During the September 2010 ekoparty Security Conference in Argentina, Juliano Rizzo, along with Thai Duong, disclosed a vulnerability that affects every ASP.NET web application. The exploit involves what is called a “Padding Oracle Attack.” He had released a working algorithm a while back in the form of POET, a Python script, but this was the first time the exploit was disclosed in such a public arena.
Microsoft immediately responded by posting Security Advisory 2416728 for the padding oracle attack, and other security advisories followed from third-party security researchers. The attack works by sending thousands of cryptographic requests and determining how correct each guess is from the error code returned. With the right key, an attacker can intercept and manipulate data, including cookie files, and can ultimately read the configuration files of ASP.NET web applications. While the vulnerability does not itself allow elevated privileges or code execution, the information found might reveal other details useful for gaining access to systems on your network.
Microsoft’s recommended fix at this point is to configure the web application to use custom error pages that return the same error for all requests. This fix, however, does not address the fact that status codes and the processing time for the request are tell-tale indicators of success or failure. It is also not an option for web applications that depend on custom error pages for web services. The vulnerability is inherent in the design, so a true fix may be slow in coming. While administrators of small- to medium-sized web applications might feel that a low enough profile would prevent them from being a target and forgo looking into this vulnerability, they should not ignore the problem. The exploit has been publicly disclosed, the algorithm works as advertised, and there is already a YouTube video tutorial. The code makes the exploit mindlessly easy.
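One way to check a site against the workaround described above, that every error maps to the same page, is to audit its `web.config`. This is an added example, not code from the advisory or the original article; it assumes the error-page settings live in a `<customErrors>` section, and the sample configurations are constructed. It covers only the page mapping, not the status-code and timing differences noted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not from any real application).
PER_STATUS = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html">
    <error statusCode="404" redirect="~/notfound.html" />
    <error statusCode="500" redirect="~/servererror.html" />
  </customErrors>
</system.web></configuration>"""

UNIFORM = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html" />
</system.web></configuration>"""

DISABLED = """<configuration><system.web>
  <customErrors mode="Off" />
</system.web></configuration>"""


def audit_custom_errors(web_config_xml):
    """Return findings; an empty list means all errors map to one page."""
    root = ET.fromstring(web_config_xml)
    sections = list(root.iter("customErrors"))
    if not sections:
        return ["no <customErrors> section: framework default applies"]
    findings = []
    for section in sections:
        default = section.get("defaultRedirect")
        if section.get("mode", "RemoteOnly") == "Off":
            findings.append("mode=Off: clients receive detailed error output")
        if not default:
            findings.append("no defaultRedirect: no single error page is defined")
        # A per-status page that differs from the default lets a client tell
        # one failure class from another by the page it is sent to.
        for err in section.findall("error"):
            if err.get("redirect") != default:
                findings.append(
                    "statusCode %s has its own page %s"
                    % (err.get("statusCode"), err.get("redirect"))
                )
    return findings


if __name__ == "__main__":
    for name, cfg in (("per-status", PER_STATUS), ("uniform", UNIFORM),
                      ("disabled", DISABLED)):
        print(name, audit_custom_errors(cfg) or "OK")
```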