ScottGu’s Workaround for the ASP.NET Security Vulnerability

The ASP.NET Security Vulnerability


Chances are that you’ve seen the Microsoft Security Advisory, but in case you haven’t here’s the "tl;dr" version:

  • There’s a vulnerability in ASP.NET that was publicly disclosed late on Friday at a security conference.
  • An attacker using this vulnerability can:
    • Request and download files within an ASP.NET application like the web.config file (which often contains sensitive data).
    • Decrypt data sent to the client in an encrypted state (like ViewState data within a page).

How Does the Vulnerability Work?

The vulnerability is based on a cryptographic oracle. When talking amongst the crypto crowd, an “oracle” refers to a system that gives away hints if you ask it the right questions.

Within ASP.NET, there’s a vulnerability that acts like a “padding oracle”. An attacker can send ciphertext to the web server and learn if it was decrypted properly by looking at the error code returned by the server. Make lots of requests like that while keeping track of the error codes returned, and you can learn enough to decrypt the ciphertext.

How Do You Work Around the Vulnerability (the high-level version)?

The vulnerability works because of the different error codes returned by the server. The workaround is to change the error handling within ASP.NET so that it always sends the same error each time, regardless of the error, thereby cancelling the “oracular” behaviour.

More specifically, this involves enabling the <customErrors> feature of ASP.NET and mapping all errors to return the same error page.
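As an added illustration (not from the original post, and not Scott Guthrie's own instructions), here is what that looks like in web.config: a leaky configuration beside the workaround shape. The page names (NotFound.aspx, ServerError.aspx, error.aspx) are assumptions; the two fragments are alternatives for the same <system.web> section, not meant to coexist.

```xml
<!-- Constructed example, not the page's own config. Each fragment goes under
     <configuration> in web.config; use one or the other. -->

<!-- Leaky shape: different errors produce different responses, so a client can
     tell an invalid-padding failure apart from any other failure just by
     watching which page (and which status) comes back. -->
<system.web>
  <customErrors mode="RemoteOnly">
    <error statusCode="404" redirect="~/NotFound.aspx" />
    <error statusCode="500" redirect="~/ServerError.aspx" />
  </customErrors>
</system.web>

<!-- Workaround shape: every error, whatever its cause, is answered with the same
     page. mode="On" covers local and remote clients alike; there are no
     per-status <error> entries; and redirectMode="ResponseRewrite"
     (.NET 3.5 SP1 and later) serves error.aspx in place instead of issuing a
     redirect that carries the original path in its query string. -->
<system.web>
  <customErrors mode="On"
                redirectMode="ResponseRewrite"
                defaultRedirect="~/error.aspx" />
</system.web>
```

Scott Guthrie's step-by-step post additionally has error.aspx itself add a small random delay before responding, so that response timing does not reopen the oracle that the uniform error page closes.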

How Do You Work Around the Vulnerability (the step-by-step version)?

Scott Guthrie’s blog has the step-by-step instructions for:

  • Working around the vulnerability
  • Making sure that the workaround has been enabled
  • Finding vulnerable ASP.NET applications on your server
  • Finding out more about the vulnerability

If you’ve got an ASP.NET-based application, make sure you’ve set up the workaround!

This article also appears in Canadian Developer Connection.