to use the POET tool with DotNetNuke.

Scott Gu has workaround details until Microsoft releases a patch.

Update September 29th, 2010: A security update is released by Microsoft. More details about the patch on Scott Gu’s blog.

Comments