ScottGu’s Workaround for the ASP.NET Security Vulnerability

The ASP.NET Security Vulnerability


Chances are that you’ve seen the Microsoft Security Advisory, but in case you haven’t here’s the "tl;dr" version:

  • There’s a vulnerability in ASP.NET that was publicly disclosed late on Friday at a security conference.
  • An attacker using this vulnerability can:
    • Request and download files within an ASP.NET application like the web.config file (which often contains sensitive data).
    • Decrypt data sent to the client in an encrypted state (like ViewState data within a page).

How Does the Vulnerability Work?

The vulnerability is based on a cryptographic oracle. In crypto parlance, an “oracle” is a system that gives away hints if you ask it the right questions.

Within ASP.NET, there’s a vulnerability that acts like a “padding oracle”. An attacker can send ciphertext to the web server and learn if it was decrypted properly by looking at the error code returned by the server. Make lots of requests like that while keeping track of the error codes returned, and you can learn enough to decrypt the ciphertext.

How Do You Work Around the Vulnerability (the high-level version)?

The vulnerability works because of the different error codes returned by the server. The workaround is to change the error handling within ASP.NET so that it returns the same error response every time, regardless of what the underlying error was, thereby cancelling the “oracular” behaviour.

More specifically, this involves enabling the <customErrors> feature of ASP.NET and mapping all errors to return the same error page.
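Here’s what that looks like in web.config, as an added example (not a snippet from Scott’s post): the first fragment is the kind of setup that leaves the oracle open, because it maps different error conditions to different responses; the second maps every error to one page. The file name ~/error.html is an assumption; use whatever static page you have.

```xml
<!-- BEFORE (weak): 404s and 500s go to different pages, so an attacker can
     still tell a padding failure apart from other errors by which page comes
     back. mode="RemoteOnly" also shows the detailed error page to local
     requests. -->
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html">
      <error statusCode="404" redirect="~/notfound.html" />
      <error statusCode="500" redirect="~/servererror.html" />
    </customErrors>
  </system.web>
</configuration>

<!-- AFTER (the workaround): customErrors is always on and there are no
     <error> sub-elements, so every error, whatever its cause or status code,
     produces the same response. ~/error.html is an assumed file name; it must
     exist and should be a static page that cannot itself throw an error. -->
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
</configuration>
```

After deploying it, request a page that doesn’t exist and one that throws, and confirm both come back with the same error page.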

How Do You Work Around the Vulnerability (the step-by-step version)?

Scott Guthrie’s blog has the step-by-step instructions for:

  • Working around the vulnerability
  • Making sure that the workaround has been enabled
  • Finding vulnerable ASP.NET applications on your server
  • Finding out more about the vulnerability

If you’ve got an ASP.NET-based application, make sure you’ve set up the workaround!

This article also appears in Canadian Developer Connection.


Maybe It’s Time to Update Your Twitter Password

First, there were the Twitter phishing attacks that looked like direct messages from your friends offering you a chance to win an iPhone. Now some big-shot Twitter accounts appear to have been accessed by pranksters: FOX News’, CNN’s Rick Sanchez’ and Britney Spears’ accounts have all had tweets posted to them by unauthorized parties.

These tweets have since been deleted, but their images have been saved in a number of places, including a Flickr photoset by Mat Honan and on TechCrunch.

Here’s an image of the unauthorized post on Britney’s Twitter account. The pusillanimous bowdlerizers over at TechCrunch blurred out the word “vagina” in their screenshot of the posting, but we don’t do that sort of thing here at Global Nerdy:

Screenshot of hacked Britney Spears tweet: "HI Yall! Brit here, just wanted to update you on the size of my vagina. Its about 4 feet wide with razor sharp teeth."

Michael Arrington, you big girl’s blouse, they use the word “vagina” on prime time TV – for starters, on Family Guy. Also, thanks to Britney’s now legendary bad judgement and celebrity blogs, we’ve all seen said vagina anyway [link not safe for work!].

Here’s the unauthorized post on Rick Sanchez’ Twitter account:

Screenshot of hacked Rick Sanchez Twitter account: "i am high on crack right now might not be coming into work today"

And my favourite, the unauthorized post on FOX News’ Twitter account that tells the shocking truth about falafel-and-loofah fetishist and screaming head Bill O’Reilly:

Screenshot of FOX News Twitter account: "Breaking: Bill O Riley is gay"

Anyhow, you might not be a celebrity, but it still might be a good idea to update your Twitter password if it’s something easily cracked, like a word that can be found in the dictionary.