Developping for the translation industry RSS 2.0



 Wednesday, September 15, 2010

Seen on Visual Studio Magazine

Two security researchers, Thai Duong and Juliano Rizzo, have discovered a bug in the default encryption mechanism used to protect the cookies normally used to implement Forms Authentication in ASP.NET. Using their tool (the Padding Oracle Exploit Tool or POET), they can repeatedly modify an ASP.NET Forms Authentication cookie encrypted using AES and, by examining the errors returned, determine the Machine Key used to encrypt the cookie. The process is claimed to be 100 percent reliable and takes between 30 and 50 minutes for any site.

Once the Machine Key is determined, attackers can create bogus forms authentication cookies. If site designers have chosen the option to embed role information in the security cookie, then attackers could arbitrarily assign themselves to administrator roles. This exposure also affects other membership provider features, spoofing protection on the ViewState, and encrypted information that might be stored in cookies or otherwise be made available at the client.

While the exposure is both wide and immediate, the fix is simple. The hack exploits a bug in .NET's implementation of AES encryption. The solution is to switch to one of the other encryption mechanisms -- to 3DES, for instance. Since encryption for the membership and roles providers is handled by ASP.NET, no modification of existing code should be required for Forms Authentication.

The encryption method can be set in the web.config file for a site, in IIS 7 for a Web server, or in the config file for .NET on a server in %SYSTEMROOT%\Microsoft.NET\Framework\version\CONFIG\. On 64-bit systems, it must also be set in %SYSTEMROOT%\Microsoft.NET\Framework64\version\CONFIG\. A typical entry would look like this:

    <machineKey validationKey="AutoGenerate,IsolateApps"         
                           validation="3DES"                           
                           decryptionKey="AutoGenerate,IsolateApps"
                           decryption="3DES" />  

On a Web farm, this setting will have to be made on all the servers in the farm.

These settings are also used to prevent spoofing (ViewState data is encoded but not encrypted), so making this change will also switch the ViewState to using 3DES. Developers who are using AES in their code to encrypt information made available at the client should consider modifying their code to use a different encryption mechanism.

 

Other Posts:

Google instant makes searching for God harder

Tabnabbing: A New Kind Of Phishing Attack

Big news in security: 1024-bit RSA encryption cracked!

Tips to enhance your SQL Server security

What is LDAP injection?

Wednesday, September 15, 2010 8:35:36 AM (Eastern Standard Time, UTC-05:00)  #    Comments [0] -
.NET | News | Security
Comments are closed.

Navigation
Advertisement
About the author/Disclaimer

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2014
Stanislas Biron
Sign In
Statistics
Total Posts: 135
This Year: 0
This Month: 0
This Week: 0
Comments: 1
All Content © 2014, Stanislas Biron