Vulnerability in ASP.NET Could Allow Information Disclosure
A common mistake is to assume that encryption protects the cookies from tampering so that if any data in the cookie is modified, the cookie will not decrypt correctly. However, there are a lot of ways to make mistakes in crypto implementations, and when crypto breaks, it usually breaks badly.
According to Microsoft's advisory, the flaw exists in all versions of ASP.NET, the company's Web application framework used to craft millions of sites and applications. Microsoft will have to patch every supported version of Windows, from XP Service Pack 3 and Server 2003 to Windows 7 and Server 2008 R2, as well as other products, including its IIS and SharePoint server software.
"We knew ASP.NET was vulnerable to our attack several months ago, but we didn't know how serious it is until a couple of weeks ago. It turns out that the vulnerability in ASP.NET is the most critical amongst other frameworks. In short, it totally destroys ASP.NET security," said Thai Duong, who, along with Juliano Rizzo, developed the attack against ASP.NET.
As a workaround, Microsoft recommends reducing the information returned to the client when an error occurs, so that intruders cannot gather the information needed to determine the Machine Key. You can read more on that here. The simplest solution is to add or replace the customErrors tag inside the system.web element of the site's web.config file. The tag should point to an error page that provides no feedback on the error. A typical entry would look like this (where error.html is some HTML-only page in the same folder as the web.config file):
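The entry described above, written out as an added example rather than the original post's own snippet. It assumes error.html sits beside web.config as the text says; notfound.html is a hypothetical name used only to show a weak variant.

```xml
<configuration>
  <system.web>
    <!-- Weak: detailed error output is sent to every client.
           <customErrors mode="Off" />

         Weak: custom errors are on, but a distinct page per status
         code still tells the client which kind of error occurred.
           <customErrors mode="On" defaultRedirect="~/error.html">
             <error statusCode="404" redirect="~/notfound.html" />
           </customErrors>
    -->

    <!-- Workaround: every error, whatever its cause, is answered with
         the same static page, so the response gives no feedback. -->
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
</configuration>
```

If the existing customErrors element has child error elements, remove them when replacing it, so that all failures lead to the one page.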
On a Web farm, these changes will have to be made on all the servers in the farm.
Here's a demo of the attack, and the Microsoft Security Advisory. The theory behind this attack is here.








