Tag Archives: Security

ASP.Net Security Vulnerability

Friday the September 17th a serious security exploit was demonstrated at security conference by Juliano Rizzo and Thai Duong. A tool called POET (Padding Oracle Exploit Tool) was used to show the exploit in both .Net and Java.

POET exploits a well-known vulnerability in the way many websites encrypt text stored in ViewState, form authentication tickets, cookies, hidden HTML fields and request parameters.

It a deficiency in the encryption libraries in both Java and the .Net framework utilizing the fact that encrypted strings are padded in blocks of e.g. 8 bytes or 16 bytes or …. I will not go into details, as it is explained well in details here.

The exploit works on any block-cipher encryption mechanism, such as AES, DES and Triple DES.

The exploit is quite severe, as it can be used to download the web.config file.

The attack that was shown in the public relies on a feature in ASP.NET that allows files (typically javascript and css) to be downloaded, and which is secured with a key that is sent as part of the request. Unfortunately if you are able to forge a key you can use this feature to download the web.config file of an application (but not files outside of the application). We will obviously release a patch for this… Scott Gu

There are lots of systems affected, such as ASP.Net 1.0-4.0 (WebForms and MVC), SharePoint, Microsoft CRM, JavaServer Faces etc.

HTTPS with SSL/TLS does not protect your site.

Below is a video showing how to use the POET tool with DotNetNuke.

Scott Gu has workaround details until Microsoft releases a patch.

Update September 29th, 2010: A security update is released by Microsoft. More details about the patch on Scott Gu’s blog.

Transferring SQL Server logins

I had to migrate a SQL Server 2008 instance on to new hardware.

I choose to detach the databases and attach the databases on the new SQL Server 2008 instance on the new hardware. This was easy, but the origin SQL Server instance used mixed SQL Server and Windows Authentication Mode. This also meant that I had to migrate SQL Server logins, as the logins where a mix of SQL Server logins and Active Directory domain accounts/groups.

Both the SQL Server logins and domain accounts/groups has an unique SID (Security Identifier), which ties the logins in the SQL Server with the users in the database.

While the domain accounts/groups resides in the Active Directory domain controllers, the SQL Server logins only resides in the SQL Server. This means, moving domain accounts/groups is easy, by just creating the same users in the new SQL Server instance, but SQL Server logins is not. I could either choose to:

  • Recreate the SQL Server logins with new users in each of the databases, as new SQL Server logins will get new SIDs and therefore not be tied to the old database users. This also requires that you know all the passwords – alternative reconfigure all the client applications using SQL Server logins 🙁
  • Transfer the SQL Server logins with SID and password 🙂

How to transfer SQL Server logins? See the KB article: How to transfer the logins and the passwords between instances of SQL Server 2005 and SQL Server 2008. Easy 🙂

Cisco VPN (IPSec) support on 64 bit platforms

Shrew Soft LogoI like Windows 7 x64, but I hate Cisco’s lack of support for the IPSec protocol on 64-bit platforms. Many of our customers use IPSec and the Cisco VPN Client – therefore I cannot connect to the customer’s network via IPSec VPN tunnels on my primary laptop 🙁

Until today 🙂

A colleague of mine recommended Shrew Soft VPN Client. It’s free and works like a charm. It’s a lot faster connecting and negotiating to the remote network than Cisco VPN Client, so fast in fact, that I initially thought that the connection failed. I’ve been using it for a couple of days, connecting to multiple customers, without any issues.

Why does Cisco implement a VPN client for x64 platforms?

I guess it is a money making scheme. They want to push their new Cisco VPN boxes and their new Cisco AnyConnect VPN client (expensive!), which makes use of SSL VPN.

Greg Ferro has another critical article Early Death of Cisco VPN Client Forces VPN License Fees with more details about Cisco’s SSL VPN.

I know of a commercial IPSec VPN client from NCP that works fine with Cisco IPSec VPN tunnels, but the steep price tag of $144 USD + taxes is too much.

Update May 31, 2010: Cisco has released an x64 version of their client tools for Windows 7 with IPSec protocol support. Either my money making scheme hypotheses is wrong or Cisco feared the wrath of my blog readers 🙂